Skip to content

Instantly share code, notes, and snippets.

Created January 7, 2016 22:53
Show Gist options
  • Save ryansb/d8c333eb4a74168474c4 to your computer and use it in GitHub Desktop.
Save ryansb/d8c333eb4a74168474c4 to your computer and use it in GitHub Desktop.
Check expiring certificates
import datetime
import logging
import socket
import ssl
logger = logging.getLogger()
ssl_date_fmt = r'%b %d %H:%M:%S %Y %Z'
class AlreadyExpired(Exception):
def ssl_expires_in(hostname, buffer_days=14):
"""Gets the SSL cert from a given hostname and checks if it expires within buffer_days days"""
context = ssl.create_default_context()
conn = context.wrap_socket(
# 3 second timeout because Lambda has runtime limitations
conn.connect((hostname, 443))
ssl_info = conn.getpeercert()
expires = datetime.datetime.strptime(ssl_info['notAfter'], ssl_date_fmt)
# if the cert expires in less than two weeks, we should reissue it
if expires < (datetime.datetime.utcnow() + datetime.timedelta(days=buffer_days)):
# expires sooner than the buffer
return True
elif expires < datetime.datetime.utcnow():
# cert has already expired - uhoh!
raise AlreadyExpired("Cert expired at %s" % ssl_info['notAfter'])
# everything is fine
return False
def lambda_handler(event, context):
if not ssl_expires_in(YOUR_DOMAIN, WARNING_BUFFER):"SSL certificate doesn't expire for a while - you're set!")
return {"success": True, "cert_status": "valid"}
logger.warning("SSL certificate expires soon")
return {"success": True, "cert_status": "expiring soon"}
except AlreadyExpired as e:
logger.exception("Certificate is expired, get worried!")
return {"success": True, "cert_status": "expired"}
except Exception as e:
logger.exception("Failed to get certificate info")
return {"success": False, "cert_status": "unknown"}
Copy link

bockor commented Jan 26, 2020

may I ask what the lambda_handler provides in this snippet ? I don't get it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment