
Get SSL Expiration Alerts with AWS Lambda and CloudWatch - ryan_sb
https://serverlesscode.com/post/ssl-expiration-alerts-with-lambda/
======
jvehent
That's fairly easy to do in a cron job:

        TARGET="mysite.example.net"; \
        RECIPIENT="hostmaster@mysite.example.net"; \
        DAYS=7; \
        echo "checking if $TARGET expires in less than $DAYS days"; \
        expirationdate=$(date -d "$(: | openssl s_client -connect $TARGET:443 -servername $TARGET 2>/dev/null \
                                      | openssl x509 -noout -text \
                                      | grep 'Not After' \
                                      | awk '{print $4,$5,$7}')" '+%s'); \
        in7days=$(($(date +%s) + (86400*$DAYS))); \
        if [ $in7days -gt $expirationdate ]; then \
            echo "KO - Certificate for $TARGET expires in less than $DAYS days, on $(date -d @$expirationdate '+%Y-%m-%d')" \
            | mail -s "Certificate expiration warning for $TARGET" $RECIPIENT ; \
        else \
            echo "OK - Certificate for $TARGET expires on $(date -d @$expirationdate '+%Y-%m-%d')"; \
        fi;
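The same check written as a small Python script, as an added example that is not code from the thread or from the linked post: it connects to the server over the public route with SNI, reads the leaf certificate's notAfter, and applies the same "expires within N days" rule as the cron job above. It also accepts the ISO-8601 expiry format the AWS CLI prints, so the same evaluation can be run against `aws iam list-server-certificates` output. The host names and dates in it are constructed placeholders, and an expired or otherwise untrusted certificate, which would fail the handshake, is reported as KO rather than passed over silently.

```python
# Added example (not code from the thread): certificate-expiry check over the
# public TLS route, with SNI, using the same "expires within N days" rule as
# the cron job. Host names, ports and sample dates are constructed.
import socket
import ssl
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

WARN_DAYS = 7  # same threshold as DAYS=7 in the cron job


def parse_not_after(value: str) -> datetime:
    """Parse a certificate expiry into a timezone-aware UTC datetime.

    Accepts the 'notAfter' format used by openssl and ssl.getpeercert()
    ('Nov 10 23:56:37 2016 GMT') and the ISO-8601 form printed by the AWS CLI
    ('2016-11-10T23:56:37Z').
    """
    if "T" in value and value.endswith("Z"):
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def days_remaining(not_after: str, now: Optional[datetime] = None) -> float:
    """Fractional days between `now` (default: current UTC time) and expiry."""
    now = now or datetime.now(timezone.utc)
    return (parse_not_after(not_after) - now) / timedelta(days=1)


def evaluate(not_after: str, warn_days: int = WARN_DAYS,
             now: Optional[datetime] = None) -> Tuple[str, str]:
    """Return ('OK' | 'KO', message), mirroring the cron job's output lines."""
    days = days_remaining(not_after, now)
    expiry = parse_not_after(not_after).strftime("%Y-%m-%d")
    if days < 0:
        return "KO", f"certificate expired on {expiry}"
    if days < warn_days:
        return "KO", f"certificate expires in {days:.1f} days, on {expiry}"
    return "OK", f"certificate expires on {expiry}"


def fetch_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Handshake with SNI and return the leaf certificate's notAfter string.

    Chain verification stays enabled: a certificate that is already expired
    or otherwise untrusted raises ssl.SSLCertVerificationError instead of
    being reported as some future expiry.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host: str, port: int = 443, warn_days: int = WARN_DAYS) -> Tuple[str, str]:
    """Live check over the public route; any failure to verify is a KO, not a silent OK."""
    try:
        return evaluate(fetch_not_after(host, port), warn_days)
    except ssl.SSLCertVerificationError as exc:
        return "KO", f"TLS verification failed for {host}: {exc.verify_message}"
    except OSError as exc:  # DNS failure, refused connection, timeout, other TLS errors
        return "KO", f"could not check {host}:{port}: {exc}"


if __name__ == "__main__":
    import sys
    # usage: python check_cert.py mysite.example.net [days]   (host is a placeholder)
    target = sys.argv[1] if len(sys.argv) > 1 else "mysite.example.net"
    threshold = int(sys.argv[2]) if len(sys.argv) > 2 else WARN_DAYS
    status, message = check_host(target, warn_days=threshold)
    print(f"{status} - {message}")
    sys.exit(0 if status == "OK" else 1)
```

The non-zero exit on KO is what makes it usable from cron or any scheduler: the caller only has to act on the exit status, and unreachable hosts and verification failures never collapse into a false OK.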

~~~
dchest
Thanks! When I saw the title, I knew somebody on HN would come up with a few
shell commands for this :-)

------
abofh
$ aws iam list-server-certificates

      [
      {
          "ServerCertificateMetadataList": [
              {
                  "ServerCertificateId": "REDACTED", 
                  "ServerCertificateName": "ALSO-REDACTED", 
                  "Expiration": "2016-11-10T23:56:37Z", 
                  "Path": "/", 
                  "Arn": "MORE-REDACTION",
                  "UploadDate": "2015-11-11T23:56:43Z"
              }, 
      ...

Why?

------
dexterdog
Why can't you just read any cert regardless of where it is hosted and send an
alert when it is under a week? Why tie it to AWS?

~~~
krakensden
You're only cool if you're paying Amazon.

~~~
dexterdog
I run almost everything on AWS, but I don't see why this should be a checker
at the AWS level when SSL certs are typically exposed for any reader. I would
still run it in lambda, but I would check the cert over the public route.

------
mcrmonkey
"OK Google, set a reminder 1 year from now to...."

Nice write-up. But a bit overkill for something that you can solve with a
calendar item. ...Doesn't actually have to be on Google though ;)

~~~
colinbartlett
I have at least a dozen projects, clients, side projects, personal domains,
etc., each with a TLS cert. Plus at least 5 certs for work. All of them have
different expirations. Some are on Let's Encrypt without auto renew at the
moment, meaning they have varying expirations less than 90 days from now.

I would love just a simple iPhone app where I can list my domains and get push
notices at 30 or 7 days from expiration. Maybe I should make this myself
because I've yet to find one.

~~~
lukeschlather
[http://www.site24x7.com/](http://www.site24x7.com/) has a cert monitor that
does exactly what you want and more. If you have 10 domains it will run you
$10/month. (Although you probably also want an uptime checker, so really it's
more like 5 domains on the $10/month plan.)

~~~
colinbartlett
This is perfect, thanks for sharing.

------
edwhitesell
If you're already running Nagios for monitoring everything else, it's easy
enough to add a service to monitor SSL certs.

      /usr/lib/nagios/plugins/check_http --ssl -C 14 -H '$HOSTADDRESS$' -I '$HOSTADDRESS$'

------
pennersr
Netwell supports SSL expiration checks as well:

[https://github.com/pennersr/netwell](https://github.com/pennersr/netwell)

------
nzoschke
Nice implementation! I would like my team to get Slack notifications...

