Certificate expiration
After Heartbleed, and after generating lots of new certificates, I searched for a tool that sends me an alert when a certificate is about to expire. Basically I need an automatic check of the expiration date of certificates. My requirements were:
- daily checks;
- notification by email;
- check for certificates on internal and external network;
- check for certificates on non-web services (imap, pop, …).
There are a couple of tools that cover part of my requirements but not one tool that did everything that I needed. So I made it myself.
Check Expiration Date of SSL certificates
ceds.py is a Python script that reads a file as input (ceds.checks) and does an SSL check on every host listed in the file. The script has a couple of inline configuration parameters.
servers_to_check = "ceds.checks"
alert_days = 5
mail_rcpt = "<>"
mail_from = "<>"
mail_server = "localhost"
- servers_to_check : the file with the hosts to check;
- alert_days : how many days before expiration to send an alert;
- mail_rcpt : recipient of the alert;
- mail_from : sender of the alert;
- mail_server : server to use to send the alert.
The script is available on Github, download the raw version at https://raw.githubusercontent.com/cudeso/tools/master/ceds.py.
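The core of such a check, as an added example (it is not the code of ceds.py): it uses Python 3's standard `ssl` module instead of pyOpenSSL, and the function names are hypothetical. It normalizes each `hostname:443` line, sends SNI during the handshake, and accepts the expiry value either as text or as the bytes that pyOpenSSL's `get_notAfter()` returns.

```python
import socket
import ssl
from datetime import datetime, timezone

ALERT_DAYS = 5  # same meaning as alert_days in the post

def parse_check_line(line):
    """Turn one 'hostname:443' line into (host, port); None for a blank line."""
    entry = line.strip()                     # drop trailing spaces and newlines
    if not entry:
        return None
    if "://" in entry:                       # tolerate a pasted http:// or https://
        entry = entry.split("://", 1)[1]
    host, _, port = entry.split("/", 1)[0].partition(":")
    if not host:
        raise ValueError("no hostname")
    return host, int(port or 443)

def parse_not_after(value):
    """Parse notAfter from pyOpenSSL (b'20300601120000Z') or stdlib ssl text form."""
    if isinstance(value, bytes):             # strptime() needs str, not bytes
        value = value.decode("ascii")
    if value.endswith("Z"):
        return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)

def fetch_not_after(host, port, timeout=10):
    """Handshake with SNI and chain verification; return the raw notAfter value."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # sets SNI
            return tls.getpeercert()["notAfter"]

def check(lines, fetch=fetch_not_after, now=None):
    """Return (entry, message) pairs for every line that needs an alert."""
    now = now or datetime.now(timezone.utc)
    alerts = []
    for line in lines:
        try:
            target = parse_check_line(line)
            if target is None:
                continue
            remaining = (parse_not_after(fetch(*target)) - now).days
        except (OSError, ValueError) as exc:  # ssl.SSLError subclasses OSError
            alerts.append((line.strip(), "unable to check: %s" % exc))
            continue
        if remaining <= ALERT_DAYS:
            alerts.append(("%s:%d" % target, "expires in %d days" % remaining))
    return alerts
```

Because verification stays enabled, a certificate that has already expired or does not chain to a trusted CA is reported as "unable to check"; for hosts signed by an internal CA, load that CA into the context with `ctx.load_verify_locations()`.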
Cron
Ideally you run this script from cron.
30 12 * * * user /home/user/tools/ceds.py > /dev/null 2>&1
I tried your script, output shows “unable to connect to http://www.google.com:443”
Can you help on this issue?
Thanks
What is in your ceds.checks file? If you want to test for google.com you have to add
www.google.com:443
and omit the http://
Great Python script, thanks
awesome script. thank you my friend.
Receiving a mail with ” Unable to connect to url …..
I placed a list of the urls in a file in the same folder as the script. It outputs the list of urls but says it fails to connect to them. Any suggestions?
*) Syntax for ‘ceds.check’ is “hostname:443” ; for example http://www.google.com:443
*) Are you able to connect to the hostname from the host that does the check via telnet hostname 443?
*) add “print exp_date” after the line where exp_date= ; that way you’re able to check if connection was at least successful and another error happened
Got it sorted – empty space at the end of the urls file!!!
It failed to catch one of the urls certs? expire in 10 days
Is there an additional entry I should make?
Thanks
Check the “alert_days = 5” in the script.
Hi Koen,
Thank you for your reply. Just a note to say if I add https:// to the urls it fails to run, so I’ve stripped it and it runs.
Thanks again
Hi Koen,
Greetings in 2018 !
ImportError: No module named OpenSSL , an alternative to Python 2.3.5 ?
Thanks,
Ed
Hi Koen,
any suggestion in amending script to work with SNI?
Thanks
KR
Mirko
Hi
Thanks Koen for your post,
I have tested your script to check some certificates for our sites, the problem is, I got the same expiry days (691) for all URLs that I have put in the file!
Hello Alaoui,
Unfortunately, I have no idea what could have caused this problem.
Are these public certificates? If so provide me the link to one so that I can check. If you manually check, what is the expiration date?
You can also print the value “exp_date” which is fetched via get_peer_cert.get_notAfter() and check what’s in it manually.
kr,
koen
Does this script still work? During use I get the following error message:
./ceds.py
Traceback (most recent call last):
File “./ceds.py”, line 14, in
from OpenSSL import SSL
ImportError: No module named OpenSSL
Found it already: pip install pyopenssl
Hi,
I get unable to connect url email.
And get this error on the shell when I use print(exp_date) :
TypeError: strptime() argument 1 must be str, not bytes
Hi,
I am getting below error,
please help on this.
message[“From”] = busam@gmail.com
NameError: name ‘busam’ is not defined