Utility script to help check a list of domains in Route53 to determine if they use HTTPs and if their certificate will expire in less than 30 days

ssl_checker.py

#! /usr/bin/env python
                                                                                 
import datetime                                                        
import socket                 
import ssl                                         

import boto3

r53 = boto3.client('route53')


AGE_THRESHOLD_WARNING = 30 #days


def get_domains():
    resp = r53.list_resource_record_sets(HostedZoneId='XXXXX')

    domains = []

    for r in resp['ResourceRecordSets']:
        domains.append(r['Name'][0:-1])

    return domains

def get_cert_expiration(domain):
    context = ssl.create_default_context()
    conn = context.wrap_socket(
        socket.socket(socket.AF_INET),
        server_hostname=domain
    )

    # import pudb; pudb.set_trace()
    conn.settimeout(3.0)

    try:
        conn.connect((domain, 443))
        ssl_info = conn.getpeercert()

        return datetime.datetime.strptime(ssl_info['notAfter'], r'%b %d %H:%M:%S %Y %Z')
    except:
        return None


if __name__ == '__main__':
    domains = get_domains()
    for d in domains:
        expiration = get_cert_expiration(d)
        if expiration == None:
            continue
            #print 'No SSL on {}'.format(d)
        elif (expiration - datetime.datetime.now()).days < AGE_THRESHOLD_WARNING:
            print 'Expiration: {} for domain: {}'.format(expiration, d)