README: install and usage

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
Vincent Batts 2025-02-17 15:29:10 -05:00
parent 428c8b35b2
commit 9b8dbd620c
Signed by: vbatts
GPG key ID: E30EFAA812C6E5ED
2 changed files with 44 additions and 5 deletions


@ -11,3 +11,40 @@ Arguments passed to the tool are PEM encoded x509 files.
No output at all if all good. No output at all if all good.
If any of the PEM x509 files have DNS Names _and_ the notAfter date is within 20day from today, then output text alert to stdout and return non-zero exit code. If any of the PEM x509 files have DNS Names _and_ the notAfter date is within 20day from today, then output text alert to stdout and return non-zero exit code.
## Install
```shell
go install git.batts.cloud/vbatts/too-soon@latest
```
## Usage
with the `pem` command you run against PEM files local to the command and return code is the number of certificates that are within the range of being expired, or are already expired:
```shell
root@infra1:~/lb# too-soon pem letsencrypt/live/example.com-0002/fullchain.pem
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : TIME TO RENEW CERTIFICATE (already expired!)
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : 2022-02-01 09:51:49 +0000 UTC
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : [example.com]
certificates need to be renewed
root@infra1:~/lb# echo $?
1
```
By default, if there are no expired certificates, then nothing is printed to stdout.
Use the `--debug` flag to see the datetime of the certificates:
```shell
root@infra1:~/lb# too-soon -D pem letsencrypt/live/example.com-0007/fullchain.pem
DEBU[0000] "letsencrypt/live/example.com-0007/fullchain.pem" : 2025-04-06 18:47:55 +0000 UTC
DEBU[0000] "letsencrypt/live/example.com-0007/fullchain.pem" : [example.com]
```
## Combo
Whether you use a cronjob or a systemd timer, you can chain this command to a daily/weekly job to check an email yourself:
```shell
too-soon pem "fullchain.pem" || mail -s "$(shell hostname): certificates expire soon" webmaster@example.com
```

12
main.go

@ -72,8 +72,6 @@ func fPEMCheck(ctx context.Context, cmd *cli.Command) error {
more := true more := true
for more { for more {
block, rest := pem.Decode(buf) block, rest := pem.Decode(buf)
log.Debugf("%q : %s", file, block.Type)
cert, err := x509.ParseCertificate(block.Bytes) cert, err := x509.ParseCertificate(block.Bytes)
if err != nil { if err != nil {
log.Errorf("%q cert could not be parsed: %s", file, err) log.Errorf("%q cert could not be parsed: %s", file, err)
@ -97,9 +95,13 @@ func fPEMCheck(ctx context.Context, cmd *cli.Command) error {
alertTime := cert.NotAfter.Add(hours * time.Hour) alertTime := cert.NotAfter.Add(hours * time.Hour)
today := time.Now() today := time.Now()
if today.After(alertTime) { if today.After(alertTime) {
log.Warnf("%q : TIME TO RENEW CERTIFICATE (expires in less than %d days)", file, cmd.Int("days")) if today.After(cert.NotAfter) {
log.Infof("%q : %v", file, cert.NotAfter) log.Warnf("%q : TIME TO RENEW CERTIFICATE (already expired!)", file)
log.Infof("%q : %v", file, cert.DNSNames) } else {
log.Warnf("%q : TIME TO RENEW CERTIFICATE (expires in less than %d days)", file, cmd.Int("days"))
}
log.Warnf("%q : %v", file, cert.NotAfter)
log.Warnf("%q : %v", file, cert.DNSNames)
retCode++ retCode++
} else { } else {
log.Debugf("%q : %v", file, cert.NotAfter) log.Debugf("%q : %v", file, cert.NotAfter)
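Review bot: In the first main.go hunk, `block.Bytes` is still read right after `pem.Decode(buf)` with no nil check. `pem.Decode` returns a nil block when the remaining input holds no PEM data, so an empty file, a non-PEM file, or trailing non-PEM bytes would panic here instead of producing a report. Removing the `log.Debugf` on `block.Type` dropped one such dereference, but the one in the `x509.ParseCertificate` call remains. A guard before the parse, such as `if block == nil { log.Errorf("%q : no PEM block found", file); retCode++; break }`, would stop the crash and count an unreadable file as a failure rather than a silent pass. It may also be worth skipping blocks whose `block.Type` is not `CERTIFICATE`; the loop body continues outside the hunk, so how `more` and `rest` end the loop is not visible here.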