Automatic Check of Expiration Date of Certificates

Certificate expiration

After Heartbleed, and after generating lots of new certificates, I searched for a tool that sends me an alert when a certificate is about to expire. Basically I need an automatic check of the expiration date of certificates. My requirements were:

  • daily checks;
  • notification by email;
  • check for certificates on internal and external network;
  • check for certificates on non-web services (IMAP, POP, …).

There are a couple of tools that cover part of my requirements but not one tool that did everything that I needed. So I made it myself.

Check Expiration Date of SSL certificates

ceds.py is a Python script that reads a file as input (ceds.checks) and does an SSL check on every host listed in the file. The script has a couple of inline configuration parameters.

servers_to_check = "ceds.checks"
alert_days = 5
mail_rcpt = "<>"
mail_from = "<>"
mail_server = "localhost"

  • servers_to_check : the file with the hosts to check;
  • alert_days : how many days before expiration to send an alert;
  • mail_rcpt : receiver of the alert;
  • mail_from : sender of the alert;
  • mail_server : server to use to send the alert.

The script is available on GitHub; download the raw version at https://raw.githubusercontent.com/cudeso/tools/master/ceds.py.
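
The input handling around such a check, as an added example that is not taken from ceds.py: it normalises one ceds.checks line (trailing whitespace, a pasted https:// prefix, a missing port) and parses the notAfter value that pyOpenSSL's get_notAfter() returns as bytes on Python 3. The function names, the '#' comment convention and the sample hosts and dates are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

ALERT_DAYS = 5  # same meaning as alert_days in the script's configuration


def parse_target(line, default_port=443):
    """Turn one ceds.checks-style line into (host, port), or None to skip it."""
    entry = line.strip()                      # trailing blanks / CRLF break lookups
    if not entry or entry.startswith("#"):    # assumption: '#' marks a comment
        return None
    if "://" in entry:                        # tolerate a pasted URL scheme
        entry = entry.split("://", 1)[1]
    entry = entry.split("/", 1)[0]            # drop any path after the host
    host, sep, port = entry.rpartition(":")
    if not sep:                               # no port given
        return entry, default_port
    return host, int(port)


def parse_not_after(value):
    """Parse an ASN.1 time such as b'20250601120000Z' (bytes on Python 3)."""
    if isinstance(value, bytes):
        value = value.decode("ascii")         # strptime() only accepts str
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def days_left(not_after, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def needs_alert(not_after, now=None, alert_days=ALERT_DAYS):
    return days_left(not_after, now) <= alert_days


if __name__ == "__main__":
    # Constructed sample input: messy lines and a made-up notAfter value.
    lines = ["www.example.com:443  \n", "https://mail.example.com:993/\n", "\n"]
    now = datetime(2025, 5, 22, 12, 0, tzinfo=timezone.utc)
    expiry = parse_not_after(b"20250601120000Z")
    for target in filter(None, map(parse_target, lines)):
        print(target, days_left(expiry, now), needs_alert(expiry, now))
```

With the default threshold of 5 days, a certificate that expires in 10 days does not trigger an alert; raise alert_days to be warned earlier.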

Cron

Ideally you run this script from cron.

30 12   * * *   user	/home/user/tools/ceds.py  > /dev/null 2>&1

17 thoughts on “Automatic Check of Expiration Date of Certificates”

    • Koen said:

      What is in your ceds.checks file? If you want to test for google.com you have to add www.google.com:443 and omit the http://

  1. Joe O' Shea said:

    Receiving a mail with “Unable to connect to url …..
    I placed a list of the URLs in a file in the same folder as the script. It outputs the list of URLs but says it fails to connect to them. Any suggestions?

    • Koen said:

      *) Syntax for ‘ceds.check’ is “hostname:443” ; for example http://www.google.com:443
      *) Are you able to connect to the hostname from the host that does the check via telnet hostname 443?
      *) add “print exp_date” after the line where exp_date= ; that way you’re able to check if connection was at least successful and another error happened

  2. Joe O' Shea said:

    Got it sorted – empty space at the end of the urls file!!!

    It failed to catch one of the urls certs? expire in 10 days
    Is there an additional entry I should make?

    Thanks

  3. Joe O' Shea said:

    Hi Koen,

    Thank you for your reply. Just a note to say if I add https:// to the URLs it fails to run, so I’ve it stripped and it runs.

    Thanks again

  4. alaoui ismaili said:

    Hi

    Thanks Koen for your post,
    I have tested your script to check some certificates for our sites. The problem is, I got the same expiry days (691) for all URLs that I have put in the file!!!

    • Koen said:

      Hello Alaoui,

      Unfortunately, I have no idea what could have caused this problem.

      Are these public certificates? If so provide me the link to one so that I can check. If you manually check, what is the expiration date?

      You can also print the value “exp_date” which is fetched via get_peer_cert.get_notAfter() and check what’s in it manually.

      kr,

      koen

  5. Does this script still work? During use I get the following error message:

    ./ceds.py

    Traceback (most recent call last):
    File “./ceds.py”, line 14, in
    from OpenSSL import SSL
    ImportError: No module named OpenSSL

  6. Reena said:

    Hi,
    I get unable to connect url email.
    And get this error on the shell when I use print(exp_date) :
    TypeError: strptime() argument 1 must be str, not bytes
