It there a command to show how many days certificate you have?


#1

Just tell the command to show how many days have left before you have to renew?

I don’t know if. I hope some one knows and will reply to this post.

-Raymond Day


#2

Hi.
Try with:

echo | openssl s_client -connect <you server here>:443 2>/dev/null | openssl x509 -noout -dates

Reply example:

notBefore=Feb 22 08:56:00 2016 GMT
notAfter=May 22 08:56:00 2016 GMT


#3

@Ray, just a little comment to @redo_fr post. If you are using SNI in your web server, add -servername yourdomain.tld parameter to openssl command or you could only get the default cert in your web server.

Something like this:
echo | openssl s_client -connect yourdomain.tld:443 -servername yourdomain.tld 2>/dev/null | openssl x509 -noout -dates

You can also check the cert file directly:
openssl x509 -noout -dates -in /etc/letsencrypt/live/yourdomain.tld/cert.pem

Cheers,
sahsanu


#4

Very good looks like that worked.

root@XXX:~/letsencrypt# echo | openssl s_client -connect XXX.XXX:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Feb 19 10:09:00 2016 GMT
notAfter=May 19 10:09:00 2016 GMT
root@XXX:~/letsencrypt#

So it will last till 5/19/2016 super good to know.

Thank you.

-Raymond Day


#5

I use ssl-cert-check which is packaged on debian like systems and I find it very handy.

root@XXX# ssl-cert-check -c cert.pem 

Host                                        Status       Expires      Days
------------------------------------------- ------------ ------------ ----
FILE:cert.pem                               Valid        May 10 2016  77                                 

root@XXX# ssl-cert-check -h
Usage: /usr/bin/ssl-cert-check [ -e email address ] [ -x days ] [-q] [-a] [-b] [-h] [-i] [-n] [-v]
       { [ -s common_name ] && [ -p port] } || { [ -f cert_file ] } || { [ -c certificate file ] }

  -a                : Send a warning message through E-mail
  -b                : Will not print header
  -c cert file      : Print the expiration date for the PEM or PKCS12 formatted certificate in cert file
  -e E-mail address : E-mail address to send expiration notices
  -f cert file      : File with a list of FQDNs and ports
  -h                : Print this screen
  -i                : Print the issuer of the certificate
  -k password       : PKCS12 file password
  -n                : Run as a Nagios plugin
  -p port           : Port to connect to (interactive mode)
  -s commmon name   : Server to connect to (interactive mode)
  -t type           : Specify the certificate type
  -q                : Don't print anything on the console
  -v                : Specify a specific protocol version to use (tls, ssl2, ssl3)
  -V                : Only print validation data
  -x days           : Certificate expiration interval (eg. if cert_date < days)

The script is also available at http://prefetch.net/code/ssl-cert-check


#6

Thank you looks like a good one. Can install it with the apt-get command it said it like this:

The program ‘ssl-cert-check’ is currently not installed. You can install it by typing:
apt-get install ssl-cert-check

But I guess I have to type something else because I get this error:

root@XXX:~/letsencrypt# ssl-cert-check -c cert.pem

Host Status Expires Days


ERROR: The file named cert.pem is unreadable or doesn’t exist
ERROR: Please check to make sure the certificate for FILE:cert.pem is valid
root@XXX:~/letsencrypt#

Is there another name for the cert.pem?

-Raymond Day


#7

Looks like I have to tell it were the cert.pem file is:

root@XXX:~# ssl-cert-check -c /etc/letsencrypt/live/XXX.XXX/cert.pem

Host Status Expires Days


FILE:/etc/letsencrypt/live/XXX.XXX/cert.pem Valid May 22 2016 89
root@XXX:~#

Is something wrong because I have to tell it the full path?

Thank you for showing this command! Looks like a very good one to show when it will expire. Looks like I have 89 days left.

-Raymond Day


#8

I was in the /etc/letsencrypt/live/XXX.XXX/ directory when I issue my command “ssl-cert-check -c cert.pem”. If you are not in a directory with a cert.pem file in it, It is normal to get an error saying the file do not exist as every path no beginning with a ‘/’ are assume to be relative to the current directory.


#9

You can also use https://github.com/srvrco/checkssl if you want to ( it was written specifically to inform, or run a specific job when renewal was close). On the other hand, not that the LE script auto renews the certificate when it’s within 30 days of renewal there is less need for checking.


#10

I think it’s good to have to renew it so they know you still are there.

The checkssl is not a apt-get so I don’t want to install it. Thanks for showing it.

-Raymond Day


#12

ubuntu 16.04

sudo apt-get install ssl-cert-check 

ssl-cert-check is already the newest version (3.27-2).


#13

If you use certbot (https://certbot.eff.org/), it’s simply a matter of using

certbot certificates

If you need to filter for a particular domain the result, do

certbot certonly --cert-name example.com

This answer has been clearly borrowed from the official certbot documentation at https://certbot.eff.org/docs/using.html#where-are-my-certificates


#14

You can set that command up on your cronjob to check the expiration dates quite regularly and send you an e-mail notification or something whenever they are about to expire. I personally prefer using SSL Checker app for iPhone for this purpose. I can monitor any host there and it sends me a notification whenever any of my SSL certificates is about to expire.