List all certificate expiry dates of Traefik's acme.json

check_traefik_acme.sh

#!/bin/bash

## usage
## ./check_traefik_acme.sh < acme.json
## optionally define IGNORE_CERTS with a list of ignoreable certs

ACME_JSON=${1:-/dev/stdin}
IGNORE_CERTS=${IGNORE_CERTS-}

C_RESET='\033[0m'
C_RED='\033[0;31m'
C_GREEN='\033[0;32m'
C_ORANGE='\033[0;33m'
C_PURPLE='\033[0;35m'
fmt="%-70s%-20s%-30s%-12s\n"

domains=$(jq < "$ACME_JSON" -r '.["letsencrypt-tls"] | .Certificates[].domain.main')
now=$(date +'%s')
for domain in $domains; do
	excluded=0
	for excluded in $IGNORE_CERTS; do
	if [[ "$domain" = *$excluded* ]]; then
		excluded=1
		break
	fi
	done
	if [ $excluded == 1 ]; then
		continue
	fi
	# the certificate is in base64 encoded
	# parse the NotAfter into unix timestamp
	notAfter=$(jq < config_letsencrypt_acme.json -r '.["letsencrypt-tls"] | .Certificates[] | select(.domain.main == "'''$domain'''" ) | .certificate | @base64d' | openssl x509 -noout -text | grep "Not After" | awk -F'Not After : ' '{print $2}' | { read gmt; date -jf '%b %e %H:%M:%S %Y %Z' +'%s' "$gmt"; })
	# calc diff to now
	delta=$(( ($notAfter - $now) / 60/60/24 ))
	if [[ $delta < 0 ]]; then
		# expired
		echo -en "$C_RED"
	elif [[ $delta < 20 ]]; then
		# renew asap / soon
		echo -en "$C_ORANGE"
	elif [[ $delta < 60 ]]; then
		# renew in sight
		echo -en "$C_PURPLE"
	else
		# valid for more then 60 days
		echo -en "$C_GREEN"
	fi
	printf "$fmt" "$domain" "$notAfter" "$(date -r $notAfter)" "$delta days"
	echo -en "$C_RESET"
done