(letsencrypt.org)

181 points zdw | 1 comments | 30 Jun 25 04:49 UTC | HN request time: 0.336s | source

Show context

jgaa ◴[30 Jun 25 08:45 UTC] No.44420924[source]▶

>>44419496 (OP) #

When I received the first warning email about this, I wrote a simple library and cli to validate all my certs for me.

https://github.com/jgaa/openvalify

replies(2): >>44421021 #>>44421881 #

samlinnfer ◴[30 Jun 25 08:59 UTC] No.44421021[source]▶

>>44420924 #

I just have a cronjob that does:

    #!/usr/bin/env bash

    cert_check() {
        server=$1
        host=$2
        port=$3

        str=`ssh "$server" "echo | openssl s_client -servername $host -connect localhost:$port | openssl x509 -noout -checkend 604800"` || true
        if ! echo "$str" | grep -q 'Certificate will not expire' ; then
            echo "$str" | ./send-email.py "Certificate \"$host\" on $server will expire in 7 days" \
        fi
    }

    cert_check name myserver.com 443

replies(1): >>44421333 #

masklinn ◴[30 Jun 25 09:50 UTC] No.44421333[source]▶

>>44421021 #

If you’re automating the check why not automate the renewal directly?

replies(2): >>44421343 #>>44421453 #

1. jeroenhd ◴[30 Jun 25 10:09 UTC] No.44421453[source]▶

>>44421333 #

I've missed expired certificates because of a configuration issue that broke the certbot automation. Granted, I could've read the certbot journalctl output, but 99.9% of the time that's a waste of time. Not like there was anything mission-critical on there.

↑

LetsEncrypt – Expiration Notification Service Has Ended