@knalli
Last active May 16, 2024 11:01
List all certificate expiry dates of Traefik's acme.json
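#!/bin/bash
## List the expiry date of every certificate stored in Traefik's acme.json.
##
## usage
##   ./check_traefik_acme.sh < acme.json
##   ./check_traefik_acme.sh /path/to/acme.json
## optionally define IGNORE_CERTS with a whitespace-separated list of
## ignorable certs; a domain is skipped when it contains one of the entries
## (entries are matched as shell patterns, as before).
##
## acme.json also contains the ACME account key and the certificates'
## private keys. This script reads the file exactly once and keeps only the
## domain names and the (public) certificates in memory.
##
## Exit status: 0 when every listed certificate could be checked, 1 when the
## input could not be read or at least one certificate could not be parsed.

set -u
set -o pipefail

ACME_JSON=${1:-/dev/stdin}
IGNORE_CERTS=${IGNORE_CERTS-}

C_RESET='\033[0m'
C_RED='\033[0;31m'
C_GREEN='\033[0;32m'
C_ORANGE='\033[0;33m'
C_PURPLE='\033[0;35m'
fmt="%-70s%-20s%-30s%-12s\n"

for tool in jq openssl; do
  if ! command -v "$tool" >/dev/null 2>&1; then
    printf 'error: required tool not found: %s\n' "$tool" >&2
    exit 1
  fi
done

# GNU date accepts --version, BSD/macOS date rejects it. The two variants
# need different flags for parsing and for printing a timestamp.
if date --version >/dev/null 2>&1; then
  date_flavor=gnu
else
  date_flavor=bsd
fi

# Convert openssl's "Jun  1 12:00:00 2025 GMT" into a unix timestamp.
to_epoch() {
  if [[ "$date_flavor" == gnu ]]; then
    date -d "$1" +'%s'
  else
    date -jf '%b %e %H:%M:%S %Y %Z' "$1" +'%s'
  fi
}

# Print a unix timestamp in the local default date format.
format_epoch() {
  if [[ "$date_flavor" == gnu ]]; then
    date -d "@$1"
  else
    date -r "$1"
  fi
}

# Return 0 when the domain matches one of the IGNORE_CERTS entries.
is_ignored() {
  local candidate=$1 pattern
  for pattern in "${ignore_patterns[@]}"; do
    # Unquoted on purpose: entries keep acting as patterns inside a
    # substring match, exactly like the original check.
    if [[ "$candidate" == *$pattern* ]]; then
      return 0
    fi
  done
  return 1
}

# Split the ignore list on whitespace without filename expansion. The flag
# and the loop variable used to share one name, so the flag was overwritten.
ignore_patterns=()
if [[ -n "$IGNORE_CERTS" ]]; then
  read -r -a ignore_patterns <<<"$IGNORE_CERTS"
fi

# Single pass over the input: stdin can only be read once, and the second
# lookup used to read a hard-coded file name instead of "$ACME_JSON".
# Only "domain<TAB>base64(certificate)" rows leave jq; private keys do not.
if ! cert_rows=$(jq -r '(.["letsencrypt-tls"].Certificates // [])[]
    | [.domain.main, .certificate] | @tsv' <"$ACME_JSON"); then
  printf 'error: cannot read certificates from %s\n' "$ACME_JSON" >&2
  exit 1
fi

now=$(date +'%s')
failures=0

while IFS=$'\t' read -r domain cert_b64; do
  if [[ -z "$domain" || -z "$cert_b64" ]]; then
    continue
  fi
  if is_ignored "$domain"; then
    continue
  fi

  # The certificate is stored base64 encoded; decode it and let openssl
  # report the end date as "notAfter=<date>". The value travels over stdin,
  # never through a jq filter string built from the domain name.
  if ! end_line=$(printf '%s' "$cert_b64" | jq -rR '@base64d' \
    | openssl x509 -noout -enddate 2>/dev/null); then
    printf 'warning: cannot parse certificate for %s\n' "$domain" >&2
    failures=$((failures + 1))
    continue
  fi

  notAfter=$(to_epoch "${end_line#notAfter=}" 2>/dev/null)
  # Only plain digits may reach the arithmetic expansion below.
  if [[ ! "$notAfter" =~ ^[0-9]+$ ]]; then
    printf 'warning: cannot read expiry date for %s\n' "$domain" >&2
    failures=$((failures + 1))
    continue
  fi

  # Whole days left; integer division truncates towards zero.
  delta=$(((notAfter - now) / 60 / 60 / 24))

  # Numeric comparisons: the string operator "<" inside [[ ]] sorted "7"
  # after "60", which coloured a certificate with 7 days left green.
  if ((notAfter <= now)); then
    # expired (also catches "expired less than a day ago", where delta is 0)
    color=$C_RED
  elif ((delta < 20)); then
    # renew asap / soon
    color=$C_ORANGE
  elif ((delta < 60)); then
    # renew in sight
    color=$C_PURPLE
  else
    # valid for more than 60 days
    color=$C_GREEN
  fi

  printf '%b' "$color"
  printf "$fmt" "$domain" "$notAfter" "$(format_epoch "$notAfter")" "$delta days"
  printf '%b' "$C_RESET"
done <<<"$cert_rows"

if ((failures > 0)); then
  exit 1
fi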