Once you have your Let’s Encrypt certificate set up, two more things are needed. The first is setting up renewal, as the certificates don’t last more than 90 days. The second is often overlooked: actually monitoring how long remains before a certificate expires. If anything prevents your certificate from renewing, you definitely want to know about it.
My approach to this problem is to introduce an extra step in my daily e-mail report (I will assume here you have one set up already). This bash code connects to a server, enumerates all certificates within the /etc/letsencrypt/ directory, extracts their names, and gives an extra warning if a certificate is expiring in less than 15 days.
Without further ado, here is the code excerpt:
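NOW=`date +%s`
# List every Let's Encrypt certificate on the remote server
PEMS=`ssh email@example.com find /etc/letsencrypt/ -name "cert.pem" -print`
for PEM in $PEMS
do
    # The certificate name is the directory that contains cert.pem
    NAME=`echo $PEM | rev | cut -d'/' -f2 | rev`
    EXPIRY_RAW=`ssh firstname.lastname@example.org openssl x509 -enddate -noout -in "$PEM" | cut -d= -f 2`
    # BSD date syntax (-j -f): convert the notAfter string to epoch seconds
    EXPIRY=`date -jf "%b %d %T %Y %Z" "$EXPIRY_RAW" "+%s"`
    REMAINING=$(( EXPIRY - NOW ))
    REMAINING_DAYS=$(( REMAINING / 86400 ))
    if (( REMAINING_DAYS >= 15 ))
    then
        echo "• $NAME expires in $REMAINING_DAYS days"
    elif (( REMAINING_DAYS < 0 ))
    then
        # An empty EXPIRY (failed lookup or parse) evaluates as 0, so the result is negative
        echo "‼ $NAME expiry cannot be determined"
    else
        echo "‼ $NAME expires in $REMAINING_DAYS days"
    fi
done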
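The script above reports any negative result as "cannot be determined", which also covers a certificate that has already expired, and its date call only works with BSD date. The following is an added example, not part of the original script, that separates those two cases and parses the date with either BSD or GNU date; the function names and the "expired N days ago" wording are assumptions made for illustration.

```bash
# Added example. Input is the notAfter string printed by
# `openssl x509 -enddate -noout` after the "notAfter=" prefix is cut off.

# Convert a notAfter string to epoch seconds; prints nothing on failure.
enddate_to_epoch() {
    # BSD date (FreeBSD/macOS) form first, as used on the page, then GNU date
    date -u -jf "%b %d %T %Y %Z" "$1" "+%s" 2>/dev/null ||
    date -u -d "$1" "+%s" 2>/dev/null ||
    true
}

# Print one report line: cert_status NAME EXPIRY_EPOCH NOW_EPOCH [WARN_DAYS]
# WARN_DAYS defaults to the 15-day threshold used on the page.
cert_status() {
    name=$1 expiry=$2 now=$3 warn_days=${4:-15}
    case "$expiry" in
        ''|*[!0-9]*)
            # Lookup or parse failed: no usable epoch value
            echo "‼ $name expiry cannot be determined"
            return 0 ;;
    esac
    remaining=$(( expiry - now ))
    if [ "$remaining" -lt 0 ]; then
        # Parsed correctly but already in the past
        echo "‼ $name expired $(( -remaining / 86400 )) days ago"
    elif [ "$remaining" -lt $(( warn_days * 86400 )) ]; then
        echo "‼ $name expires in $(( remaining / 86400 )) days"
    else
        echo "• $name expires in $(( remaining / 86400 )) days"
    fi
}

# Glue for the daily report: report_cert NAME "NOTAFTER STRING"
report_cert() {
    cert_status "$1" "$(enddate_to_epoch "$2")" "$(date +%s)"
}
```

Inside the loop, `report_cert "$NAME" "$EXPIRY_RAW"` would take the place of the date conversion and the if block.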