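#!/bin/bash
#
# Monitoring check for the expiry date of a server's TLS certificate.
#
# Usage: <script> HOST PORT
#
# Prints one status line on stdout and exits with:
#   0  OK        certificate is outside the warning window
#   1  WARNING   certificate expires within warn_days
#   2  CRITICAL  certificate has expired or expires within crit_days
#   3  UNKNOWN   bad arguments, or no certificate could be retrieved/parsed
#
# Scope: this check looks at the expiry date only. openssl s_client does not
# abort the handshake on chain or hostname verification errors unless asked to
# (e.g. -verify_return_error), and its diagnostics are discarded below, so
# "OK" does NOT mean the certificate is trusted or matches HOST. Cover trust
# and hostname validation with a separate check.

host=${1:-}
port=${2:-}

# Missing arguments would otherwise surface only as a confusing
# "Could not retrieve certificate! [:]" after a failed connect.
if [[ -z "$host" || -z "$port" ]]; then
  echo "UNKNOWN - Usage: ${0##*/} HOST PORT"
  exit 3
fi

# Fetch the leaf certificate as PEM. stdin is /dev/null so s_client closes the
# session right after the handshake. stderr of both stages is dropped on
# purpose: any failure is reported through the UNKNOWN status line instead.
# NOTE(review): there is no connect timeout here; an unresponsive peer blocks
# until the monitoring system's own plugin timeout fires.
cert=$(openssl s_client -connect "$host":"$port" -servername "$host" \
  </dev/null 2>/dev/null | openssl x509 2>/dev/null)

# Fail fast so the openssl calls below are never fed an empty certificate.
if [[ -z "$cert" ]]; then
  echo "UNKNOWN - Could not retrieve certificate! [$host:$port]"
  exit 3
fi

issuer_hash=$(openssl x509 -noout -issuer_hash <<<"$cert" 2>/dev/null)
# -enddate prints the single "notAfter=..." line.
not_after=$(openssl x509 -noout -enddate <<<"$cert" 2>/dev/null)

if [[ -z "$issuer_hash" || -z "$not_after" ]]; then
  echo "UNKNOWN - Could not retrieve certificate! [$host:$port]"
  exit 3
fi

# Default thresholds, in days before notAfter.
warn_days=60
crit_days=30

# Tighter thresholds for the issuers listed below. The hash is taken from the
# certificate the peer presented (unverified), so it only selects thresholds
# and must not be read as proof of who issued the certificate. Issuers that
# are not listed fall back to the 60/30 defaults, so this list has to be
# extended whenever a new intermediate comes into use.
case "$issuer_hash" in
  # 4f06f81d: issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
  # 8d33f237: issuer=C = US, O = Let's Encrypt, CN = R3
  # 462422cf: issuer=C = US, O = Let's Encrypt, CN = E5
  # 9aad238c: issuer=C = US, O = Let's Encrypt, CN = E6
  # 31dfb39d: issuer=C = US, O = Let's Encrypt, CN = R11
  # aa578057: issuer=C = US, O = Let's Encrypt, CN = R10
  4f06f81d | 8d33f237 | 462422cf | 9aad238c | 31dfb39d | aa578057)
    warn_days=10
    crit_days=3
    ;;
esac

# "-checkend N" exits non-zero when the certificate expires within N seconds.
# Checks run from most to least severe; the first failing one decides.
if ! openssl x509 -noout -checkend 0 <<<"$cert" >/dev/null 2>&1; then
  echo "CRITICAL - Certificate has expired! [$host:$port] [$not_after]"
  exit 2
elif ! openssl x509 -noout -checkend "$((86400 * crit_days))" <<<"$cert" >/dev/null 2>&1; then
  echo "CRITICAL - Certificate will expire really soon: [$host:$port] [$not_after]"
  exit 2
elif ! openssl x509 -noout -checkend "$((86400 * warn_days))" <<<"$cert" >/dev/null 2>&1; then
  echo "WARNING - Certificate will expire soon: [$host:$port] [$not_after]"
  exit 1
fi

echo "OK - [$host:$port] [$not_after]"
exit 0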