Set up an email alert on SSL / TLS certificate expiration
SSL / TLS certificates are signed by a certificate authority for a defined period, usually 1 year. Once the expiration date has passed, clients (browsers, mail clients, etc.) consider the certificate invalid. Being alerted when a server's certificates expire helps to anticipate renewals.
This howto is tested on:
- Debian 6.0 Squeeze
Installation
Install the OpenSSL software:
command apt-get install openssl
Install the certificate check tool (generously provided by Prefetch Technologies):
command wget 'http://prefetch.net/code/ssl-cert-check' \
--quiet --output-document='/usr/local/bin/ssl-cert-check'
command chmod +x '/usr/local/bin/ssl-cert-check'
Install the server certificates validity-check cron script:
command wget 'https://raw.github.com/biapy/howto.biapy.com/master/various/check-active-certs' \
--quiet --no-check-certificate --output-document='/etc/cron.weekly/check-active-certs'
command chmod +x '/etc/cron.weekly/check-active-certs'
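Both scripts are fetched without authenticating the source (plain HTTP for ssl-cert-check, --no-check-certificate for check-active-certs), and scripts in /etc/cron.weekly run as root, so read both files before the first scheduled run.
By default, the email is sent to the server's root account. To change this, edit the ALERT_EMAIL value at the top of the /etc/cron.weekly/check-active-certs file.
The certificate check runs weekly. Only the certificates used by the following software on this server are checked: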
- Apache 2
- Lighttpd
- Exim 4
- Cyrus IMAP
- vsFTPd
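What an expiry check on a certificate file comes down to, as an added example using plain openssl (this is not the code of ssl-cert-check or check-active-certs). The function names and the WARN_DAYS variable are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: classify certificate files by time left before expiry.
# WARN_DAYS, cert_status and report_certs are hypothetical names.
WARN_DAYS="${WARN_DAYS:-30}"

# cert_status FILE [DAYS]: prints ok, expiring, expired or unreadable.
cert_status() {
    cert="$1"
    days="${2:-$WARN_DAYS}"
    # A file openssl cannot parse is reported rather than silently skipped.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    # -checkend N exits non-zero when notAfter falls within the next N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# report_certs FILE...: one line per certificate that needs attention.
report_certs() {
    for cert in "$@"; do
        status="$(cert_status "$cert")"
        [ "$status" = ok ] && continue
        end="$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | cut -d= -f2)"
        printf '%s: %s (notAfter=%s)\n' "$cert" "$status" "${end:-unknown}"
    done
}

# Stand-alone use: pass certificate paths as arguments.
if [ "$#" -gt 0 ]; then
    report_certs "$@"
fi
```

When a script like this runs from cron, any output it prints is mailed to the crontab's owner or MAILTO address, so printing only the problem certificates is enough to produce an alert.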
Thanks
- Thanks to Prefetch Technologies for Proactively Handling Certificate Expiration With ssl-cert-check.
- Thanks to Sébastien at Tux-planet for Vérifier automatiquement l'expiration de certificats SSL.