Apr 29 2018
 

Once you have your Let’s Encrypt certificate set up, two more things are needed. The first is setting up renewal, as the certificates don’t last more than 90 days. The second is often overlooked: actually monitoring how long remains before a certificate expires. If anything prevents your certificate from renewing, you definitely want to know about it.

My approach to this problem is to add an extra step to my daily e-mail report (I will assume here that you already have one set up). This bash code connects to a server, enumerates all certificates within the /etc/letsencrypt/ directory, extracts their names, and gives an extra warning if a certificate expires in less than 15 days.

Without further ado, here is the code excerpt:

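# Current time as epoch seconds
NOW=$(date +%s)

# Find every cert.pem under /etc/letsencrypt/ on the server
PEMS=$(ssh myuser@myserver.example.com find /etc/letsencrypt/ -name "cert.pem" -print)
for PEM in $PEMS
do
  # The certificate name is the directory that contains cert.pem
  NAME=$(echo "$PEM" | rev | cut -d'/' -f2 | rev)
  # openssl prints "notAfter=<date>"; keep only the date
  EXPIRY_RAW=$(ssh myuser@myserver.example.com openssl x509 -enddate -noout -in "$PEM" | cut -d= -f 2)
  # Convert the date to epoch seconds (BSD/macOS date syntax)
  EXPIRY=$(date -jf "%b %d %T %Y %Z" "$EXPIRY_RAW" "+%s")

  if [ -z "$EXPIRY" ]
  then
    # ssh, openssl or date failed, so there is nothing to compare
    echo "‼ $NAME expiry cannot be determined"
    continue
  fi

  REMAINING=$(( EXPIRY - NOW ))
  REMAINING_DAYS=$(( REMAINING / 86400 ))

  if (( REMAINING_DAYS >= 15 ))
  then
    echo "• $NAME expires in $REMAINING_DAYS days"
  elif (( REMAINING < 0 ))
  then
    # Previously reported as "cannot be determined"
    echo "‼ $NAME has expired"
  else
    echo "‼ $NAME expires in $REMAINING_DAYS days"
  fi
done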
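
The `date -jf` call above is the BSD/macOS form, and GNU `date` on Linux does not accept it. The following is an added example, not part of the original post (the function names are hypothetical): it converts the `notAfter` value to epoch seconds with shell arithmetic only, so the same report works wherever the script runs, and it assumes OpenSSL's usual `Mon DD HH:MM:SS YYYY GMT` output.

```shell
# Added example, not from the original post; function names are hypothetical.

# Print epoch seconds for an OpenSSL notAfter value such as
# "May 29 12:00:00 2018 GMT"; exit status 1 if it does not parse.
notafter_to_epoch() (
  set -f                                  # no globbing while word-splitting
  set -- $1                               # -> Mon DD HH:MM:SS YYYY TZ
  if [ $# -ne 5 ] || [ "$5" != GMT ]; then exit 1; fi
  d=${2#0} hms=$3 y=$4
  case $1 in
    Jan) m=1 ;; Feb) m=2 ;; Mar) m=3 ;; Apr) m=4 ;; May) m=5 ;; Jun) m=6 ;;
    Jul) m=7 ;; Aug) m=8 ;; Sep) m=9 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
    *) exit 1 ;;
  esac
  IFS=:; set -- $hms                      # -> HH MM SS
  if [ $# -ne 3 ]; then exit 1; fi
  h=${1#0} mi=${2#0} s=${3#0}             # drop leading 0 so 08/09 are not read as octal
  case "$d$y$h$mi$s" in ''|*[!0-9]*) exit 1 ;; esac
  # Days since 1970-01-01, counting the year from March so the leap day comes last
  if [ "$m" -le 2 ]; then y=$(( y - 1 )); fi
  yoe=$(( y % 400 ))
  doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
  days=$(( (y / 400) * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
  echo $(( days * 86400 + h * 3600 + mi * 60 + s ))
)

# Print one report line in the post's format: $1 name, $2 notAfter, $3 now (epoch seconds).
cert_status() {
  if ! expiry=$(notafter_to_epoch "$2"); then
    echo "‼ $1 expiry cannot be determined"; return 0
  fi
  remaining=$(( expiry - $3 ))
  days=$(( remaining / 86400 ))
  if [ "$remaining" -lt 0 ]; then
    echo "‼ $1 has expired"
  elif [ "$days" -lt 15 ]; then
    echo "‼ $1 expires in $days days"
  else
    echo "• $1 expires in $days days"
  fi
}

# Constructed sample: made-up certificate name and date, fixed "now" (2018-05-01 00:00:00 GMT)
cert_status example.com "May 29 12:00:00 2018 GMT" 1525132800
```

Inside the loop from the post, the call would be `cert_status "$NAME" "$EXPIRY_RAW" "$NOW"`.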
