
181 points zdw | 4 comments
jgaa No.44420924
When I received the first warning email about this, I wrote a simple library and cli to validate all my certs for me.

https://github.com/jgaa/openvalify

replies(2): >>44421021 #>>44421881 #
1. samlinnfer No.44421021
I just have a cronjob that does:

    #!/usr/bin/env bash

    # cert_check SERVER HOST PORT: ssh to SERVER, fetch the certificate its local
    # TLS listener serves for HOST (via SNI) and mail an alert if it expires soon.
    cert_check() {
        server=$1
        host=$2
        port=$3

        # -checkend 604800 prints "Certificate will not expire" only when notAfter is
        # more than 7 days away; any other output (or a failed handshake) triggers mail.
        str=$(ssh "$server" "echo | openssl s_client -servername $host -connect localhost:$port | openssl x509 -noout -checkend 604800") || true
        if ! echo "$str" | grep -q 'Certificate will not expire' ; then
            echo "$str" | ./send-email.py "Certificate \"$host\" on $server will expire in 7 days"
        fi
    }

    cert_check name myserver.com 443
replies(1): >>44421333 #
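The same kind of check written against the Python standard library, added here as an illustration rather than code from this thread or from any of its posters: it connects with SNI, verifies the chain, reads `notAfter` from the leaf certificate and applies the same 7-day threshold as `openssl x509 -checkend 604800`. A failed handshake or an already-expired certificate is reported as an alert rather than silently skipped, which is the case where a broken renewal job is usually noticed first. The host names and the date values used are constructed samples.

```python
"""Certificate expiry check over TLS using only the Python standard library (added example)."""
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

SEVEN_DAYS = 7  # same threshold as `openssl x509 -checkend 604800`


@dataclass
class CertStatus:
    host: str
    port: int
    days_left: Optional[float]  # None when no certificate could be examined at all
    alert: bool
    detail: str


def at_utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    """Small helper so callers (and tests) can build an aware UTC timestamp."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> float:
    """Days from `now` (UTC) until notAfter.

    `not_after` is the string ssl.SSLSocket.getpeercert() returns, for example
    'Jun  1 12:00:00 2026 GMT'; ssl.cert_time_to_seconds parses it as UTC.
    """
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expiry - now).total_seconds() / 86400


def classify(host: str, port: int, not_after: str,
             threshold_days: float = SEVEN_DAYS,
             now: Optional[datetime] = None) -> CertStatus:
    """Apply the threshold. As with -checkend, exactly `threshold_days` left counts as expiring."""
    days = days_until_expiry(not_after, now)
    if days <= threshold_days:
        return CertStatus(host, port, days, True,
                          f"certificate expires in {days:.1f} days (notAfter {not_after})")
    return CertStatus(host, port, days, False, f"{days:.1f} days left")


def check_host(host: str, port: int = 443,
               threshold_days: float = SEVEN_DAYS, timeout: float = 5.0) -> CertStatus:
    """Connect with SNI, verify the chain and read notAfter from the leaf certificate.

    Every failure path is an alert: an expired leaf shows up here as a verification
    error, not as a near-expiry date, so it must not be treated as "nothing to report".
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:  # subclass of SSLError, so catch it first
        return CertStatus(host, port, None, True, f"verification failed: {exc.verify_message}")
    except (ssl.SSLError, OSError) as exc:
        return CertStatus(host, port, None, True, f"connection failed: {exc}")
    return classify(host, port, not_after, threshold_days)


if __name__ == "__main__":
    # Constructed sample target; replace with the hosts you actually operate.
    for target in (("example.com", 443),):
        status = check_host(*target)
        print("ALERT" if status.alert else "ok", target, status.detail)
```

Run it from cron the same way as the shell version and mail whatever comes back with `alert` set; because `classify` is separated from the network code, the threshold logic can be unit-tested without a live listener.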
2. masklinn No.44421333
If you’re automating the check why not automate the renewal directly?
replies(2): >>44421343 #>>44421453 #
3. detaro No.44421343
who says they don't have the renewal automated?
4. jeroenhd No.44421453
I've missed expired certificates because of a configuration issue that broke the certbot automation. Granted, I could've read the certbot journalctl output, but 99.9% of the time that's a waste of time. Not like there was anything mission-critical on there.