SSL
Validates SSL/TLS certificates and returns expiry, issuer, and subject information. This node is essential for preventing certificate expiration incidents, ensuring secure connections, monitoring certificate authorities, and maintaining SSL/TLS security compliance.
Common Properties
- Name - The custom name of the node.
- Color - The custom color of the node.
- Delay Before (sec) - Waits in seconds before executing the node.
- Delay After (sec) - Waits in seconds after executing the node.
- Continue On Error - Automation will continue regardless of any error. The default value is false.
If the ContinueOnError property is true, no error is caught when the project is executed, even if a Catch node is used.
Inputs
- URL - Domain name or URL to check SSL certificate. Protocol prefixes (http://, https://) are automatically stripped.
- Port - Port number for SSL connection (default: 443). Can be provided as number or string.
Options
- Timeout - Timeout in seconds for the SSL connection (default: 60 seconds)
Output
- Result - SSL certificate validation result object containing:
  - valid (boolean) - Whether the certificate is currently valid (not expired)
  - expiresIn (number) - Days until certificate expires (negative if already expired)
  - expiryDate (string) - Certificate expiration date in RFC3339 format
  - issuer (string) - Certificate Authority that issued the certificate
  - subject (string) - Common Name (CN) of the certificate subject
How It Works
The SSL node establishes a TLS connection to verify certificate validity. When executed, the node:
- Cleans the URL by removing protocol prefixes (http://, https://)
- Validates the port number is within valid range (1-65535)
- Establishes a TLS connection to the specified host and port
- Retrieves the peer certificate from the connection
- Verifies the hostname matches the certificate
- Calculates days until expiration
- Extracts issuer and subject information
- Returns comprehensive certificate information
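The same steps written out in Node.js with the built-in tls module, added here as an example; it is not the node's own implementation. The function names (normalizeTarget, describeCert, checkSsl) and the extra stripping of any path after the host are assumptions.

```javascript
const tls = require("node:tls");

// Steps 1-2: strip the protocol prefix (and, as an assumption, any path),
// then check the port is an integer in 1-65535. Strings like "443" are accepted.
function normalizeTarget(url, port) {
  const host = String(url ?? "").trim().replace(/^https?:\/\//i, "").split("/")[0];
  if (!host) throw new Error("URL cannot be empty");
  const p = Number(port);
  if (!Number.isInteger(p) || p < 1 || p > 65535) throw new Error("Invalid port number");
  return { host, port: p };
}

// Steps 5-8: hostname check, days to expiry, issuer and subject.
// `cert` is the object returned by TLSSocket.getPeerCertificate().
function describeCert(cert, host, now = new Date()) {
  const mismatch = tls.checkServerIdentity(host, cert); // Error or undefined
  if (mismatch) throw new Error(`ErrHostname: ${mismatch.message}`);
  const expiry = new Date(cert.valid_to);
  const expiresIn = (expiry - now) / 86400000; // milliseconds per day
  return {
    valid: expiresIn > 0,
    expiresIn,
    expiryDate: expiry.toISOString(),
    issuer: cert.issuer.O || cert.issuer.CN,
    subject: cert.subject.CN,
  };
}

// Steps 3-4: open the TLS connection and read the peer certificate.
function checkSsl(url, port = 443, timeoutSec = 60) {
  const { host, port: p } = normalizeTarget(url, port);
  return new Promise((resolve, reject) => {
    // rejectUnauthorized: false lets the handshake finish for an expired
    // certificate so it can be reported; no application data is sent.
    const opts = { host, port: p, servername: host, rejectUnauthorized: false };
    const sock = tls.connect(opts, () => {
      try { resolve(describeCert(sock.getPeerCertificate(), host)); }
      catch (err) { reject(err); }
      finally { sock.end(); }
    });
    sock.setTimeout(timeoutSec * 1000, () => sock.destroy(new Error("ErrConn: timeout")));
    sock.on("error", reject);
  });
}
// Usage: checkSsl("https://www.example.com", 443).then(console.log, console.error);
```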
Example Use Cases
Monitor Certificate Expiration
Check when SSL certificates will expire to prevent service disruptions:
// Input
URL: "www.example.com"
Port: 443
// Output
{
  "valid": true,
  "expiresIn": 45.5, // 45.5 days until expiration
  "expiryDate": "2025-03-15T23:59:59Z",
  "issuer": "Let's Encrypt",
  "subject": "www.example.com"
}
Detect Expired Certificates
Identify websites with expired SSL certificates:
// Input
URL: "old-site.example.com"
Port: 443
// Output
{
  "valid": false,
  "expiresIn": -15.2, // Expired 15 days ago
  "expiryDate": "2024-12-08T23:59:59Z",
  "issuer": "DigiCert Inc",
  "subject": "old-site.example.com"
}
// Alert: Certificate expired! Immediate action required.
Certificate Authority Audit
Monitor which Certificate Authorities are in use:
// Check multiple domains
// Extract "issuer" field from each
// Generate report of all CAs in use
// Identify unauthorized or deprecated CAs
Wildcard Certificate Validation
Verify wildcard certificates are properly configured:
// Input
URL: "api.example.com"
Port: 443
// Output
{
  "valid": true,
  "expiresIn": 90,
  "expiryDate": "2025-03-23T23:59:59Z",
  "issuer": "Let's Encrypt",
  "subject": "*.example.com" // Wildcard certificate
}
Non-Standard Port SSL Check
Monitor SSL on custom ports (not 443):
// Input
URL: "mail.example.com"
Port: 8443 // Custom HTTPS port
// Output
{
  "valid": true,
  "expiresIn": 60,
  "expiryDate": "2025-02-22T23:59:59Z",
  "issuer": "Sectigo",
  "subject": "mail.example.com"
}
Certificate Renewal Verification
Confirm new certificates are installed after renewal:
// Before renewal
// Check expiryDate and expiresIn
// After renewal
// Check again
// Verify expiryDate is updated (extended by ~90 days)
// Confirm issuer is correct
Certificate Lifecycle Management
Expiration Thresholds
Recommended alert thresholds based on expiresIn:
- 90+ days - No action needed
- 60-89 days - Plan renewal
- 30-59 days - Schedule renewal
- 15-29 days - Urgent: Renew soon
- 7-14 days - Critical: Renew immediately
- 1-6 days - Emergency: Certificate about to expire
- < 1 day - Alert: Same-day expiration
- Negative - CRITICAL: Certificate expired
Best Practices
- Monitor 30 Days Before - Start alerts 30 days before expiration
- Multiple Notifications - Alert at 30, 14, 7, 3, and 1 day before expiration
- Auto-Renewal - Use with certificate auto-renewal systems (Let's Encrypt)
- Backup Certificates - Monitor both primary and backup certificates
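- Certificate Pinning - Track issuer changes to detect unauthorized certificate replacements. The Result object carries no certificate or key fingerprint, so this is a coarser signal than pinning a specific certificate or key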
Tips for Effective Use
- Regular Monitoring - Check certificates weekly or monthly
- Staging Environments - Don't forget to monitor staging/development certificates
- Subdomain Wildcards - Verify wildcard certificates cover all necessary subdomains
- Port Variations - Check SSL on all ports where it's used (443, 8443, 8080, etc.)
- Issuer Tracking - Monitor issuer field for unexpected CA changes (potential security issue)
- Subject Verification - Ensure subject matches the expected domain
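- Hostname Validation - The node automatically validates the hostname; an ErrHostname error indicates misconfiguration or, as noted under Common Errors and Solutions, a potential man-in-the-middle attack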
Common Errors and Solutions
Error: "URL cannot be empty"
Cause: The URL input is missing or contains an empty string.
Solution: Ensure the URL input variable contains a valid domain name or URL.
Error: "Port cannot be empty"
Cause: The Port input is missing or null.
Solution:
- Provide a port number (default: 443)
- Ensure the port variable is set
Error: "Invalid port number"
Cause: Port number is outside valid range (1-65535) or invalid format.
Solution:
- Use port 443 for standard HTTPS
- Verify port number is between 1 and 65535
- Ensure port is numeric (not text)
Error: "ErrConn" - Connection Failed
Cause: Unable to establish TLS connection to the specified host and port.
Solution:
- Verify the domain is correct and accessible
- Check that SSL/TLS is enabled on the specified port
- Confirm firewall allows outbound connections
- Increase timeout for slow connections
- Verify the server is online (use Ping node first)
- Check if port is open (use Port node)
Error: "ErrHostname" - Hostname Verification Failed
Cause: Certificate subject doesn't match the provided hostname.
Solution:
- Check certificate subject in output (if partially successful)
- Verify the URL matches a name the certificate covers: the Common Name (CN) or a Subject Alternative Name (SAN) entry
- For wildcard certificates, ensure subdomain is covered
- Confirm certificate is installed on correct server
- Investigate potential man-in-the-middle attack or misconfiguration
Valid: false with Negative expiresIn
Cause: SSL certificate has expired.
Solution:
- Renew the certificate immediately
- Check certificate renewal processes
- Verify auto-renewal is working (Let's Encrypt, etc.)
- Install the new certificate
- Clear old cached certificates
Connection Timeout
Cause: TLS handshake took longer than the specified timeout.
Solution:
- Increase the Timeout value
- Check server responsiveness
- Verify network connectivity
- Test with higher timeout (60-120 seconds)
Integration Examples
Automated Certificate Monitoring System
// List of all domains to monitor
const domains = [
  {url: "www.example.com", port: 443},
  {url: "api.example.com", port: 443},
  {url: "admin.example.com", port: 8443},
  {url: "mail.example.com", port: 443}
];
// For each domain:
// Check SSL certificate
// If expiresIn < 30:
// - Add to renewal queue
// - Send notification
// If valid: false:
// - Send urgent alert
// - Create incident ticket
// Generate daily certificate status report
Certificate Expiration Dashboard
// Check all certificates daily
// Store results in database
// Create dashboard showing:
// - Certificates expiring this week (red)
// - Certificates expiring this month (yellow)
// - Valid certificates (green)
// - Expired certificates (critical alert)
// Email summary to security team
Multi-Environment Certificate Audit
// Check same domain across environments
const environments = [
  {env: "Production", url: "app.example.com"},
  {env: "Staging", url: "staging.app.example.com"},
  {env: "Development", url: "dev.app.example.com"}
];
// Verify:
// - All environments have valid certificates
// - No environment uses expired certificates
// - Renewal schedules are aligned
Certificate Authority Compliance Check
// Check SSL for all company domains
// Verify issuer is from approved CA list
const approvedCAs = [
  "Let's Encrypt",
  "DigiCert Inc",
  "Sectigo"
];
// If issuer not in approved list:
// - Flag for security review
// - Investigate unauthorized certificate
Pre-Deployment SSL Verification
// Before promoting to production:
// 1. Check new domain's SSL certificate
// 2. Verify valid: true
// 3. Verify expiresIn > 30 days
// 4. Verify issuer is approved CA
// 5. Verify subject matches domain
// Only deploy if all checks pass
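Checks 2 to 5 above as a gate function over the node's Result object, added here as an example and not part of the product's own code. preDeployGate and subjectCovers are hypothetical names, and the approved list reuses the sample values from the Certificate Authority Compliance Check; because subject holds only the CN, a wildcard is matched against exactly one left-most label.

```javascript
// Approved issuers: the sample values from the compliance check above.
const APPROVED_CAS = ["Let's Encrypt", "DigiCert Inc", "Sectigo"];

// True when `subject` (a CN, possibly a wildcard) covers `host`.
// "*.example.com" covers api.example.com, but not example.com itself and
// not a.b.example.com: the wildcard stands for exactly one label.
function subjectCovers(subject, host) {
  const s = String(subject).toLowerCase().replace(/\.$/, "");
  const h = String(host).toLowerCase().replace(/\.$/, "");
  if (!s.startsWith("*.")) return s === h;
  const dot = h.indexOf(".");
  return dot > 0 && h.slice(dot + 1) === s.slice(2);
}

// Applies checks 2-5 to one Result and collects every failure, so a
// blocked deployment reports all problems at once.
function preDeployGate(host, result, minDays = 30, approved = APPROVED_CAS) {
  const failures = [];
  if (result.valid !== true) failures.push("certificate is not valid");
  // Written as !(x > min) so a missing or NaN expiresIn also fails.
  if (!(result.expiresIn > minDays)) {
    failures.push(`expiresIn ${result.expiresIn} is not above ${minDays} days`);
  }
  if (!approved.includes(result.issuer)) {
    failures.push(`issuer "${result.issuer}" is not an approved CA`);
  }
  if (!subjectCovers(result.subject, host)) {
    failures.push(`subject "${result.subject}" does not cover ${host}`);
  }
  return { deploy: failures.length === 0, failures };
}

// Constructed Result: valid today, but close to expiry and from an unlisted CA.
const SAMPLE = {
  valid: true, expiresIn: 12.5, expiryDate: "2025-02-01T00:00:00Z",
  issuer: "Example Internal CA", subject: "*.example.com",
};
console.log(preDeployGate("api.example.com", SAMPLE));
```

A subject mismatch reported here is a prompt for review rather than proof of a bad certificate, since the host may be covered by a name that the subject field does not show.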
Certificate Renewal Automation Workflow
// Daily check:
// If expiresIn < 30:
// 1. Trigger certificate renewal (certbot, ACME, etc.)
// 2. Wait for renewal to complete
// 3. Check SSL again
// 4. Verify expiresIn increased (90 days for Let's Encrypt)
// 5. Send success/failure notification
// 6. Log renewal event
Load Balancer SSL Monitoring
// Check SSL on all load balancer endpoints
// Verify:
// - All endpoints have same certificate
// - Certificate is valid
// - Expiration dates match
// Detect configuration drift
Security Incident Detection
// Monitor SSL certificates for unexpected changes
// Store baseline: issuer, subject, expiryDate
// On each check, compare with baseline:
// - If issuer changed: Potential security incident
// - If subject changed: Misconfiguration or attack
// - If expiryDate shortened: Investigate
// Alert security team immediately
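The baseline comparison above, written as an added example over the node's Result objects; it is not the product's own code, and compareWithBaseline, auditFleet and the sample data are hypothetical. It also shows one way to handle renewals: a clean check rolls the baseline forward, while a host with findings keeps its old baseline until the alert is reviewed.

```javascript
// Compares one fresh Result with its stored baseline and returns findings
// for the three rules above: issuer changed, subject changed, expiry shortened.
function compareWithBaseline(baseline, current) {
  const findings = [];
  for (const field of ["issuer", "subject"]) {
    if (current[field] !== baseline[field]) {
      findings.push({ field, was: baseline[field], now: current[field] });
    }
  }
  // A renewal moves expiryDate later; an earlier date means a different,
  // older or shorter-lived certificate is being served.
  if (Date.parse(current.expiryDate) < Date.parse(baseline.expiryDate)) {
    findings.push({ field: "expiryDate", was: baseline.expiryDate, now: current.expiryDate });
  }
  return findings;
}

// Audits a map of host -> Result against a map of host -> baseline.
// Hosts seen for the first time are recorded without an alert.
function auditFleet(baselines, results) {
  const alerts = [];
  const next = { ...baselines };
  for (const [host, r] of Object.entries(results)) {
    const snapshot = { issuer: r.issuer, subject: r.subject, expiryDate: r.expiryDate };
    const findings = baselines[host] ? compareWithBaseline(baselines[host], r) : [];
    if (findings.length === 0) next[host] = snapshot;
    else alerts.push({ host, findings });
  }
  return { alerts, baselines: next };
}

// Constructed data: api was renewed normally, www now shows another issuer.
const LE = "Let's Encrypt";
const SAMPLE_BASELINES = {
  "api.example.com": { issuer: LE, subject: "*.example.com", expiryDate: "2025-03-23T23:59:59Z" },
  "www.example.com": { issuer: LE, subject: "www.example.com", expiryDate: "2025-03-15T23:59:59Z" },
};
const SAMPLE_RESULTS = {
  "api.example.com": { issuer: LE, subject: "*.example.com", expiryDate: "2025-06-21T23:59:59Z" },
  "www.example.com": { issuer: "Example Unknown CA", subject: "www.example.com",
                       expiryDate: "2026-01-10T23:59:59Z" },
};
console.log(JSON.stringify(auditFleet(SAMPLE_BASELINES, SAMPLE_RESULTS).alerts, null, 2));
```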
SLA Compliance Monitoring
// Ensure 100% uptime of valid SSL
// Check every hour
// Track:
// - Total checks
// - Valid certificate count
// - Invalid certificate count
// Calculate uptime percentage
// Alert if SLA threshold breached
Certificate Vendor Management
// Track certificate costs and renewals
// Group by issuer
// Generate report:
// - Certificates per vendor
// - Renewal dates per vendor
// - Budget planning for renewals
// Optimize vendor selection