alert on upcoming expirations
Vincent Batts be72e38bfc
main: adding too-soon remote to check a remote hosts cert
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2025-02-17 17:16:29 -05:00

too-soon

Alert on upcoming expirations, for example when the certificates for my domain expire too soon.

Default is expiration within 20 days.

Initial functionality

Arguments passed to the tool are PEM-encoded x509 files. If everything is fine there is no output at all. If any of the PEM x509 files has DNS names and its notAfter date is within 20 days of today, a text alert is written to stdout and the tool returns a non-zero exit code.

Install

go install git.batts.cloud/vbatts/too-soon@latest

Usage

With the pem command you run the check against PEM files local to the machine. The return code is the number of certificates that are within the expiration window or have already expired:

root@infra1:~/lb# too-soon pem letsencrypt/live/example.com-0002/fullchain.pem
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : TIME TO RENEW CERTIFICATE (already expired!) 
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : 2022-02-01 09:51:49 +0000 UTC 
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : [example.com] 
certificates need to be renewed
root@infra1:~/lb# echo $?
1

By default, if there are no expired or soon-to-expire certificates, nothing is printed to stdout. Use the --debug flag to see the expiration datetime and DNS names of the certificates:

root@infra1:~/lb# too-soon -D pem letsencrypt/live/example.com-0007/fullchain.pem
DEBU[0000] "letsencrypt/live/example.com-0007/fullchain.pem" : 2025-04-06 18:47:55 +0000 UTC
DEBU[0000] "letsencrypt/live/example.com-0007/fullchain.pem" : [example.com]

Likewise, you can check the expiration of a remote host's certificate with the remote command:

vbatts@jungle:~$ too-soon -D remote example.com
DEBU[0000] server: example.com
DEBU[0000] version: 772
DEBU[0000]  -- cert serial: 498c7524e0cbd9f3fba887d6b7bba9dacac
DEBU[0000] "example.com:443"(498c7524e0cbd9f3fba887d6b7bba9dacac) : 2025-04-06 18:47:55 +0000 UTC
DEBU[0000] "example.com:443"(498c7524e0cbd9f3fba887d6b7bba9dacac) : [example.com]
DEBU[0000]  -- cert serial: 838f6c63ceb1398c6206628315c9fdde
DEBU[0000]  -- cert: skipping as there are no DNS names
DEBU[0000]  -- cert serial: 498c7524e0cbd9f3fba887d6b7bba9dacac
DEBU[0000] "example.com:443"(498c7524e0cbd9f3fba887d6b7bba9dacac) : 2025-04-06 18:47:55 +0000 UTC
DEBU[0000] "example.com:443"(498c7524e0cbd9f3fba887d6b7bba9dacac) : [example.com]
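The check that the pem and remote commands perform, written out as a small Go program. This is an added example, not the project's own main.go: the 20-day window, port 443 and the "skip certificates without DNS names" rule come from the README above; the function names (checkCerts, parsePEMCerts, remoteCerts, selfSignedPEM), the output format and the constructed self-signed test certificate are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// checkCerts applies the README's rule: certs without DNS names (the CA and intermediate
// certs in a chain) are skipped; the rest are reported if NotAfter is before now+within.
func checkCerts(certs []*x509.Certificate, now time.Time, within time.Duration) []*x509.Certificate {
	var out []*x509.Certificate
	for _, c := range certs {
		if len(c.DNSNames) > 0 && c.NotAfter.Before(now.Add(within)) {
			out = append(out, c)
		}
	}
	return out
}

// parsePEMCerts decodes every CERTIFICATE block in a PEM bundle such as fullchain.pem.
func parsePEMCerts(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // private keys or other blocks in the same file are ignored
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 { // a truncated or non-PEM file must not pass as "all good"
		return nil, fmt.Errorf("no CERTIFICATE blocks found")
	}
	return certs, nil
}

// remoteCerts returns the chain a server presents on port 443. Verification is skipped on
// purpose: an already-expired cert is what we want to report, not a failed handshake.
func remoteCerts(host string) ([]*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", host+":443", &tls.Config{ServerName: host, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

// selfSignedPEM builds a constructed test certificate (not from the README) for offline runs.
func selfSignedPEM(dnsNames []string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed test cert"},
		DNSNames:     dnsNames,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// main mirrors `too-soon pem`: one line per finding, exit code = number of findings.
func main() {
	findings := 0
	for _, path := range os.Args[1:] {
		data, err := os.ReadFile(path)
		var certs []*x509.Certificate
		if err == nil {
			certs, err = parsePEMCerts(data)
		}
		if err != nil {
			fmt.Fprintf(os.Stderr, "%q : %v\n", path, err)
			findings++
			continue
		}
		for _, c := range checkCerts(certs, time.Now(), 20*24*time.Hour) {
			fmt.Printf("%q : %v : %s (expired=%v)\n", path, c.DNSNames, c.NotAfter.UTC(), c.NotAfter.Before(time.Now()))
			findings++
		}
	}
	os.Exit(findings)
}
```

Run it as `go run . fullchain.pem` to get the same silent-when-fine, non-zero-when-not behaviour the README describes; for the remote case, pass the result of remoteCerts into checkCerts instead of a parsed file. Two points worth noting from the debug output above: intermediate certificates in a chain carry no DNS names and are skipped, so a bundle whose leaf is fine but whose intermediate expires sooner produces no alert, and a file that contains no certificate at all is treated as an error rather than as a clean result.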

Combo

Whether you use a cron job or a systemd timer, you can chain this command into a daily or weekly job that emails you when certificates need renewing:

too-soon pem "fullchain.pem" || mail -s "$(hostname): certificates expire soon" webmaster@example.com