16 comments

[ 3.1 ms ] story [ 44.1 ms ] thread
$ aws iam list-server-certificates

  [
  {
      "ServerCertificateMetadataList": [
          {
              "ServerCertificateId": "REDACTED", 
              "ServerCertificateName": "ALSO-REDACTED", 
              "Expiration": "2016-11-10T23:56:37Z", 
              "Path": "/", 
              "Arn": "MORE-REDACTION",
              "UploadDate": "2015-11-11T23:56:43Z"
          }, 
  ...
Why?
Why can't you just read any cert regardless of where it is hosted and send an alert when it is under a week? Why tie it to AWS?
No reason it can't check any hostname, but all my custom SSL certs are on CloudFront.
You're only cool if you're paying Amazon.
I run almost everything on AWS, but I don't see why this should be a checker at the AWS level when SSL certs are typically exposed for any reader. I would still run it in lambda, but I would check the cert over the public route.
"OK Google, set a reminder 1 year from now to...."

Nice write up. But a bit over kill for something that you can solve with a calendar item. ...Doesn't actually have to be on google though ;)

Sure, that's fine for an individual, but what about for a business? If the person who has an entry in his or her calendar leaves and forgets to remind someone else, what happens then?
We have a shared calendar in the business with all this stuff on and there's also a reminder that crops up in the order system (Mainly because monies are due to change hands again rather than the ssl is about to go pop)
I have at least a dozen projects, clients, side projects, personal domains, etc., each with a TLS cert. Plus at least 5 certs for work. All of them have different expirations. Some are on Let's Encrypt without auto renew at the moment, meaning they have varying expirations less than 90 days from now.

I would love just a simple iPhone app where I can list my domains and get push notices at 30 or 7 days from expiration. Maybe I should make this myself because I've yet to find one.

http://www.site24x7.com/ has a cert monitor that does exactly what you want and more. If you have 10 domains it will run you $10/month. (Although you probably also want an uptime checker, so really it's more like 5 domains on the $10/month plan.)
That's fairly easy to do in a cron job:

    TARGET="mysite.example.net"; \
    RECIPIENT="hostmaster@mysite.example.net"; \
    DAYS=7; \
    echo "checking if $TARGET expires in less than $DAYS days"; \
    expirationdate=$(date -d "$(: | openssl s_client -connect $TARGET:443 -servername $TARGET 2>/dev/null \
                                  | openssl x509 -text \
                                  | grep 'Not After' \
                                  |awk '{print $4,$5,$7}')" '+%s'); \
    in7days=$(($(date +%s) + (86400*$DAYS))); \
    if [ $in7days -gt $expirationdate ]; then \
        echo "KO - Certificate for $TARGET expires in less than $DAYS days, on $(date -d @$expirationdate '+%Y-%m-%d')" \
        | mail -s "Certificate expiration warning for $TARGET" $RECIPIENT ; \
    else \
        echo "OK - Certificate expires on $expirationdate"; \
    fi;
Thanks! When I saw the title, I new somebody on HN would come up with a few shell commands for this :-)
Nice implementation! I would like my team to get Slack notifications...
If you're already running Nagios for monitoring everything else, it's easy enough to add a service to monitor SSL certs.

  /usr/lib/nagios/plugins/check_http --ssl -C 14 -H '$HOSTADDRESS$' -I '$HOSTADDRESS$'