Skip to main content

Tag: ssl

Automatic check for expiring SSL certificates

Patrick Leave a comment

A quick solution to periodically check your certificates for expiring and get a notification via mail before they expire. I have multiple PKI’s and found it really useful to have such a automatic service.

The tool ssl-cert-check, which is part of the Debian package repository, does a quite good job finding expiring certificates but unfortunately doesn’t support analyzing directories. Luckily the author of this tool implemented this feature in the latest version available on GitHub.

First we have to clone the repo to have the latest version available on our system.

cd /opt
git clone https://github.com/Matty9191/ssl-cert-check.git
ln -s /opt/ssl-cert-check/ssl-cert-check /usr/local/bin/

I created a small shell script which does the actually check and send a mail if a certificate will expire in <=60 Days. Gist also available here.

#!/usr/bin/env bash

SH=$(readlink -f "${0}")
SH_PATH=$(dirname "${SH}")

CERT_DIR="${SH_PATH}/certs/*"
EXP_DAYS=60

SENDER="certs@foo.bar.com"
SEND_TO="root@foo.bar.com"

ssl-cert-check -a -d "${CERT_DIR}/*.crt" -q -x ${EXP_DAYS} -E ${SENDER} -e ${SEND_TO}
exit $?

I placed the script within the ssl-cert-check folder. The script will check all certificates in the subfolder certs. Here is the folder structure:

drwxr-xr-x 2 root root 4.0K Feb 13 18:29 certs
-rwxr-xr-x 1 root root  280 Feb 13 18:42 check-certs
drwxr-xr-x 8 root root 4.0K Feb 13 18:16 .git
-rw-r--r-- 1 root root  15K Dec 17 12:56 LICENSE
-rw-r--r-- 1 root root 3.3K Dec 17 12:56 README.md
-rwxr-xr-x 1 root root  31K Feb 13 18:16 ssl-cert-check

To include certificates, we just need to create a symlink in the certs folder. I added links to my easy-rsa PKI’s to include them.

lrwxrwxrwx 1 root root 27 Feb 13 18:29 ipsec-pki -> /etc/ipsec.d/pki/db/issued/
lrwxrwxrwx 1 root root 27 Feb 13 18:27 openvpn-pki -> /etc/openvpn/pki/db/issued/
lrwxrwxrwx 1 root root 25 Feb 13 18:22 root-pki -> /var/certs/pki/db/issued/

For a periodically check, we finally need to add the script to the cron daemon. For a daily check:

ln -s /opt/ssl-cert-check/check-certs /etc/cron.daily/