While there is no approach that will completely protect you against expired certificates, the Shoreline Certificate Rotation Op Pack comes pretty close. First, Shoreline builds a real-time inventory of your fleet and probes every HTTP endpoint in it, asking when its certificate will expire. This is a good first step, but some servers are hidden behind a load balancer and never see the probe. So, as a second check, Shoreline runs a Linux command on every VM and every container, once an hour, also looking for soon-to-expire certificates.
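As an added illustration (not Shoreline's own Op Pack code), the following Python script implements the two checks described above: probing an HTTPS endpoint for the `notAfter` date of the certificate it presents, and inspecting a certificate file on the host itself with `openssl`. The 30-day warning threshold and the helper names are assumptions.

```python
import socket
import ssl
import subprocess
import time

WARN_DAYS = 30  # assumed alarm threshold: warn when fewer days than this remain


def days_remaining(not_after, now=None):
    """Days until a certificate expires. `not_after` uses the format returned by
    ssl.getpeercert() and `openssl x509 -enddate`, e.g. 'Jun  1 12:00:00 2025 GMT'.
    A negative result means the certificate has already expired."""
    if now is None:
        now = time.time()
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Map an expiry date to the alarm state a monitor would raise."""
    days = days_remaining(not_after, now)
    if days < 0:
        return "expired"
    if days < warn_days:
        return "expiring"
    return "ok"


def check_endpoint(host, port=443, now=None, timeout=5.0):
    """First check: connect over TLS and read notAfter from the presented leaf certificate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert()["notAfter"], now)
    except ssl.SSLCertVerificationError as exc:
        # An already-expired (or otherwise untrusted) chain fails verification before
        # the date can be read; a monitor should alarm on this case as well.
        return "verify-failed: " + str(exc)


def parse_openssl_enddate(output):
    """Extract the date from the 'notAfter=...' line printed by `openssl x509 -enddate -noout`."""
    for line in output.splitlines():
        if line.startswith("notAfter="):
            return line[len("notAfter="):].strip()
    raise ValueError("no notAfter line in openssl output")


def check_pem_file(path, now=None):
    """Second check: inspect a certificate file on the host, which also covers servers
    behind a load balancer that the endpoint probe never reaches."""
    out = subprocess.run(["openssl", "x509", "-enddate", "-noout", "-in", path],
                         capture_output=True, text=True, check=True).stdout
    return classify(parse_openssl_enddate(out), now)
```

`check_endpoint` and `check_pem_file` need network access and the `openssl` binary respectively; the date handling they share can be exercised offline.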
Once an expiring certificate is identified, the next step is rotating it. There are hundreds of certificate providers, so it's not practical for Shoreline to provide rotation scripts for every one of them. Shoreline does, however, provide an out-of-the-box script for Let's Encrypt and is working to expand this to other common providers. The script both provisions the new certificate and propagates it wherever it is needed. Customers can use this script as a placeholder and template, updating or replacing it with scripts they build for other certificate providers.
This Op Pack is a great way for Shoreline customers to decrease the risk of an expired certificate. At a minimum, it provides out-of-the-box alarms that look for expiring certificates in two separate ways, running across the whole fleet so that the common causes of missed expirations (endpoints hidden behind a load balancer, certificates that only live on a host) are covered. Once the alarm fires, it provides an out-of-the-box rotation for Let's Encrypt and a placeholder example of how automations can be built for other certificate providers.