./ssl-cert-check <days> <certspec1,certspec2,...>
./ssl-cert-check <days> --list=<FILE>
./ssl-cert-check <days> --glob=<FILE>
This tool will warn you if any of the specified certificates expires in the next <days> days. If the --list mode is used, the file is expected to contain one certspec per line. Similarly, --glob mode expects one certspec per line in the given file, but each line will be evaluated as a wildcard glob pattern. In both cases, lines starting with the character '#' as well as empty lines will be ignored.
The first parameter is the number of days to warn in advance for expiring certificates. All following parameters are treated as certificate specifications and can be in one of the following formats:
An absolute path to a x509 PEM certificate file
A file://<path> URI
A ssl://<host>:<port> URI
For example: * ssl://example.org:443
A <proto>://<host>[:<port>] URI, this is the same as ssl://<host>:<proto>.
The real port number is usually looked up in /etc/services, note that you often need the one with the 's' suffix, like "https", "imaps", etc.
- imaps://example.org (same as ssl://example.org:993)
A <proto>+starttls://<host>[:<port>] URI
Use the STARTTLS command to start a in-protocol TLS session after opening an unencrypted connection. The openssl s_client needs to support this protocol. At time of this writing, the supported protocols are "smtp", "pop3", "imap", "ftp" and "xmpp".
Example for your crontab:
MAILTO=root 6 6 * * * nobody /usr/local/bin/ssl-cert-check 30 /etc/apache2/ssl/*.crt /etc/ssl/certs/dovecot.pem https://localhost ssl://localhost:465 smtp+starttls://localhost:587