How to check for an expired certificate


#1

How can one know if a specific site has a certificate which is about to expire? There is only one way to do it: ask the URL.

$ curl -sIv https://community.letsencrypt.org/ |& grep expire

*  expire date: Mon, 23 Jan 2017 05:20:00 GMT

#2

Hi @chlor,

If you’re looking for a quick & easy way, most web browsers will allow you to view an HTTPS website’s certificate details in the browser UI. E.g. here are the Firefox instructions to do so. You can find the “Not After” field in the certificate details; this is the date the certificate will expire.

There are also a number of command line tools you could use for this (for example, openssl s_client -connect your.website.here.example.com:443 2>/dev/null </dev/null | openssl x509 -noout -enddate)

Hope that helps!


#3

No, I am not looking for a quick & easy way to look up the expire date.

I am looking forward to NOT receiving emails about a certificate which is NOT about to expire. My certificate is not about to expire because I renewed the certificate myself (added a new domain and reran certbot). If the “robot” thinks my certificate is about to expire it should first run “curl” or something and check it, before sending an email.

Anyway, thanks for a great service.


#4

Hi @chlor. You’re calling this a “renewal” but it isn’t. You added a new domain name. Our expiration mail documentation explains further:

We consider a certificate to be renewed if there is a newer certificate with the exact same set of names, regardless of which account created it. If you’ve issued a new certificate that adds or removes a name relative to your old certificate, you will get expiration email about your old certificate. If you check the certificate currently running on your website, and it shows the correct date, no further action is needed.

Unfortunately there isn’t an automated, generalizable, and accurate way for us to automatically detect whether an expiring certificate should be ignored from our end. Your curl suggestion in particular would cause issues as many of our certificates are used for protocols other than HTTPS. We have very little visibility into the usage of certificates post-issuance.

Thanks!
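
The renewal rule quoted in the reply above, worked through as an added Python example (not Let's Encrypt's code and not part of the original thread). The record fields, the account labels, the 20-day warning window and all sample certificates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Cert:
    serial: str            # constructed label, not a real serial number
    account: str           # hypothetical account id
    names: frozenset       # DNS names on the certificate
    not_before: datetime
    not_after: datetime


def name_set(*names):
    # DNS names are case-insensitive, so normalise before comparing sets.
    return frozenset(n.lower().rstrip(".") for n in names)


def is_renewed(cert, all_certs):
    # Renewed = a newer certificate carries exactly the same set of names,
    # regardless of which account created it. A superset does not count.
    return any(o.names == cert.names and o.not_before > cert.not_before
               for o in all_certs)


def expiry_notices(all_certs, now, window=timedelta(days=20)):
    # Serials of unexpired certificates inside the (assumed) warning window
    # that have no exact-name successor.
    return [c.serial for c in all_certs
            if now <= c.not_after <= now + window
            and not is_renewed(c, all_certs)]


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data. A/B mirror the case in this thread: B adds a name,
# so A still counts as expiring. C/D share one name set across two accounts.
CERTS = [
    Cert("A", "acct-1", name_set("example.org"),
         utc(2016, 10, 25), utc(2017, 1, 23)),
    Cert("B", "acct-1", name_set("example.org", "www.example.org"),
         utc(2016, 12, 20), utc(2017, 3, 20)),
    Cert("C", "acct-1", name_set("shop.example.org"),
         utc(2016, 10, 25), utc(2017, 1, 23)),
    Cert("D", "acct-2", name_set("SHOP.example.org"),
         utc(2017, 1, 2), utc(2017, 4, 2)),
]

if __name__ == "__main__":
    print(expiry_notices(CERTS, utc(2017, 1, 10)))
```

Only certificate A produces a notice: B covers its name but with a different name set, while C is matched by D even though D was issued under another account.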

