# too-soon

Alert on upcoming expirations,
for example when the certificates for my domain expire too soon.

Default is expiration within 20 days.

## initial functionality

Arguments passed to the tool are PEM encoded x509 files.
No output at all if all good.
If any of the PEM x509 files have DNS Names _and_ the notAfter date is within 20 days of today, then a text alert is output to stdout and a non-zero exit code is returned.

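The check described above, written out as an added Go example; it is not too-soon's own source. The function names, the `day` constant and the self-signed sample certificate are constructed for illustration, and any non-certificate PEM block is assumed to be an error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

const day = 24 * time.Hour

// expiringSoon returns every certificate in pemData that has DNS names and a
// notAfter earlier than now+window; already-expired certificates match too.
func expiringSoon(pemData []byte, now time.Time, window time.Duration) ([]*x509.Certificate, error) {
	var hits []*x509.Certificate
	for block, rest := pem.Decode(pemData); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if len(cert.DNSNames) > 0 && cert.NotAfter.Before(now.Add(window)) {
			hits = append(hits, cert)
		}
	}
	return hits, nil
}

// sampleCert builds a constructed, self-signed certificate (sample data only).
func sampleCert(names []string, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: names,
		Subject: pkix.Name{CommonName: "constructed"}, NotBefore: notAfter.Add(-90 * day), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	hits, err := expiringSoon(sampleCert([]string{"example.com"}, time.Now().Add(5*day)), time.Now(), 20*day)
	fmt.Println(len(hits), "certificate(s) need to be renewed, error:", err)
	os.Exit(len(hits))
}
```

Because certificates without DNS names are skipped, a CA certificate bundled into a chain file does not raise an alert in this sketch.
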
## Install

```shell
go install git.batts.cloud/vbatts/too-soon@latest
```

## Usage

With the `pem` command, you check PEM files local to the machine. The return code is the number of certificates that are within the expiration window or already expired:

```shell
root@infra1:~/lb# too-soon pem letsencrypt/live/example.com-0002/fullchain.pem
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : TIME TO RENEW CERTIFICATE (already expired!)
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : 2022-02-01 09:51:49 +0000 UTC
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : [example.com]
certificates need to be renewed
root@infra1:~/lb# echo $?
1
```

By default, if no certificates are expired or about to expire, nothing is printed to stdout.
Use the `--debug` flag (`-D` in the example below) to see the datetime of the certificates:

```shell
root@infra1:~/lb# too-soon -D pem letsencrypt/live/example.com-0007/fullchain.pem
DEBU[0000] "letsencrypt/live/example.com-0007/fullchain.pem" : 2025-04-06 18:47:55 +0000 UTC
DEBU[0000] "letsencrypt/live/example.com-0007/fullchain.pem" : [example.com]
```

## Combo

Whether you use a cronjob or a systemd timer, you can chain this command in a daily or weekly job to check and email yourself:

```shell
# mail is only invoked when too-soon exits non-zero (a certificate needs renewal)
too-soon pem "fullchain.pem" || mail -s "$(hostname): certificates expire soon" webmaster@example.com
```