Created
November 28, 2016 04:49
Checks a domain for SSL cert validity
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
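#!/bin/sh
# Original source: http://superuser.com/a/620188/561192
# A few modifications to send an email and potentially account for running on linux
#
# For each host:port entry below, fetch the certificate the server presents
# and warn (syslog local6.warn, plus an email for expiry) when it is not yet
# valid or has fewer than $warning_days days left.
#
# Scope: only the notBefore/notAfter dates are examined. The chain of trust
# and the hostname match are NOT verified, and s_client's stderr is discarded,
# so an untrusted or wrong-host certificate with good dates passes silently.
# Pair this with a real TLS verification check if that matters to you.

DEBUG=false
warning_days=29 # Number of days to warn about soon-to-expire certs
certs_to_check='google.com:443
www.apple.com:443'

# Deliberately unquoted: the list is split on whitespace into host:port words.
for CERT in $certs_to_check
do
  $DEBUG && echo "Checking cert: [$CERT]"

  # Send the hostname as SNI. Without it, older OpenSSL builds get the
  # server's default certificate, which on a shared host may not be the
  # certificate actually served for this name.
  host=${CERT%:*}

  # stdin from /dev/null makes s_client exit once the handshake is done.
  # Plain sh has no pipefail, so the status tested here is that of the final
  # "openssl x509", which fails when no certificate reached it.
  if ! output=$(openssl s_client -connect "$CERT" -servername "$host" </dev/null 2>/dev/null |
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
    openssl x509 -noout -subject -dates 2>/dev/null); then
    $DEBUG && echo "Error connecting to host for cert [$CERT]"
    logger -p local6.warn "Error connecting to host for cert [$CERT]"
    continue
  fi

  # Pull each date from its own line; quoting "$output" keeps the line
  # structure, so text in the subject line cannot confuse the match.
  start_date=$(printf '%s\n' "$output" | sed -n 's/^notBefore=//p')
  end_date=$(printf '%s\n' "$output" | sed -n 's/^notAfter=//p')
  $DEBUG && echo "Start Date [$start_date], End Date: [$end_date]"

  # GNU date treats an empty -d argument as "today 00:00", which would turn
  # a parsing failure into a bogus expiry warning; reject empty dates first.
  if [ -z "$start_date" ] || [ -z "$end_date" ]; then
    $DEBUG && echo "Could not read validity dates for cert [$CERT]"
    logger -p local6.warn "Could not read validity dates for cert [$CERT]"
    continue
  fi

  # OSX with gnu tools installed via homebrew
  # brew install coreutils
  # start_epoch=$(gdate +%s -d "$start_date")
  # end_epoch=$(gdate +%s -d "$end_date")
  # epoch_now=$(gdate +%s)
  start_epoch=$(date +%s -d "$start_date" 2>/dev/null)
  end_epoch=$(date +%s -d "$end_date" 2>/dev/null)
  epoch_now=$(date +%s)

  # A date(1) without GNU's -d (e.g. stock BSD/macOS) yields nothing here;
  # skip the entry rather than feed empty operands to the numeric tests.
  if [ -z "$start_epoch" ] || [ -z "$end_epoch" ]; then
    $DEBUG && echo "Could not convert validity dates for cert [$CERT]"
    logger -p local6.warn "Could not convert validity dates for cert [$CERT]"
    continue
  fi

  if [ "$start_epoch" -gt "$epoch_now" ]; then
    $DEBUG && echo "Certificate for [$CERT] is not yet valid"
    logger -p local6.warn "Certificate for $CERT is not yet valid"
  fi

  seconds_to_expire=$((end_epoch - epoch_now))
  days_to_expire=$((seconds_to_expire / 86400))
  $DEBUG && echo "Days to expiry: ($days_to_expire)"

  # An already-expired certificate has a negative remainder and is therefore
  # reported by this branch as well.
  warning_seconds=$((86400 * warning_days))
  if [ "$seconds_to_expire" -lt "$warning_seconds" ]; then
    $DEBUG && echo "Cert [$CERT] is soon to expire ($seconds_to_expire seconds)"
    logger -p local6.warn "cert [$CERT] is soon to expire ($seconds_to_expire seconds)"
    # Linux
    # Name the certificate in the body so the recipient knows which host to
    # look at. The subject is kept as-is; it says 30 days while the actual
    # threshold is $warning_days.
    printf '%s\n%s\n' \
      "Cert [$CERT] expires in $days_to_expire days (notAfter: $end_date)." \
      "Check that letsencrypt is running?" |
      mail -r "FROM@THESERVER.com" -s "SSL certs expiring in less than 30 days" "TO@THEADMIN.com"
  fi
done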