# too-soon

alert on upcoming expirations.
like, certificates for my domain expire too soon.

Default is expiration within 20 days.

## inital functionality

Arguments passed to the tool are PEM encoded x509 files.
No output at all if all good.
If any of the PEM x509 files have DNS Names _and_ the notAfter date is within 20day from today, then output text alert to stdout and return non-zero exit code.

## Install

```shell
go install git.batts.cloud/vbatts/too-soon@latest
```

## Usage

with the `pem` command you run against PEM files local to the command and return code is the number of certificates that are within the range of being expired, or are already expired:

```shell
root@infra1:~/lb# too-soon pem letsencrypt/live/example.com-0002/fullchain.pem
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : TIME TO RENEW CERTIFICATE (already expired!) 
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : 2022-02-01 09:51:49 +0000 UTC 
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : [example.com] 
certificates need to be renewed
root@infra1:~/lb# echo $?
1
```

By default, if there are no expired certificates, then nothing is printed to stdout.
Use the `--debug` flag to see the datetime of the certificates:

```shell
root@infra1:~/lb# too-soon -D pem letsencrypt/live/example.com-0007/fullchain.pem
DEBU[0000] "letsencrypt/live/example.com-0007/fullchain.pem" : 2025-04-06 18:47:55 +0000 UTC
DEBU[0000] "letsencrypt/live/example.com-0007/fullchain.pem" : [example.com]

```

## Combo

Whether you use a cronjob or a systemd timer, you can chain this command to a daily/weekly job to check an email yourself:

```shell
too-soon pem "fullchain.pem" || mail -s "$(shell hostname): certificates expire soon" webmaster@example.com
```