A quick solution to periodically check your certificates for expiring and get a notification via mail before they expire. I have multiple PKI’s and found it really useful to have such a automatic service.
The tool ssl-cert-check, which is part of the Debian package repository, does a quite good job finding expiring certificates but unfortunately doesn’t support analyzing directories. Luckily the author of this tool implemented this feature in the latest version available on GitHub.
First we have to clone the repo to have the latest version available on our system.
cd /opt git clone https://github.com/Matty9191/ssl-cert-check.git ln -s /opt/ssl-cert-check/ssl-cert-check /usr/local/bin/
I created a small shell script which does the actually check and send a mail if a certificate will expire in <=60 Days. Gist also available here.
#!/usr/bin/env bash SH=$(readlink -f "${0}") SH_PATH=$(dirname "${SH}") CERT_DIR="${SH_PATH}/certs/*" EXP_DAYS=60 SENDER="certs@foo.bar.com" SEND_TO="root@foo.bar.com" ssl-cert-check -a -d "${CERT_DIR}/*.crt" -q -x ${EXP_DAYS} -E ${SENDER} -e ${SEND_TO} exit $?
I placed the script within the ssl-cert-check folder. The script will check all certificates in the subfolder certs. Here is the folder structure:
drwxr-xr-x 2 root root 4.0K Feb 13 18:29 certs -rwxr-xr-x 1 root root 280 Feb 13 18:42 check-certs drwxr-xr-x 8 root root 4.0K Feb 13 18:16 .git -rw-r--r-- 1 root root 15K Dec 17 12:56 LICENSE -rw-r--r-- 1 root root 3.3K Dec 17 12:56 README.md -rwxr-xr-x 1 root root 31K Feb 13 18:16 ssl-cert-check
To include certificates, we just need to create a symlink in the certs folder. I added links to my easy-rsa PKI’s to include them.
lrwxrwxrwx 1 root root 27 Feb 13 18:29 ipsec-pki -> /etc/ipsec.d/pki/db/issued/ lrwxrwxrwx 1 root root 27 Feb 13 18:27 openvpn-pki -> /etc/openvpn/pki/db/issued/ lrwxrwxrwx 1 root root 25 Feb 13 18:22 root-pki -> /var/certs/pki/db/issued/
For a periodically check, we finally need to add the script to the cron daemon. For a daily check:
ln -s /opt/ssl-cert-check/check-certs /etc/cron.daily/