warn if a SSL cert is expiring in 30 days

management/status_checks.py

@@ -9,6 +9,7 @@ __ALL__ = ['check_certificate']
 import os, os.path, re, subprocess, datetime
 
 import dns.reversename, dns.resolver
+import dateutil.parser, dateutil.tz
 
 from dns_update import get_dns_zones, build_tlsa_record
 from web_update import get_web_domains, get_domain_ssl_files
@@ -374,6 +375,7 @@ def check_certificate(domain, ssl_certificate, ssl_private_key):
 		])
 	cert_dump = cert_dump.split("\n")
 	certificate_names = set()
+	cert_expiration_date = None
 	while len(cert_dump) > 0:
 		line = cert_dump.pop(0)
 
@@ -395,6 +397,10 @@ def check_certificate(domain, ssl_certificate, ssl_private_key):
 				if m:
 					certificate_names.add(m.group(1))
 
+		m = re.match("            Not After : (.*)", line)
+		if m:
+			cert_expiration_date = dateutil.parser.parse(m.group(1))
+
 	wildcard_domain = re.sub("^[^\.]+", "*", domain)
 	if domain is not None and domain not in certificate_names and wildcard_domain not in certificate_names:
 		return "This certificate is for the wrong domain names. It is for %s." % \
@@ -445,11 +451,21 @@ def check_certificate(domain, ssl_certificate, ssl_private_key):
 	if "self signed" in verifyoutput:
 		# Certificate is self-signed.
 		return "SELF-SIGNED"
-	elif retcode == 0:
+	elif retcode != 0:
-		# Certificate is OK.
+		# There is some unknown problem. Return the `openssl verify` raw output.
-		return "OK"
-	else:
 		return verifyoutput.strip()
+	else:
+		# `openssl verify` returned a zero exit status so the cert is currently
+		# good.
+
+		# But is it expiring soon?
+		now = datetime.datetime.now(dateutil.tz.tzlocal())
+		ndays = (cert_expiration_date-now).days
+		if ndays <= 31:
+			return "This certificate expires in %d days on %s." % (ndays, cert_expiration_date.strftime("%x"))
+
+		# Return the special OK code.
+		return "OK"
 
 _apt_updates = None
 def list_apt_updates(apt_update=True):