NTS certificate monitoring

I wanted to monitor certificate expiration on my NTS server on Uptime Kuma, so I wrote a simple HTTP tool for that.

More info here.


Then again, there’s always https://iam.redsift.cloud.

Which only shows a blank page… https://redsift.com

And maybe he and some others use their own monitoring…

Does it work with a custom NTS port?

Not at the moment. The port 4460 is “hardcoded”. I can add a parameter for that…

On the other hand with custom port only people/machines that know that port can use your server. Rest is always going to assume and use 4460. What is your scenario?

I have two NTS servers. One ordinary and one for testing NTS pool. Behind NAT. So one of them has to have a non-std NTS port. Great work btw :sun_with_face:

Added port as an optional parameter.

It simply works, thanks :grinning_face: I also use Uptime Kuma, can I ask how you set it up?

I’m not a REST expert, but could the expiration status (ok / not ok) also be included in the JSON output, not just in the HTTP status code?

@magnemann This is my setting:

@marco.davids I was thinking about it, but I haven’t found a good reason to have it there. Seemed like a duplication of what the status code is already providing. But I don’t have a strong opinion. If you tell me what you are trying to do, I can surely add that.


Two things: A quick check through my browser now shows no difference between &days=5 and &days=500, meaning I have to very closely look at the notAfter in the output (which made me wonder; what about another field: ‘cert still valid for’ ?). But also; scripting with curl and jq might just be a little easier with some additional information in the JSON output?

But honestly… I have my own tools like ntsmon2 and tlscheck2, so it was just a suggestion to you. My own tools are pretty simple but they do the job. For instance, here’s the output of tlscheck2:

./tlscheck2 -json -hostname nts1.time.nl -port 4460
{
  "expiry_date": "2026-01-18T08:00:29Z",
  "hostname": "nts1.time.nl",
  "is_near_expiry": false,
  "port": "4460",
  "valid_days": 57
}

or

./tlscheck2 -json -hostname nts1.time.nl -port 4460 -days 500; echo $?
{
  "expiry_date": "2026-01-18T08:00:29Z",
  "hostname": "nts1.time.nl",
  "is_near_expiry": true,
  "port": "4460",
  "valid_days": 57
}
Warning: The certificate is close to expiring!
1

Browser, unless you open DevTools, is not going to show you meaningful difference, because it doesn’t know what to do with HTTP 412. But i.e. curl will:

$ curl -v 'https://mon-tools.cincura.net/nts-cert?host=ntppool1.time.nl&days=5'
* Host mon-tools.cincura.net:443 was resolved.
* IPv6: 2001:67c:d74:66:be24:11ff:fe56:9cfc
* IPv4: 85.163.168.227
*   Trying [2001:67c:d74:66:be24:11ff:fe56:9cfc]:443...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* Connected to mon-tools.cincura.net (2001:67c:d74:66:be24:11ff:fe56:9cfc) port 443
* using HTTP/1.x
> GET /nts-cert?host=ntppool1.time.nl&days=5 HTTP/1.1
> Host: mon-tools.cincura.net
> User-Agent: curl/8.13.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Alt-Svc: h3=":443"; ma=2592000
< Content-Type: application/json; charset=utf-8
< Date: Fri, 21 Nov 2025 08:50:50 GMT
< Transfer-Encoding: chunked
<
{"subject":"CN=ntppool1.time.nl","issuer":"CN=E8, O=Let's Encrypt, C=US","notBefore":"2025-09-25T13:16:19+00:00","notAfter":"2025-12-24T13:16:18+00:00","thumbprint":"A546675A949B23BF8B8F5C8C3F1B00A026DFDEDC"}* Connection #0 to host mon-tools.cincura.net left intact

~
$ curl -v 'https://mon-tools.cincura.net/nts-cert?host=ntppool1.time.nl&days=500'
* Host mon-tools.cincura.net:443 was resolved.
* IPv6: 2001:67c:d74:66:be24:11ff:fe56:9cfc
* IPv4: 85.163.168.227
*   Trying [2001:67c:d74:66:be24:11ff:fe56:9cfc]:443...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* Connected to mon-tools.cincura.net (2001:67c:d74:66:be24:11ff:fe56:9cfc) port 443
* using HTTP/1.x
> GET /nts-cert?host=ntppool1.time.nl&days=500 HTTP/1.1
> Host: mon-tools.cincura.net
> User-Agent: curl/8.13.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 412 Precondition Failed
< Alt-Svc: h3=":443"; ma=2592000
< Content-Type: application/json; charset=utf-8
< Date: Fri, 21 Nov 2025 08:50:55 GMT
< Transfer-Encoding: chunked
<
{"subject":"CN=ntppool1.time.nl","issuer":"CN=E8, O=Let's Encrypt, C=US","notBefore":"2025-09-25T13:16:19+00:00","notAfter":"2025-12-24T13:16:18+00:00","thumbprint":"A546675A949B23BF8B8F5C8C3F1B00A026DFDEDC"}* Connection #0 to host mon-tools.cincura.net left intact

On the other hand, why not. Added expiresInDays.


About the uptime kuma screenshot.
It seems your setting checks the cert for https://mon-tools.cincura.net and not for the NTS host. (?)

Nope. It checks cert of NTS server, via status code.
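
Added example, not part of any post in this thread and not the code of the tool discussed: a Python version of the kind of check the thread describes, which does a verified TLS handshake with the NTS-KE port (4460 by default, ALPN `ntske/1` per RFC 8915), reads the certificate's notAfter and maps the result to 200 or 412. The function names, the `ok` field, the rule "fail when fewer than `days` whole days remain" and reporting a failed handshake as 412 are assumptions; `notAfter` and `expiresInDays` follow the field names mentioned above.

```python
import socket
import ssl
from datetime import datetime, timezone

NTS_KE_PORT = 4460        # default NTS-KE port (RFC 8915); overridable, as in the thread
NTS_KE_ALPN = "ntske/1"   # ALPN protocol ID registered for NTS-KE (RFC 8915)


def fetch_not_after(host, port=NTS_KE_PORT, timeout=5.0):
    """Verified TLS handshake with the NTS-KE port; returns the leaf cert's notAfter (UTC)."""
    ctx = ssl.create_default_context()          # verifies chain and hostname
    ctx.set_alpn_protocols([NTS_KE_ALPN])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]   # e.g. 'Dec 24 13:16:18 2025 GMT'
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def evaluate(not_after, days, now=None):
    """Assumed rule: 200 if at least `days` whole days remain, otherwise 412."""
    now = now or datetime.now(timezone.utc)
    remaining = (not_after - now).days           # floors, so an expired cert goes negative
    ok = remaining >= days
    body = {"notAfter": not_after.isoformat(), "expiresInDays": remaining, "ok": ok}
    return (200 if ok else 412), body


def check(host, days, port=NTS_KE_PORT):
    """Full check; an expired or untrusted cert fails the handshake and is reported as 412."""
    try:
        return evaluate(fetch_not_after(host, port), days)
    except (ssl.SSLError, OSError) as exc:
        return 412, {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Values taken from the curl output in the thread; no network access needed.
    cert_end = datetime.fromisoformat("2025-12-24T13:16:18+00:00")
    seen_at = datetime(2025, 11, 21, 8, 50, 50, tzinfo=timezone.utc)
    for days in (5, 500):
        print(days, evaluate(cert_end, days, now=seen_at))
```

For a live check, call `check("your.nts.host", 14)` or pass `port=` for a server on a non-standard NTS-KE port.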