Monitoring Certificate Expiration

Once you get Let’s Encrypt certificate setup, there are two more things needed. First one is setting up renewal as our certificates don’t last more than 90 days. The second one is often overlooked – actually monitoring how long before certificate expires. If anything prevents your certificate renewing, you definitely want to know it.

My approach to this problem is introducing an extra step in my daily e-mail report (I will assume here you have one setup already). This bash code will connect to a server, enumerate all certificates within /etc/letsencrypt/ directory, extract their name, and give an extra warning if certificate is expiring in less than 15 days.

Without the further ado, here is the code excerpt:

Terminal
NOW=`date +%s`

PEMS=`ssh myuser@myserver.example.com find /etc/letsencrypt/ -name "cert.pem" -print`
for PEM in $PEMS
do
NAME=`echo $PEM | rev | cut -d'/' -f2 | rev`
EXPIRY_RAW=`ssh myuser@myserver.example.com openssl x509 -enddate -noout -in "$PEM" | cut -d= -f 2`
EXPIRY=`date -jf "%b %d %T %Y %Z" "$EXPIRY_RAW" "+%s"`
REMAINING=$(( EXPIRY - NOW ))
REMAINING_DAYS=$(( REMAINING / 86400 ))

if (( REMAINING_DAYS >= 15 ))
then
echo "• $NAME expires in $REMAINING_DAYS days"
else
if (( REMAINING_DAYS < 0 ))
then
echo "‼ $NAME expiry cannot be determined"
else
echo "‼ $NAME expires in $REMAINING_DAYS days"
fi
fi
done

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.