Send email if a server isn't using the latest certificate.

check_certs.sh

#!/usr/bin/env bash
set -e

DAYS_BEFORE_EMAIL=21
TO_ADDR="Joe <joe@example.com>"
BCC_ADDR="Demo <demo@example.com>"

find ~/.acme.sh -name '*cer' | tee certs_to_check.txt

# usage $0 {NEW_CERT} {OLD_CERT}
function email() {
    CERT_NAME="`basename $1`"
    CERT_EXPIRE_DATE="`openssl x509 -in $2 -enddate -noout | sed 's/notAfter=//' | date --file=-`"
    CERT_DAYS_UNTIL_EXPIRE=$(( ($(date --date="${CERT_EXPIRE_DATE}" +%s) - $(date +%s) ) / 60 / 60 / 24 ))
    CERT_PEM="`openssl x509 -text -in $1`"

    printf "To: %s \nBcc: %s \nSubject: %s expires in %s days. \nContent-Type: text/html \n" "$TO_ADDR" "$BCC_ADDR" "$CERT_NAME" "$CERT_DAYS_UNTIL_EXPIRE"
    printf "<h1>%s</h1>\n\n" "$CERT_NAME"
    printf "%s will expire on %s. See below for the latest certifiate for this domain issued on server: \n\n<pre>\n%s\n</pre>" "$CERT_NAME" "$CERT_EXPIRE_DATE" "$CERT_PEM"
    printf "<h1>Certificate Status</h1><p>The following is the status of all renewals on %s for %s.</p>\n<pre>%s</pre>" "`hostname --fqdn`" "$USER" "`~/.acme.sh/acme.sh list`"
}

while read CERT_FILE
do
  SERVER_NAME=`basename $CERT_FILE`
  printf "Checking to see if %s will expire in the next %s days... " "${SERVER_NAME}" "$DAYS_BEFORE_EMAIL"
  openssl s_client -servername ${SERVER_NAME} -connect ${SERVER_NAME}:443 < /dev/null 2> /dev/null | tee ${SERVER_NAME}.current.pem | \
    openssl x509 -noout -checkend $((60 * 60 * 24 * ${DAYS_BEFORE_EMAIL})) || email $CERT_FILE ${SERVER_NAME}.current.pem | tee last-mail-${SERVER_NAME}.txt | sendmail -t
  sleep 0.3
done < certs_to_check.txt

I am using acme.sh to generate certs. Here's what an example email looks like, I've set to 90 days notice for testing and added it to my crontab to run daily.