# too-soon

Alert on upcoming expirations, such as the certificates for my domain expiring too soon. The default threshold is expiration within 20 days.

## initial functionality

Arguments passed to the tool are PEM encoded x509 files.
No output at all if all good.
If any of the PEM x509 files have DNS Names _and_ the notAfter date is within 20 days from today, then output a text alert to stdout and return a non-zero exit code.

## Install

```shell
go install git.batts.cloud/vbatts/too-soon@latest
```

## Usage

The `pem` command checks PEM files on the local filesystem. The return code is the number of certificates that are within the range of being expired, or are already expired:

```shell
root@infra1:~/lb# too-soon pem letsencrypt/live/example.com-0002/fullchain.pem
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : TIME TO RENEW CERTIFICATE (already expired!)
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : 2022-02-01 09:51:49 +0000 UTC
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : [example.com]
certificates need to be renewed
root@infra1:~/lb# echo $?
1
```

By default, if there are no expired certificates, then nothing is printed to stdout.
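The check that the `pem` command is described as doing (count certificates that have DNS names and a notAfter inside the window), written out as an added Go example. It is not too-soon's own source; `checkPEM` and `selfSigned` are hypothetical names, and the sample certificates are constructed in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkPEM (hypothetical) counts certs with DNS names whose notAfter is within window of now, or past.
func checkPEM(data []byte, now time.Time, window time.Duration) (int, error) {
	soon := 0
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // e.g. a private key stored in the same file
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return soon, err
		}
		// No DNS names (typically a CA certificate in the chain): skipped.
		if len(cert.DNSNames) > 0 && !cert.NotAfter.After(now.Add(window)) {
			soon++
		}
	}
	return soon, nil
}

// selfSigned builds a constructed sample certificate in PEM form for the demo.
func selfSigned(dnsNames []string, notAfter time.Time) []byte {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed"},
		NotBefore: notAfter.Add(-90 * 24 * time.Hour), NotAfter: notAfter, DNSNames: dnsNames}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now, day := time.Now(), 24*time.Hour
	chain := append(selfSigned([]string{"example.com"}, now.Add(10*day)), selfSigned(nil, now.Add(-day))...)
	n, err := checkPEM(chain, now, 20*day)
	fmt.Println("certificates needing renewal:", n, "error:", err)
}
```

Passing the count on as the process exit code gives the behaviour the README describes for `too-soon pem`.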
Use the `--debug` flag to see the datetime of the certificates:

```shell
root@infra1:~/lb# too-soon -D pem letsencrypt/live/example.com-0007/fullchain.pem
DEBU[0000] "letsencrypt/live/example.com-0007/fullchain.pem" : 2025-04-06 18:47:55 +0000 UTC
DEBU[0000] "letsencrypt/live/example.com-0007/fullchain.pem" : [example.com]
```

Likewise, you can check the expiration of a remote host with the `remote` command:

```shell
vbatts@jungle:~$ too-soon -D remote example.com
DEBU[0000] server: example.com
DEBU[0000] version: 772
DEBU[0000] -- cert serial: 498c7524e0cbd9f3fba887d6b7bba9dacac
DEBU[0000] "example.com:443"(498c7524e0cbd9f3fba887d6b7bba9dacac) : 2025-04-06 18:47:55 +0000 UTC
DEBU[0000] "example.com:443"(498c7524e0cbd9f3fba887d6b7bba9dacac) : [example.com]
DEBU[0000] -- cert serial: 838f6c63ceb1398c6206628315c9fdde
DEBU[0000] -- cert: skipping as there are no DNS names
DEBU[0000] -- cert serial: 498c7524e0cbd9f3fba887d6b7bba9dacac
DEBU[0000] "example.com:443"(498c7524e0cbd9f3fba887d6b7bba9dacac) : 2025-04-06 18:47:55 +0000 UTC
DEBU[0000] "example.com:443"(498c7524e0cbd9f3fba887d6b7bba9dacac) : [example.com]
```

## Combo

Whether you use a cronjob or a systemd timer, you can chain this command in a daily/weekly job to check and email yourself:

```shell
# $(hostname) is shell command substitution; $(shell hostname) is Makefile syntax
too-soon pem "fullchain.pem" || mail -s "$(hostname): certificates expire soon" webmaster@example.com
```

## `systemd` units

Copy the `too-soon-remote@.service` and `too-soon-remote@.timer` to `/etc/systemd/system/` after making sure the path to the `too-soon` binary is correct (preset as `/usr/local/bin/too-soon`).
Then `systemctl enable --now too-soon-remote@example.com.timer`.