Automatic Check of Expiration Date of Certificates

Certificate expiration

After Heartbleed, and after generating lots of new certificates, I searched for a tool that sends me an alert when a certificate is about to expire. Basically, I need an automatic check of the expiration date of certificates. My requirements were:

  • daily checks;
  • notification by email;
  • check for certificates on internal and external network;
  • check for certificates on non-web services (imap, pop, …).

There are a couple of tools that cover part of my requirements but not one tool that did everything that I needed. So I made it myself.

Check Expiration Date of SSL certificates

ceds.py is a Python script that reads a file as input (ceds.checks) and does an SSL check on every host listed in the file. The script has a couple of inline configuration parameters.

servers_to_check = "ceds.checks"
alert_days = 5
mail_rcpt = "<>"
mail_from = "<>"
mail_server = "localhost"

  • servers_to_check : the file with the hosts to check;
  • alert_days : how many days before expiration to send an alert;
  • mail_rcpt : receiver of the alert;
  • mail_from : sender of the alert;
  • mail_server : server to use to send the alert.

The script is available on GitHub; download the raw version at https://raw.githubusercontent.com/cudeso/tools/master/ceds.py.
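
The check described above, as an added Python 3 example; it is not the code of ceds.py. The function names are hypothetical, while the `host:port` line format and the `alert_days` threshold come from this page. The parser also tolerates the trailing whitespace and `https://` prefixes that the comments on this page report as causing failures.

```python
import socket
import ssl
from datetime import datetime, timezone

ALERT_DAYS = 5  # same meaning as alert_days in the configuration above


def parse_check_line(line, default_port=443):
    """Return (host, port) for one line of the checks file, or None for a blank line."""
    entry = line.strip()                      # trailing spaces / newline
    if "://" in entry:                        # pasted URL: drop the scheme
        entry = entry.split("://", 1)[1]
    entry = entry.split("/", 1)[0]            # and any path
    if not entry:
        return None
    host, sep, port = entry.rpartition(":")
    return (host, int(port)) if sep else (entry, default_port)


def days_left(not_after, now):
    """Whole days from `now` (aware UTC datetime) to a certificate's notAfter string."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days


def fetch_not_after(host, port, timeout=10):
    """Do a verified TLS handshake and return the peer certificate's notAfter.

    An already expired or untrusted certificate makes the handshake raise
    ssl.SSLError, which check() reports as a failed check.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check(lines, now=None, fetch=fetch_not_after):
    """Return one alert string per entry that is unreachable or expires within ALERT_DAYS."""
    now = now or datetime.now(timezone.utc)
    alerts = []
    for host, port in filter(None, map(parse_check_line, lines)):
        try:
            left = days_left(fetch(host, port), now)
        except (OSError, ValueError) as exc:  # ssl.SSLError is a subclass of OSError
            alerts.append(f"{host}:{port} check failed: {exc}")
        else:
            if left <= ALERT_DAYS:
                alerts.append(f"{host}:{port} expires in {left} days")
    return alerts
```

This covers services that speak TLS from the first byte (https on 443, imaps on 993, pop3s on 995); services that upgrade with STARTTLS need the protocol's upgrade command before the handshake and are not handled here. Certificates issued by an internal CA verify only if that CA is in the trust store of the host running the check.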

Cron

Ideally you run this script from cron.

30 12   * * *   user	/home/user/tools/ceds.py  > /dev/null 2>&1

9 thoughts on “Automatic Check of Expiration Date of Certificates”

    • Koen on said:

      What is in your ceds.checks file? If you want to test for google.com you have to add www.google.com:443 and omit the http://

  1. Joe O' Shea on said:

    Receiving a mail with “Unable to connect to url …..”
    I placed a list of the urls in a file in the same folder as the script. It outputs the list of urls but says it fails to connect to them. Any suggestions?

    • Koen on said:

      *) Syntax for ‘ceds.check’ is “hostname:443” ; for example http://www.google.com:443
      *) Are you able to connect to the hostname from the host that does the check via telnet hostname 443?
      *) add “print exp_date” after the line where exp_date= ; that way you’re able to check if the connection was at least successful and another error happened

  2. Joe O' Shea on said:

    Got it sorted – empty space at the end of the urls file!!!

    It failed to catch one of the urls certs? expire in 10 days
    Is there an additional entry I should make?

    Thanks

  3. Joe O' Shea on said:

    Hi Koen,

    Thank you for your reply. Just a note to say if I add https:// to the urls it fails to run, so I’ve stripped it and it runs.

    Thanks again
