Bash SSL Certificate Expiration Check

check-certs.sh

#!/bin/bash
TARGET="mysite.example.net"; 
RECIPIENT="[email protected]";
DAYS=7;
echo "checking if $TARGET expires in less than $DAYS days";
expirationdate=$(date -d "$(: | openssl s_client -connect $TARGET:443 -servername $TARGET 2>/dev/null \
                              | openssl x509 -text \
                              | grep 'Not After' \
                              |awk '{print $4,$5,$7}')" '+%s'); 
in7days=$(($(date +%s) + (86400*$DAYS)));
if [ $in7days -gt $expirationdate ]; then
    echo "KO - Certificate for $TARGET expires in less than $DAYS days, on $(date -d @$expirationdate '+%Y-%m-%d')" \
    | mail -s "Certificate expiration warning for $TARGET" $RECIPIENT ;
else
    echo "OK - Certificate expires on $expirationdate";
fi;

Amazing script! Just what i needed as base to build on :)
I changed it quite a bit to be an alternative to LetsEncrypt expiry mails. Here's my version:

#!/bin/bash

# Configuration
DOMAIN_LIST_FILE="/home/mark/domain_ssl_ttl_check.txt"
EXPIRY_DAYS=(14 10 7 5 3 2 1)
NOTIFICATION_SCRIPT="/home/mark/notify.sh"

# Function to get certificate expiry timestamp
get_expiry_timestamp() {
  local domain="$1"
  date -d "$(: | openssl s_client -connect "$domain":443 -servername "$domain" 2>/dev/null \
                                  | openssl x509 -text \
                                  | grep 'Not After' \
                                  | awk '{print $4,$5,$7}')" '+%s' 2>/dev/null
}

# Function to calculate days until expiry
days_until_expiry() {
  local expiry_timestamp="$1"
  local current_timestamp=$(date +%s)
  local seconds_diff=$((expiry_timestamp - current_timestamp))
  echo $((seconds_diff / 86400))
}

# Main loop
while IFS= read -r base_domain; do
  echo "Checking certificate expiry for: $base_domain"

  expiry_timestamp=$(get_expiry_timestamp "$base_domain")
  if [ -z "$expiry_timestamp" ]; then
    echo "Error: Could not retrieve certificate information for $base_domain. Skipping."
    continue
  fi

  days_left=$(days_until_expiry "$expiry_timestamp")
  expiry_date=$(date -d @"$expiry_timestamp" '+%d-%m-%Y')
  echo "Certificate for $base_domain expires in $days_left days, on $expiry_date."

  triggered=false # Flag to track if the notification script was triggered

  for trigger_days in "${EXPIRY_DAYS[@]}"; do
    if [ "$days_left" -eq "$trigger_days" ] && [ -x "$NOTIFICATION_SCRIPT" ]; then
      title="Certificate Expiry Warning"
      content="The SSL certificate for '$base_domain' and '*.${base_domain}' will expire in $days_left days, on $expiry_date."
      echo "Triggering notification script for $base_domain - $days_left days remaining"
      "$NOTIFICATION_SCRIPT" "$title" "$content"
      triggered=true
      break
    elif [ "$days_left" -eq "$trigger_days" ] && [ ! -x "$NOTIFICATION_SCRIPT" ]; then
      echo "Warning: Notification script '$NOTIFICATION_SCRIPT' is not executable."
      triggered=true
      break
    fi
  done

  if [ "$triggered" = false ]; then
    echo "No immediate notification for $base_domain. Expires on $expiry_date."
  fi

done < "$DOMAIN_LIST_FILE"

exit 0

Yes, i used AI to make this better :)

A couple things to note:

• First of, day-month-year. (it used to be year-month-day, yuck)
• DOMAIN_LIST_FILE is a one line per domain file
• in my case i'm exclusively using wildcard domains so the message i get says foo.bar and *.foo.bar, this might not be applicable to others.
• EXPIRY_DAYS, a list of specific expiry days to handle. This is for the notification (or mail in the old version). I didn't want to maintain a temp file so i solved it by just having a fixed list of days where you can receive a notification.
• NOTIFICATION_SCRIPT, the first argument is the title, second is the expiry message. In my case i'm using home assistant and thus have the "luxury" of using it's notification API to send me an actual notification.

The script can probably be simplified a little but this works really nice!
Run this as a daily cronjob and you're all set for domain expiry notifications.

Here is the notify.sh script, change where needed.

#! /bin/bash
curl -X POST \
-H "Authorization: Bearer [TOKEN]"
-H "Content-Type: application/json" \
-d "{ \
    \"title\": \"$1\", \
    \"message\": \"$2\" \
    }" \
[HA]/api/services/notify/[DEVICE]

I had to change things on the links i found so i guess those resources have changed compared to how home assistant works now. Therefore not posting links :)

• First of, day-month-year. (it used to be year-month-day, yuck)

You said year-month-day, yuck, it has to be the most dumbest thing thing in this script. Year-month-day is the standard in programming.

• First of, day-month-year. (it used to be year-month-day, yuck)

You said year-month-day, yuck, it has to be the most dumbest thing thing in this script. Year-month-day is the standard in programming.

Lol 😆 then you change it to what you like.
There's a couple reasons why i made that change.

1. We - western people - read from left to right. The most important part of the date in this context is the day and potentially the month. Having that readable from left to right makes a lot of sense (to me!).
2. Same geographic argument, different reason. dd-mm-yyyy is the standard here, i'm used to that and can't stand the many differences.

As an aside, if year-month-day is a standard (didn't know that and I've been a programmer for decades by now), then i'll happily ignore that. I'll quote you for my reason: "it has to be the most dumbest thing" 😉

Working great, thanks very much for the script!