
181 points zdw | 6 comments
1. jgaa No.44420924
When I received the first warning email about this, I wrote a simple library and CLI to validate all my certs for me.

https://github.com/jgaa/openvalify

replies(2): >>44421021 >>44421881
2. samlinnfer No.44421021
I just have a cronjob that does:

    #!/usr/bin/env bash

    # cert_check SERVER HOST PORT: over ssh, pull the certificate that SERVER
    # actually serves for HOST on PORT and mail a warning if it expires within
    # 7 days (604800 seconds).
    cert_check() {
        server=$1
        host=$2
        port=$3

        # -servername sets the SNI name, -connect targets the local listener on
        # the remote box. -checkend exits non-zero when the cert will expire,
        # so "|| true" keeps that from failing the assignment; the printed
        # "Certificate will (not) expire" line is what gets tested below.
        str=$(ssh "$server" "echo | openssl s_client -servername $host -connect localhost:$port | openssl x509 -noout -checkend 604800") || true
        if ! echo "$str" | grep -q 'Certificate will not expire' ; then
            echo "$str" | ./send-email.py "Certificate \"$host\" on $server will expire in 7 days"
        fi
    }

    cert_check name myserver.com 443
replies(1): >>44421333
3. masklinn No.44421333
If you’re automating the check, why not automate the renewal directly?
replies(2): >>44421343 >>44421453
4. detaro No.44421343
Who says they don't have the renewal automated?
5. jeroenhd No.44421453
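A fuller version of the same check, written for this page as an added example rather than taken from the thread or from openvalify: it handshakes with the server, reads the chain the server actually presents (so a certificate that was renewed on disk but never reloaded is still caught), and flags every element of that chain, intermediates included, that falls inside the expiry window. The function names, the loopback server and the self-signed certificate are this example's own constructions; for real use, point FetchChain at the real host:port and SNI name.

```go
// Added example, not the script from the thread or any linked tool: handshake
// with a server, read the chain it actually presents, flag what is expiring.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// ExpiryReport describes one certificate in the served chain.
type ExpiryReport struct {
	Subject  string
	NotAfter time.Time
	DaysLeft int  // whole days until NotAfter; negative once expired
	Expiring bool // NotAfter is within threshold of now, or already past
}

// CheckChain evaluates every certificate given, leaf and intermediates alike:
// an expiring intermediate breaks clients just as surely as an expiring leaf.
func CheckChain(now time.Time, threshold time.Duration, chain ...*x509.Certificate) []ExpiryReport {
	var out []ExpiryReport
	for _, c := range chain {
		left := c.NotAfter.Sub(now)
		out = append(out, ExpiryReport{c.Subject.CommonName, c.NotAfter, int(left.Hours() / 24), left < threshold})
	}
	return out
}

// FetchChain handshakes with addr (host:port) using serverName for SNI and returns
// the chain the server presented. Verification is disabled on purpose so an already
// expired certificate is reported rather than turned into a handshake error.
func FetchChain(addr, serverName string, timeout time.Duration) ([]*x509.Certificate, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", addr,
		&tls.Config{ServerName: serverName, InsecureSkipVerify: true}) // monitoring only, never for real traffic
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned builds a throwaway certificate expiring at notAfter (constructed test data).
func selfSigned(cn string, notAfter time.Time) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serveLoopback stands in for the monitored server: it serves cert on 127.0.0.1
// and completes one handshake per connection.
func serveLoopback(cert tls.Certificate) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	check(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { _ = c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln
}

func main() {
	// Demo: loopback server whose certificate expires in 3 days, checked with a 7-day
	// window. Real use: FetchChain("myserver.com:443", "myserver.com", 10*time.Second).
	ln := serveLoopback(selfSigned("localhost", time.Now().Add(3*24*time.Hour)))
	defer ln.Close()
	chain, err := FetchChain(ln.Addr().String(), "localhost", 10*time.Second)
	check(err)
	alert := false
	for _, r := range CheckChain(time.Now(), 7*24*time.Hour, chain...) {
		fmt.Printf("%s notAfter=%s daysLeft=%d expiring=%v\n", r.Subject, r.NotAfter.Format(time.RFC3339), r.DaysLeft, r.Expiring)
		alert = alert || r.Expiring
	}
	if alert {
		os.Exit(2) // non-zero exit so cron mails the report
	}
}
```

Run it from cron as `go run check.go` (or a compiled binary); exit code 2 means something is inside the window, so cron's mail-on-output behaviour is the alert. InsecureSkipVerify is there only so an expired or misconfigured certificate comes back as a report instead of a handshake failure; it must not be copied into code that carries real traffic.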
I've missed expired certificates because of a configuration issue that broke the certbot automation. Granted, I could've read the certbot journalctl output, but 99.9% of the time that's a waste of time. Not like there was anything mission-critical on there.
6. throw0101b No.44421881
> https://github.com/jgaa/openvalify

I don't begrudge people writing a tool to learn, but it should be noted that this wheel has already been invented:

* https://github.com/matteocorti/check_ssl_cert

* https://exchange.nagios.org/directory/Plugins/Security/check...

* https://github.com/narbehaj/ssl-checker

* https://github.com/Matty9191/ssl-cert-check