When will the SSL certificate for a site expire or in how many days will an SSL certificate expire?

If you are a system administrator, at least once in your career you might have worked with managing SSL certificates as well as making sure that SSL certificates are renewed before they expire. I have seen Linux admins using Nagios to monitor SSL certificates and get notified a few days before expiry and in some cases admins setup a cron job which polls the sites to be monitored and send out an email if any of the certs for a site are going to expire soon.

Googling for information on how to check SSL certificate expiration for a site might return results like this one on openssl s_client.

My favorite tool for getting certificate expiry is the Nagios plugin utility – check_http. The check_http script displays the exact date/time the SSL certificate for a given site expires as well as how many days are left before expiry.

Installation –

apt-get install nagios-plugins
yum install nagios-plugins-all

In my system, the plugins were installed under /usr/lib/nagios/plugins directory –

root@linubuvma:/usr/lib/nagios/plugins# cat /etc/issue
Ubuntu 14.04.5 LTS \n \l

root@linubuvma:/usr/lib/nagios/plugins# pwd

root@linubuvma:/usr/lib/nagios/plugins# ls
check_apt      check_dbi       check_dns       check_host       check_ifoperstatus  check_ldap   check_mrtg         check_nntp      check_ntp_time  check_ping   check_rta_multi  check_spop   check_time   negate
check_breeze   check_dhcp      check_dummy     check_hpjd       check_ifstatus      check_ldaps  check_mrtgtraf     check_nntps     check_nwstat    check_pop    check_sensors    check_ssh    check_udp    urlize
check_by_ssh   check_dig       check_file_age  check_http       check_imap          check_load   check_mysql        check_nt        check_oracle    check_procs  check_simap      check_ssmtp  check_ups    utils.pm
check_clamd    check_disk      check_flexlm    check_icmp       check_ircd          check_log    check_mysql_query  check_ntp       check_overcr    check_real   check_smtp       check_swap   check_users  utils.sh
check_cluster  check_disk_smb  check_ftp       check_ide_smart  check_jabber        check_mailq  check_nagios       check_ntp_peer  check_pgsql     check_rpc    check_snmp       check_tcp    check_wave

How to get the expiry information?

The -C option of check_http is what we are looking for. The help page for check_http explains the -C option as below –

-C, --certificate=INTEGER
Minimum number of days a certificate has to be valid. Port defaults to 443
(when this option is used the URL is not checked.)

Let us test it if any of the sites below have certificates which expire in the coming 30 days –

root@linubuvma:/usr/lib/nagios/plugins# ./check_http -t 60 -H yahoo.com -C 30
OK - Certificate 'www.yahoo.com' will expire on 10/30/2017 23:59.

root@linubuvma:/usr/lib/nagios/plugins# ./check_http -t 60 -H gmail.com -C 30
OK - Certificate 'mail.google.com' will expire on 03/09/2017 13:34.

root@linubuvma:/usr/lib/nagios/plugins# ./check_http -t 60 -H linuxfreelancer.com -C 30
OK - Certificate 'linuxfreelancer.com' will expire on 08/12/2017 03:01.

In order for check_http to show us how many days are left before the SSL certificate expires, we give it a much longer number of days (-C) –

root@linubuvma:/usr/lib/nagios/plugins# ./check_http -t 60 -H yahoo.com -C 1000
WARNING - Certificate 'www.yahoo.com' expires in 298 day(s) (10/30/2017 23:59).

root@linubuvma:/usr/lib/nagios/plugins# ./check_http -t 60 -H gmail.com -C 1000
WARNING - Certificate 'mail.google.com' expires in 63 day(s) (03/09/2017 13:34).

root@linubuvma:/usr/lib/nagios/plugins# ./check_http -t 60 -H linuxfreelancer.com -C 1000
WARNING - Certificate 'linuxfreelancer.com' expires in 219 day(s) (08/12/2017 03:01).

If the output doesn’t show the number of days left or the status is ‘OK’, keep on increasing the number of days. The ‘-t’ option is the connection timeout in seconds. In addition to running it interactively, check_http is very useful for scripting as well as automated monitoring.