Here is a little anecdote about bringing old source code using OpenSSL to recent versions…
A few years ago I already covered how to check the expiry date of an SSL certificate using OpenSSL. When the recent global outage of Windows Azure was caused by an expired SSL certificate, this got me thinking about the topic once again.
In my previous post, I presented a mechanism to check the remaining lifetime of an SSL certificate using the PEM certificate file locally on disk. In the recent Azure case, however, customers were dependent on Microsoft taking action and had no access to the actual file. So there might be a need to check the remote certificates of services you use, e.g. your off-site backup provider. As you want to ensure you can always use this service, why not check it for expiring certificates once in a while? Maybe it is your notification to the sysadmins that saves you and all other customers from being locked out.
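Checking a remote endpoint the way this paragraph describes, as an added example (this is not the post's own ssl-cert-check script): the leaf certificate is fetched with openssl s_client and then run through the same openssl x509 -checkend test that the local-file check uses. Function and variable names, the SNI handling and the exit codes are my assumptions; the script assumes the openssl command line tool is installed and that the host and port are reachable.

```bash
#!/bin/bash
# Added example, not the post's script: expiry check for a certificate served
# by a remote TLS endpoint. Names, exit codes and SNI handling are assumptions.

DAYS="${DAYS:-30}"   # warning window in days, overridable from the environment

# fetch_remote_cert HOST [PORT]
# Prints the leaf certificate presented by HOST:PORT in PEM form.
# -servername sends SNI so that virtual hosts return the right certificate.
fetch_remote_cert() {
    host="$1"
    port="${2:-443}"
    openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# pem_expires_within PEM_FILE DAYS
# Returns 0 if the certificate in PEM_FILE expires within DAYS days (or has
# already expired), 1 if it stays valid beyond that window.
# openssl x509 -checkend exits 0 when the certificate will NOT have expired
# by then, so the status is inverted here to read naturally in an "if".
pem_expires_within() {
    file="$1"
    days="$2"
    if openssl x509 -checkend $(( 86400 * days )) -in "$file" -noout >/dev/null 2>&1; then
        return 1
    else
        return 0
    fi
}

# check_remote HOST [PORT]
# Warns in the same style as the cronjob script. Exit codes (assumed):
#   0 = certificate valid beyond $DAYS days
#   1 = certificate expires within $DAYS days
#   2 = certificate could not be fetched
check_remote() {
    host="$1"
    port="${2:-443}"
    tmp="$(mktemp)" || return 2
    if ! fetch_remote_cert "$host" "$port" > "$tmp"; then
        echo "==> Could not fetch certificate from ${host}:${port}" >&2
        rm -f "$tmp"
        return 2
    fi
    if pem_expires_within "$tmp" "$DAYS"; then
        echo "==> Certificate of ${host}:${port} is about to expire soon:"
        openssl x509 -enddate -in "$tmp" -noout
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
    return 0
}

# Usage (after sourcing this file):  DAYS=30 check_remote backup.example.net 443
```

Because the functions return distinct exit codes, a cron entry can use the same MAILTO pattern as the local script, and a failed fetch (exit 2) is reported separately from an expiring certificate (exit 1), which matters when the remote service is down rather than misconfigured.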
Here is the updated script ssl-cert-check that now not only handles x509 certificate files, but also remote addresses in various forms and protocols. For simplicity, here are the usage instructions from inside this script:
Once again I missed the expiry date of one of the SSL certificates on my server. Therefore I am now using a cronjob to warn me early enough that a certificate is about to expire.
This is the script /usr/local/bin/ssl-cert-check which checks the expiry date of the certificate files passed as arguments:
#!/bin/bash
# Warn about certificates that expire within this many days
DAYS=30
for file in "$@"; do
    # -checkend exits non-zero if the certificate expires within the given seconds
    openssl x509 -checkend $(( 86400 * $DAYS )) -in "$file" > /dev/null
    if [ $? != 0 ]; then
        echo "==> Certificate $file is about to expire soon:"
        openssl x509 -enddate -in "$file" -noout
    fi
done
And the corresponding cronjob entry checking SSL certificates once a day:
MAILTO=root
6 6 * * * nobody /usr/local/bin/ssl-cert-check /etc/apache2/ssl/*.crt /etc/ssl/certs/dovecot.pem