ssl-cert-check
Check expiry dates of local and remote SSL certificates
BSD-2-CLAUSE License
ssl-cert-check
Usage:
./ssl-cert-check <days> <certspec1,certspec2,...>./ssl-cert-check <days> --list=<FILE>./ssl-cert-check <days> --glob=<FILE>
This tool will warn you if any of the specified certificates expires in the next <days> days. If the --list mode is used, the file is expected to contain one certspec per line. Similarly, --glob mode expects one certspec per line in the given file, but each line will be evaluated as a wildcard glob pattern. In both cases, lines starting with the character '#' as well as empty lines will be ignored.
Parameters
The first parameter is the number of days to warn in advance for expiring certificates. All following parameters are treated as certificate specifications and can be in one of the following formats:
-
An absolute path to a x509 PEM certificate file For example:
- /etc/apache2/ssl/example.org.pem
-
A file://<path> URI For example:
- file:///etc/apache2/ssl/example.org.pem
-
A ssl://<host>:<port> URI For example: * ssl://example.org:443
-
A <proto>://<host>[:<port>] URI, this is the same as ssl://<host>:<proto>. The real port number is usually looked up in /etc/services, note that you often need the one with the 's' suffix, like "https", "imaps", etc. For example:
- https://example.org
- imaps://example.org (same as ssl://example.org:993)
-
A <proto>+starttls://<host>[:<port>] URI Use the STARTTLS command to start a in-protocol TLS session after opening an unencrypted connection. The openssl s_client needs to support this protocol. At time of this writing, the supported protocols are "smtp", "pop3", "imap", "ftp" and "xmpp". For example:
- imap+starttls://example.org
- smtp+starttls://example.org:587
Examples
Example for your crontab:
MAILTO=root
6 6 * * * nobody /usr/local/bin/ssl-cert-check 30 /etc/apache2/ssl/*.crt /etc/ssl/certs/dovecot.pem https://localhost ssl://localhost:465 smtp+starttls://localhost:587