CI test for SSL certificate expiration

test_certs.rb

#!/usr/bin/env ruby
#
# Checks each server's certificate, and fails (exit 1) if it is etiher
# unreachable, or the certificate expires within 7 days.

require 'time'

min_days_left = 7
servers = [
  "one.example.com",
  "two.example.com",
]

$errors = []

puts "SSL certificate expiration check:"

servers.each { |server|
  cmd = "echo | openssl s_client -servername #{ server } -connect #{ server }:443 2>/dev/null | openssl x509 -noout -dates"
  result = `#{ cmd }`
  if (result.match(/notBefore=(.*)/)) then
    notBefore = Time.parse($1)
    if (Time.now.to_i < notBefore.to_i) then
      $errors.push("SSL ERROR: #{ server } cert is not yet valid!")
    end
  end
  if (result.match(/notAfter=(.*)/)) then
    notAfter = Time.parse($1)
    puts " - #{ server } - #{ notAfter.to_s }"
    if (Time.now.to_i > notAfter.to_i) then
      $errors.push("SSL ERROR: #{ server } cert is EXPIRED !!!")
    elsif (Time.now.to_i > notAfter.to_i - min_days_left*24*3600) then
      $errors.push("SSL WARNING: #{ server } cert is expiring in less than #{ min_days_left } days: #{ notAfter.to_s } !!!")
    end
  else
    $errors.push("SSL ERROR: #{ server } no response or unknown failure")
  end
}

if ($errors.length>0) then
  puts ""
  puts " = = = = SSL ERRORS = = = = = = = = = = = = = = = = = ="
  puts $errors.join("\n")
  puts " = = = = = = = = = = = = = = = = = = = = = = = = = = ="
  exit 1
else
  exit 0
end