
Setup an email alert on SSL / TLS certificate expiration

by Pierre-Yves Landuré last modified Oct 22, 2018 07:51

SSL / TLS certificates are signed by a certificate authority for a defined period, usually 1 year. Once the expiration date has passed, clients (browsers, mail clients, etc.) consider the certificate invalid. Being alerted before a server's certificates expire helps to anticipate renewals.

This howto is tested on:

  • Debian 6.0 Squeeze


Install the OpenSSL software:

command apt-get install openssl

Install the certificate check tool (generously provided by Prefetch Technologies):

command wget '' \
--quiet --output-document='/usr/local/bin/ssl-cert-check'
command chmod +x '/usr/local/bin/ssl-cert-check'

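Install the cron script that checks the validity of the server's certificates. The --no-check-certificate option disables TLS verification of the download, and the script is then run as root by cron, so read it before making it executable: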

command wget '' \
--quiet --no-check-certificate --output-document='/etc/cron.weekly/check-active-certs'
command chmod +x '/etc/cron.weekly/check-active-certs'

By default, the email is sent to the server's root account. To change this, edit the ALERT_EMAIL value at the top of the /etc/cron.weekly/check-active-certs file.

The certificate check is done weekly. Only the certificates used by the following software on this server are checked:

  • Apache 2
  • LigHTTPd
  • Exim 4
  • Cyrus Imap
  • vsFTPd
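
A minimal expiry check of the kind this howto sets up, for certificate files you list yourself. This is an added example, not ssl-cert-check or the check-active-certs script; the function names and the certificate path are hypothetical, and it assumes GNU date (as on Debian) and the openssl command-line tool.

```sh
#!/bin/sh
# Added example: not ssl-cert-check and not the check-active-certs cron script.
# Assumes GNU date (as on Debian) and the openssl command-line tool.

# days_left NOT_AFTER [NOW_EPOCH]
# NOT_AFTER is the line printed by `openssl x509 -noout -enddate`.
# Prints whole days until expiry, rounded down (negative once expired).
days_left() (
    not_after=${1#notAfter=}
    now=${2:-$(date +%s)}
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || exit 2
    diff=$((end - now))
    # Shell division truncates toward zero; adjust so -1 second gives -1 day.
    if [ "$diff" -lt 0 ]; then diff=$((diff - 86399)); fi
    echo $((diff / 86400))
)

# classify DAYS WARN_DAYS: prints EXPIRED, EXPIRING or OK.
classify() {
    if [ "$1" -lt 0 ]; then echo EXPIRED
    elif [ "$1" -le "$2" ]; then echo EXPIRING
    else echo OK
    fi
}

# report_expiring WARN_DAYS FILE...
# Prints one line per certificate needing attention; exit status 1 if any.
report_expiring() (
    warn=$1; shift; rc=0
    for f in "$@"; do
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) \
            || { echo "UNREADABLE $f"; rc=1; continue; }
        days=$(days_left "$end") || { echo "BAD-DATE $f"; rc=1; continue; }
        state=$(classify "$days" "$warn")
        [ "$state" = OK ] || { echo "$state ($days days left) $f"; rc=1; }
    done
    exit "$rc"   # leaves the function's subshell, not the calling script
)

# Example: certwatch.sh 30 /etc/ssl/certs/www.example.org.pem  (placeholder path)
if [ "$#" -ge 2 ]; then report_expiring "$@"; fi
```

The script prints nothing when every certificate is outside the warning window, so a cron job running it only generates mail when a certificate needs attention.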