Tool for checking SSL certificate expiration dates

README.md

SSL certificate expiration checker

Useful for Icinga or other alert tool. Checks certificates from service, not file. This detects cases where certificate is renewed but not updated.

Public domain.

HTTPS

Checks if HTTPS (port 443) certificate is valid. Limits are: warning 14 days, critical 7 days. Returns the expiration time and return value is 0, 1, or 2 for OK, WARNING, and CRITICAL, respectively.

./ssl_get_expiration ssl localhost:443 '14 days' '7 days'

SMTP

The same as above, but for SMTP with STARTTLS and checking validity for a month warning level and 1 day for critical:

./ssl_get_expiration smtp localhost:smtp '1 month' '1 day'

ssl_get_expiration

#!/bin/sh -eu                                                                                                                               

if test $# -ne 4; then
    echo "Usage $0 ssl|smtp|pop3|imap|ftp|xmpp|xmpp-server|irc HOSTNAME:PORT REF_WARNING REF_CRITICAL"
    exit 1
fi

if test "$1" = ssl; then
    extra=''
else
    extra="-starttls $1"
fi

exp_raw=`echo | openssl s_client $extra -connect "$2" 2>/dev/null | openssl x509 -text -noout| sed -nre 's/\s*Not After\s*:\s*(.*)/\1/p'`
exp_date=`date -Iminutes -d "$exp_raw"`
warn_date=`date -Iminutes -d "$3"`
crit_date=`date -Iminutes -d "$4"`
echo $exp_date
test $crit_date '<' $exp_date || exit 2
test $warn_date '<' $exp_date || exit 1