SSL on Upsonar Bloghttps://upsonar.io/blog/categories/ssl/Recent content in SSL on Upsonar BlogHugoen-usThu, 19 Feb 2026 00:00:00 +0000Why Most SSL Certificate Monitors Are Blind (And How to Fix It)https://upsonar.io/blog/why-most-ssl-monitors-are-blind/Thu, 19 Feb 2026 00:00:00 +0000https://upsonar.io/blog/why-most-ssl-monitors-are-blind/<p>Google &ldquo;golang check ssl certificate&rdquo; and every example looks like this:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="nx">conn</span><span class="p">,</span> <span class="nx">_</span> <span class="o">:=</span> <span class="nx">tls</span><span class="p">.</span><span class="nf">Dial</span><span class="p">(</span><span class="s">&#34;tcp&#34;</span><span class="p">,</span> <span class="s">&#34;example.com:443&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="o">&amp;</span><span class="nx">tls</span><span class="p">.</span><span class="nx">Config</span><span class="p">{</span><span class="nx">InsecureSkipVerify</span><span class="p">:</span> <span class="kc">true</span><span class="p">})</span> </span></span><span class="line"><span class="cl"><span class="nx">cert</span> <span class="o">:=</span> <span class="nx">conn</span><span class="p">.</span><span class="nf">ConnectionState</span><span class="p">().</span><span class="nx">PeerCertificates</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="nx">fmt</span><span class="p">.</span><span class="nf">Println</span><span class="p">(</span><span class="nx">cert</span><span class="p">.</span><span class="nx">NotAfter</span><span class="p">)</span> <span class="c1">// 2026-03-16</span> </span></span></code></pre></div><p>53 days left. Great. Ship it.</p> <p>But your monitor just became blind to 3 out of 4 certificate problems.</p> <h2 id="the-insecureskipverify-trap">The InsecureSkipVerify trap</h2> <p><code>InsecureSkipVerify: true</code> skips all certificate validation - expiry, trust chain, hostname match. The connection is still encrypted, but Go won&rsquo;t check if the cert is actually valid.</p> <p>Why do examples use it? Without it, Go refuses to connect if anything is wrong. You get an error instead of certificate details. For a quick script, that&rsquo;s inconvenient.</p>