From 9b8dbd620c3df953b3a81875ae41db470c959974 Mon Sep 17 00:00:00 2001
From: Vincent Batts
Date: Mon, 17 Feb 2025 15:29:10 -0500
Subject: [PATCH] README: install and usage

Signed-off-by: Vincent Batts
---
 README.md | 37 +++++++++++++++++++++++++++++++++++++
 main.go | 12 +++++++-----
 2 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index f7a24b5..d579ad1 100644
--- a/README.md
+++ b/README.md
@@ -11,3 +11,40 @@ Arguments passed to the tool are PEM encoded x509 files. No output at all if all good. If any of the PEM x509 files have DNS Names _and_ the notAfter date is within 20day from today, then output text alert to stdout and return non-zero exit code.
+## Install
+
+```shell
+go install git.batts.cloud/vbatts/too-soon@latest
+```
+
+## Usage
+
+with the `pem` command you run against PEM files local to the command and return code is the number of certificates that are within the range of being expired, or are already expired:
+
+```shell
+root@infra1:~/lb# too-soon pem letsencrypt/live/example.com-0002/fullchain.pem
+WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : TIME TO RENEW CERTIFICATE (already expired!)
+WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : 2022-02-01 09:51:49 +0000 UTC
+WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : [example.com]
+certificates need to be renewed
+root@infra1:~/lb# echo $?
+1
+```
+
+By default, if there are no expired certificates, then nothing is printed to stdout.
+Use the `--debug` flag to see the datetime of the certificates:
+
+```shell
+root@infra1:~/lb# too-soon -D pem letsencrypt/live/example.com-0007/fullchain.pem
+DEBU[0000] "letsencrypt/live/example.com-0007/fullchain.pem" : 2025-04-06 18:47:55 +0000 UTC
+DEBU[0000] "letsencrypt/live/example.com-0007/fullchain.pem" : [example.com]
+
+```
+
+## Combo
+
+Whether you use a cronjob or a systemd timer, you can chain this command to a daily/weekly job to check an email yourself:
+
+```shell
+too-soon pem "fullchain.pem" || mail -s "$(shell hostname): certificates expire soon" webmaster@example.com
+```
diff --git a/main.go b/main.go
index 21b9058..656f530 100644
--- a/main.go
+++ b/main.go
@@ -72,8 +72,6 @@ func fPEMCheck(ctx context.Context, cmd *cli.Command) error {
 more := true
 for more {
 block, rest := pem.Decode(buf)
- log.Debugf("%q : %s", file, block.Type)
-
 cert, err := x509.ParseCertificate(block.Bytes)
 if err != nil {
 log.Errorf("%q cert could not be parsed: %s", file, err)
@@ -97,9 +95,13 @@ func fPEMCheck(ctx context.Context, cmd *cli.Command) error {
 alertTime := cert.NotAfter.Add(hours * time.Hour)
 today := time.Now()
 if today.After(alertTime) {
- log.Warnf("%q : TIME TO RENEW CERTIFICATE (expires in less than %d days)", file, cmd.Int("days"))
- log.Infof("%q : %v", file, cert.NotAfter)
- log.Infof("%q : %v", file, cert.DNSNames)
+ if today.After(cert.NotAfter) {
+ log.Warnf("%q : TIME TO RENEW CERTIFICATE (already expired!)", file)
+ } else {
+ log.Warnf("%q : TIME TO RENEW CERTIFICATE (expires in less than %d days)", file, cmd.Int("days"))
+ }
+ log.Warnf("%q : %v", file, cert.NotAfter)
+ log.Warnf("%q : %v", file, cert.DNSNames)
 retCode++
 } else {
 log.Debugf("%q : %v", file, cert.NotAfter)
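Review bot: `x509.ParseCertificate(block.Bytes)` on the line after the removed Debugf still dereferences `block` with no nil check, and `pem.Decode` returns a nil block when the remaining input holds no PEM data, so a file that is not PEM at all, or carries trailing non-PEM bytes after its last block, panics in fPEMCheck instead of being reported; add `if block == nil { break }` between the Decode and the parse (the loop's handling of `rest` and `more` is outside the hunk, so setting `more = false` may be the right exit there). Removing the Debugf also removes the only look at `block.Type`; a PEM file may carry blocks other than CERTIFICATE (a private key, for instance), which would now surface as a misleading "cert could not be parsed" error, so consider skipping blocks where `block.Type != "CERTIFICATE"` with a Debugf naming the type. fPEMCheck starts and ends outside this hunk.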
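Review bot: The new nested `if today.After(cert.NotAfter)` only reads correctly if `hours`, computed outside the hunk, is negative so that `alertTime` falls before NotAfter, and nothing on the `alertTime :=` context line says so. A comment on that line such as `// alertTime is NotAfter shifted back by the --days window; past it, renewal is due` would make the two nested conditions self-explanatory. Computing `remaining := time.Until(cert.NotAfter)` once and testing `remaining < 0` for the expired case and `remaining < window` for the warning would express the same logic without the sign convention, though that touches the context lines rather than the added ones. fPEMCheck continues outside this hunk.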