In Red Hat there is a script called certwatch that warns when Apache certificates are about to expire. Is there anything similar for Ubuntu? Thanks.

3 Answers

It seems certwatch has also been split from RHEL, and is also available as a stand-alone script.

In addition, there is a script called ssl-cert-check that also can check expiry of certificates.

Usage:

$ ssl-cert-check -s {SERVER_NAME} -p {PORT}

The script is described here.

Finally, you can also use openssl directly to get the expiry date and time:

$ echo | openssl s_client -servername {SERVER_NAME} -connect {SERVER_NAME}:{PORT} | openssl x509 -noout -dates

(although Artur's answer probably helps us not recreate the wheel)

openssl has a "check date" flag... easily usable in a cron job (or script)

On local certs: (I have a cert with the filename pulled192.168.13.5.pem)

Outputs the expiration date:

openssl x509 -in pulled192.168.13.5.pem -noout -enddate

notAfter=Jul 23 17:56:34 2025 GMT

The -checkend flag accepts your date (think number of days) input in seconds. It outputs whether the cert is expiring or not within your input timeframe (in seconds):

openssl x509 -in pulled192.168.13.5.pem -noout -checkend 9999

Certificate will not expire

Combine both flags:

openssl x509 -in pulled192.168.13.5.pem -noout -enddate -checkend 9999

notAfter=Jul 23 17:56:34 2025 GMT
Certificate will not expire

openssl x509 -in pulled192.168.13.5.pem -noout -enddate -checkend 99999999999

notAfter=Jul 23 17:56:34 2025 GMT
Certificate will expire

Or pulled remotely:

openssl s_client -connect 192.168.13.3:443 </dev/null 2>/dev/null | openssl x509 -noout -enddate -checkend 9999

notAfter=Mar 20 18:54:38 2023 GMT
Certificate will not expire

openssl s_client -connect 192.168.13.3:443 </dev/null 2>/dev/null | openssl x509 -noout -enddate -checkend 99999999999

notAfter=Mar 20 18:54:38 2023 GMT
Certificate will expire

To answer the question: (to "script" it....)

On the command line this works: (I have another local cert that expires in less than 10 days)

This will display a custom notification with notify-send if the cert is expiring in under 10 days (864000 seconds):

openssl x509 -in signed.domain.pem -checkend 864000 -noout || notify-send "Cert will expire soon"

To additionally display the number of days we are testing for in the notification, we would change the secs value here instead of directly changing the -checkend value when we want to increase/decrease the number of days tested until cert expiration:

secs=864000; let days=$secs/60/60/24; openssl x509 -in signed.domain.pem -checkend $secs -noout || notify-send "Cert will expire soon (less than $days days)"
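
A cron-oriented version of the `-checkend` check described in the answer above, added here as an example and not part of any poster's answer. It separates "expiring" from "file could not be parsed", which `openssl x509 -checkend` alone reports with the same exit status 1. The function names, the 0/1/2 exit-code convention and the path in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: certwatch-style expiry check built on `openssl x509 -checkend`.
# Function names and exit codes are this example's own conventions.

# cert_expiry_status FILE DAYS
#   0 = valid for more than DAYS days
#   1 = expires (or has already expired) within DAYS days
#   2 = missing or not a parseable PEM certificate
# `-checkend` exits 1 both for an expiring cert and for a load error,
# so the file is parsed first to keep the two cases apart.
cert_expiry_status() {
    file=$1
    secs=$(( $2 * 86400 ))
    openssl x509 -in "$file" -noout >/dev/null 2>&1 || return 2
    openssl x509 -in "$file" -noout -checkend "$secs" >/dev/null 2>&1 || return 1
    return 0
}

# check_certs DAYS FILE...
#   Prints one line per certificate needing attention; returns 1 if any did.
check_certs() {
    days=$1; shift
    rc=0
    for f in "$@"; do
        status=0
        cert_expiry_status "$f" "$days" || status=$?
        case $status in
            1) echo "EXPIRING $f $(openssl x509 -in "$f" -noout -enddate)"; rc=1 ;;
            2) echo "UNREADABLE $f"; rc=1 ;;
        esac
    done
    return $rc
}

# make_demo_cert FILE DAYS
#   Constructed sample input: a throwaway self-signed cert valid for DAYS days.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=demo.invalid" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1 && rm -f "$1.key"
}

# Cron usage (hypothetical path): certcheck.sh 10 /etc/ssl/certs/site.pem
# Output appears only when something needs attention, so cron mails only then.
if [ "$#" -ge 2 ]; then
    check_certs "$@"
fi
```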

I grew tired of typing openssl commands, so I now use (and maintain) the wrapper scripts named https-* listed here.
