alert on upcoming expirations
Vincent Batts 9b8dbd620c
README: install and usage
Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>
2025-02-17 15:29:10 -05:00
go.mod main: switch from 'flag' to 'github.com/urfave/cli' 2025-02-17 15:02:17 -05:00
LICENSE Initial commit 2025-02-15 17:17:26 +00:00
main.go README: install and usage 2025-02-17 15:29:10 -05:00
README.md README: install and usage 2025-02-17 15:29:10 -05:00

too-soon

Alert on upcoming expirations, like certificates for my domain expiring too soon.

Default is expiration within 20 days.

initial functionality

Arguments passed to the tool are PEM-encoded x509 files. If all is good, there is no output at all. If any of the PEM x509 files have DNS names and a notAfter date within 20 days of today, the tool writes a text alert to stdout and returns a non-zero exit code.
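The rule described above, sketched in Go as an added example (this is not the project's main.go): `countExpiring` and `sampleCert` are hypothetical names, and the certificates are constructed in memory instead of being read from disk.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// countExpiring walks every CERTIFICATE block in a PEM bundle and counts those
// that carry DNS names and whose NotAfter falls before now+window (already
// expired ones included). Certificates without DNS names are skipped.
func countExpiring(bundle []byte, now time.Time, window time.Duration) (int, error) {
	n := 0
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue // private keys and other PEM types are not certificates
		}
		cert, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return n, err
		}
		if len(cert.DNSNames) > 0 && cert.NotAfter.Before(now.Add(window)) {
			n++
		}
	}
	return n, nil
}

// sampleCert builds a constructed, self-signed test certificate as PEM.
func sampleCert(dns []string, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: dns,
		Subject:   pkix.Name{CommonName: "constructed"},
		NotBefore: notAfter.Add(-90 * 24 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now, day := time.Now(), 24*time.Hour
	bundle := append(sampleCert([]string{"example.com"}, now.Add(5*day)), sampleCert(nil, now.Add(5*day))...)
	n, err := countExpiring(bundle, now, 20*day)
	fmt.Println(n, err) // one certificate with DNS names is inside the 20-day window
}
```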

Install

go install git.batts.cloud/vbatts/too-soon@latest

Usage

With the pem command, you run the tool against PEM files local to the command. The return code is the number of certificates that are within the range of being expired, or are already expired:

root@infra1:~/lb# too-soon pem letsencrypt/live/example.com-0002/fullchain.pem
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : TIME TO RENEW CERTIFICATE (already expired!) 
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : 2022-02-01 09:51:49 +0000 UTC 
WARN[0000] "letsencrypt/live/example.com-0002/fullchain.pem" : [example.com] 
certificates need to be renewed
root@infra1:~/lb# echo $?
1

By default, if there are no expired certificates, then nothing is printed to stdout. Use the --debug flag to see the datetime of the certificates:

root@infra1:~/lb# too-soon -D pem letsencrypt/live/example.com-0007/fullchain.pem
DEBU[0000] "letsencrypt/live/example.com-0007/fullchain.pem" : 2025-04-06 18:47:55 +0000 UTC
DEBU[0000] "letsencrypt/live/example.com-0007/fullchain.pem" : [example.com]

Combo

Whether you use a cron job or a systemd timer, you can chain this command into a daily or weekly job to check and email yourself:

too-soon pem "fullchain.pem" || mail -s "$(hostname): certificates expire soon" webmaster@example.com