by Macha 1597 days ago
I have a super hacky job for this personally on my personal infrastructure after acme.sh failed to renew too many times, which runs a bash script in a cron job to use openssl s_client, greps for the notAfter field, passes it through python to parse the date into remaining days, then sends a message to my gotify setup.

I'll probably rewrite it as a single rust binary one of these days.

4 comments

Sounds similar to my setup. I have a bash script which takes a list of TCP addresses (host:port), contacts each one using openssl s_client, and uses the notAfter field to calculate how many days until expiration. I use the date command to parse the date that's returned from openssl and convert it to seconds.

The core of the script is this snippet of bash, where $target is of the format host:port.

    cert_exp_date=$(echo | openssl s_client -connect "$target" 2>/dev/null | openssl x509 -noout -enddate | cut -d= -f 2 | head -c 20 )
    if [ -n "${cert_exp_date}" ]; then
      cert_exp_date_seconds="$(date --date="${cert_exp_date}" +%s)"
      now_seconds="$(date +%s)"
      exp_days="$(( ( cert_exp_date_seconds - now_seconds ) / 86400 ))"
      echo "certificate_expiration_days,name=${name},target=${target} days=${exp_days}"
    fi

The script is executed as a Telegraf exec input so that the data can be fed into my general monitoring setup (InfluxDB and Grafana). I have a Grafana alert for each host.
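
An added example, not part of the comment above: the same notAfter arithmetic as a POSIX sh script, with the edge cases handled (no certificate retrieved, floor division after expiry, the GMT suffix kept). It assumes GNU date and the openssl CLI; the function names and the 21/7-day thresholds are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU date and the openssl CLI.

# days_until NOTAFTER [NOW_EPOCH]: whole days left, negative once expired.
# NOTAFTER is what openssl prints after "notAfter=".
days_until() {
  # GNU date parses an empty string as "today 00:00", so reject it explicitly.
  [ -n "$1" ] || return 1
  _now=${2:-$(date +%s)}
  # Pass the full string, including "GMT", so date does not assume local time.
  _exp=$(date --date="$1" +%s 2>/dev/null) || return 1
  _diff=$(( _exp - _now ))
  # Shell division truncates toward zero; floor instead so a certificate
  # that expired an hour ago reports -1 rather than 0.
  if [ "$_diff" -lt 0 ]; then
    echo $(( (_diff - 86399) / 86400 ))
  else
    echo $(( _diff / 86400 ))
  fi
}

# classify DAYS [WARN] [CRIT]: OK, WARN, CRIT or EXPIRED (thresholds are assumptions).
classify() {
  _warn=${2:-21}; _crit=${3:-7}
  if   [ "$1" -lt 0 ];        then echo EXPIRED
  elif [ "$1" -le "$_crit" ]; then echo CRIT
  elif [ "$1" -le "$_warn" ]; then echo WARN
  else echo OK
  fi
}

# check_target HOST:PORT: one status line per target. A failed connection is
# reported as UNKNOWN instead of printing nothing, so a dead host still alerts.
check_target() {
  _host=${1%:*}
  _end=$(openssl s_client -connect "$1" -servername "$_host" </dev/null 2>/dev/null \
         | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
  if ! _days=$(days_until "$_end"); then
    echo "UNKNOWN $1 no certificate retrieved"
    return 3
  fi
  echo "$(classify "$_days") $1 days=$_days notAfter=$_end"
}

# Usage: ./certdays.sh host:port [host:port ...]
for _t in "$@"; do check_target "$_t" || true; done
```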

If you're already using Python, there is a very good module for this:

https://pypi.org/project/sslyze/

Can use it from the command line too:

  python -m sslyze news.ycombinator.com

Why not? It's for my home lab to play around and gives me a chance to mess around with some lower level TLS stuff.

(Also acme.sh has soured me a bit on multi-thousand line shell scripts)

I've been fairly satisfied with dehydrated.io.

I hand-rolled some scripts a while back to do this, and example.com/feature was on a different machine than feature.com...still had some downtime when it wasn't replaced along with the rest.