2025-02-16 14:02:09 UTC

Kevin P. Fleming on Nostr: For those who want a local (non-cloud) tool for checking TLS certificate expiration ...

For those who want a local (non-cloud) tool for checking TLS certificate expiration as a result of Let's Encrypt dropping support for expiration notices via email, here's a small shell script which will do it. It needs the OpenSSL command-line tool and an email sender (I use msmtp):

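#!/bin/bash

# If no certificates match the glob below, run the loop zero times
# instead of passing the literal pattern to openssl.
shopt -s nullglob

# Template placeholder: replace with the warning threshold in days.
MINIMUM_EXPIRY_DAYS={{ minimum_expiry_days }}
# openssl -checkend takes its threshold in seconds.
MINIMUM_EXPIRY=$((${MINIMUM_EXPIRY_DAYS} * 86400))

for cert in /etc/letsencrypt/live/*/cert.pem
do
    echo "Checking ${cert}"
    # -checkend exits non-zero when the certificate expires within the threshold.
    if ! openssl x509 -noout -in "${cert}" -checkend "${MINIMUM_EXPIRY}" > /dev/null
    then
        # msmtp reads the envelope sender and recipients from the headers below.
        msmtp --read-envelope-from --read-recipients <<EOF
From: (sender address here)
To: (recipient address here)
Subject: Certificate Expiration Alert

${cert} will expire in fewer than ${MINIMUM_EXPIRY_DAYS} days.
EOF
    fi
done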

CC

#LetsEncrypt