by kevinconroy 4985 days ago
The SSL certificate expired Tuesday, May 8, 2012.

Pro tip: Set up monitoring alerts on your SSL certs to alert your sys admin when they are getting close.

For example, here's a Nagios SSL expiration alert: http://exchange.nagios.org/directory/Plugins/Network-Protoco...

4 comments

I wrote an application a while ago which would connect to an SSL service and print out how many days until expiry. It works with network ranges and supports IPv6 also. It was designed with the aim of having something useful to stick in a cron job. So if you specify "--expires-within 14" for example, it will only output data for certificates that will expire within the next 14 days. For example:

  mike@alfa:~$ sslScanner.pl contracts.comcast.com news.ycombinator.com smtp.gmail.com:465
                               IP Address   Port  Days Left  Common Name
                             130.94.78.15    443       -172  contracts.comcast.com
                          174.132.225.106    443        934  news.ycombinator.com
                           173.194.78.108    465        222  smtp.gmail.com
                           173.194.78.109    465        222  smtp.gmail.com
              2a00:1450:400c:c00:0:0:0:6d    465        222  smtp.gmail.com
  mike@alfa:~$

You can get it from https://github.com/mikecardwell/sslScanner

Respectable CAs (perhaps that's an oxymoron) will email the contact email address ahead of time warning about the expiration.

Respectable CAs will email you a warning about a month before it expires.

Disreputable CAs will email you 3-4 months before it expires, emphasising that you need to "ACT NOW" (GoDaddy is guilty of this).

The standard https check has it built-in with the right flags. Use -h or --help to figure it out. (They provide different output)

That would be

  /usr/lib/nagios/plugins/check_http --ssl -C 30 -H contracts.comcast.com
  CRITICAL - Certificate expired on 05/08/2012 23:59.

You can also use openssl's built-in utility* to see that the certificate has expired:

  openssl s_client -showcerts -connect contracts.comcast.com:443

*You may also need to specify the path to your certificates using something like: -CApath /etc/ssl/certs/

To get the exact expiration date, it appears you have to do:

1) download cert:

  openssl s_client -connect hostname:port > cert.pem

2) verify date:

  openssl x509 -in cert.pem -noout -enddate
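
The date check from the two steps above, scripted for a cron job in the spirit of the "--expires-within" option mentioned earlier in the thread. This is an added example, not code from any commenter or from sslScanner; the function names, sample hosts and dates are assumptions made for illustration.

```python
import ssl
import subprocess
from datetime import datetime, timezone


def days_left(enddate_line, now=None):
    """Whole days until the date in a 'notAfter=...' line; negative if expired."""
    key, _, value = enddate_line.strip().partition("=")
    if key != "notAfter" or not value:
        raise ValueError(f"not an -enddate line: {enddate_line!r}")
    expires = ssl.cert_time_to_seconds(value)  # e.g. 'May  8 23:59:59 2012 GMT'
    now = now or datetime.now(timezone.utc)
    # Floor division rounds toward "less time left", the safe side for an alert.
    return int((expires - now.timestamp()) // 86400)


def fetch_enddate(host, port=443, timeout=10):
    """Live lookup: the two openssl steps from the thread, with stdin closed."""
    target = f"{host}:{port}"
    handshake = subprocess.run(
        ["openssl", "s_client", "-connect", target, "-servername", host],
        stdin=subprocess.DEVNULL, capture_output=True, timeout=timeout)
    enddate = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate"],
        input=handshake.stdout, capture_output=True, check=True)
    return enddate.stdout.decode().strip()


def expiring(enddates, within_days, now=None):
    """Return [(days_left, name)] at or under the threshold, soonest first."""
    rows = [(days_left(line, now), name) for name, line in enddates.items()]
    return sorted(row for row in rows if row[0] <= within_days)


# Constructed sample: hosts and dates are made up, in openssl's -enddate format.
SAMPLE = {
    "expired.example:443": "notAfter=May  8 23:59:59 2012 GMT",
    "soon.example:443": "notAfter=Nov  5 12:00:00 2012 GMT",
    "fine.example:465": "notAfter=Jun  7 00:00:00 2013 GMT",
}
NOW = datetime(2012, 10, 28, 12, 0, tzinfo=timezone.utc)  # fixed clock, repeatable run

if __name__ == "__main__":
    for days, name in expiring(SAMPLE, within_days=14, now=NOW):
        print(f"{days:>6}  {name}")
```

For live hosts, build the dictionary with fetch_enddate() instead of SAMPLE and leave now unset so the current time is used.
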

You rock, sir. I was on my phone so I couldn't look it up when I wrote the OP. Thanks.

And on top of that, any registrar I have ever used sends me email alerts to let me know they are about to expire. A lot like domain names.

It amazes me that these SSL errors stay this way so long. Even Google has been guilty of this in the past.