My domain is (e.g.): https://www.pragmatismtomorrow.org/
My hosting provider, if applicable, is (mainly): TSOhost
I can login to a root shell on my machine: NO
I’m using a control panel to manage my site: “Cloud web hosting”, unbranded (NOT cPanel)
I’m using shared hosting with a control panel that has a <Let’s Encrypt> button, handling all the certificates installation and renewal for me (great!); I’m using that or similar on over a dozen websites; plus some on other webhosts.
Now I had an expired certificate: Annoying (a user worried about their “compromised” website) but quickly solved once alerted (just re-clicked the <Let’s Encrypt> button and OK within minutes. BUT to avoid this in future: Is there a way for me to install a CRON check to get expiry alerts?
As I understand it, if you self-install Let’sEncrypt you get warnings before your certificate expires. I don’t know when my webhost tries to renew (advice I read for certificates in general was to renew with 1/3rd of validity remaining, which would be after 60days; I could find out by daily checking my sites and see when my host has renewed them), but clearly I don’t get the “almost expired” alert email nor a failure message should it go wrong (like it did).
Hence: Is there a CRON recipe I could follow to check Let’s Encrypt expiry dates? My webhost has the usual basics at hand (bash/php/… ) and emailing CRON-results; Ideally, this checks for multiple websites (for ease of maintenance & quick install).
E.g., if my webhost typically renews 10days before expiry, I would like to check weekly if my certificates are at 9-or-less-days, leaving me a plentiful 2day heads-up before expiry [or similar frequency].
I’m guessing a few lines of the Certbot code does exactly what I need. I’m on the free tier of StatusCake, so SSL checks aren’t included.
Welcome to the community forum! Let’s Encrypt provides an expiration email service if you have provided your email address to your issuance client. https://letsencrypt.org/docs/expiration-emails/ . Double check that these emails aren’t going to your spam folder.
In addition to that, here’s some services you could use https://certificatemonitor.org/ and https://sslmate.com/certspotter/
If you want to use certbot to do these checks, you can use
certbot certificates per https://certbot.eff.org/docs/using.html#managing-certificates
If you really want to build your own monitor, here’s a start.
$ echo | openssl s_client -connect www.pragmatismtomorrow.org:443 -servername www.pragmatismtomorrow.org 2>&1 | openssl x509 -noout -startdate -enddate
notBefore=Mar 22 22:50:30 2019 GMT
notAfter=Jun 20 22:50:30 2019 GMT
In order to setup a cron you’d need some short of shell access to your webhost to install one. One of the suggested methods of using the certbot client for autorenew is to set it up as a regular cron.
You will probably want some online certificate checking service to alert you when your cert is close to expiration if you don’t have shell access on your host. https://certificatemonitor.org/ is a reasonable one from what I understand.
Hi, Thanks both!
@Phil — the whole process is a “black box”/ button on the webhost’s Panel, so I cannot choose to provide an email address to the issuance client… I’m guessing the webhost leaves it blank (or has a generic address for this, that it ignores); in any case no messages reach my inbox nor SPAM.
@mproto I’ve gone with the Certificatemonitor.org which Phil_LE also suggested. I hadn’t looked into such as I suspected this type of service to be for-pay (as with my ‘uptime checker’ StatusCake).
It seems a bit rough: warnings at 90/60/30/14/7/… days before expiry (and after); with checks made every one or two days. That sounds to me now as a flood of unwanted mails — only those of 7days-or-less are useful to me. I’ll try to remember reporting here back in 28days with experiences (as topics auto-close after a month…).
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.