Created
July 17, 2012 07:39
-
-
Save sawanoboly/3127836 to your computer and use it in GitHub Desktop.
Checking expiry period of cert by ruby.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ruby | |
| # -*- coding:utf-8 -*- | |
| require 'socket' | |
| require 'openssl' | |
| require 'timeout' | |
| require 'pp' | |
| include OpenSSL | |
| timeout=15 | |
| r_host = ARGV[0] || "google.com" | |
| r_date = ARGV[1] || 30 | |
| r_port = ARGV[2] || 443 | |
| r_date_s = r_date.to_i * 60 * 60 * 24 | |
| # set SSL config | |
| ssl_conf = SSL::SSLContext.new() | |
| # ssl_conf.verify_mode=SSL::VERIFY_PEER | |
| # create ssl connection. | |
| begin | |
| timeout(timeout) { | |
| @soc = TCPSocket.new(r_host.to_s, r_port.to_i) | |
| @ssl = SSL::SSLSocket.new(@soc, ssl_conf) | |
| @ssl.connect | |
| } | |
| rescue Timeout::Error => e | |
| puts "CRITICAL - #{e.class} couldn't connext to #{r_host.to_s}:#{r_port.to_i}" | |
| exit 2 | |
| rescue => e | |
| puts "CRITICAL - #{e.class} #{e.message}" | |
| exit 2 | |
| end | |
| # check period. | |
| if (@ssl.peer_cert.not_after - Time.now) < r_date_s | |
| puts "CRITICAL - Certificate expired on #{@ssl.peer_cert.not_after}" | |
| exit 2 | |
| else | |
| puts "OK - Certificate will expire on #{@ssl.peer_cert.not_after}" | |
| end | |
| @ssl.close | |
| @soc.close |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Great, thanks for the script.
One thing, setting the SNI hostname makes it work for cases where one IP is backed by more than one domains/Certs.
Just do
@ssl.hostname = r_host.to_sright before@ssl.connect.