10 context = OpenSSL::SSL::SSLContext.new
11 context.verify_mode = OpenSSL::SSL::VERIFY_NONE
14 socket = TCPSocket.new(address, 443)
16 ssl = OpenSSL::SSL::SSLSocket.new(socket, context)
18 ssl.hostname = domains.first
20 rescue StandardError => e
21 puts "Error connecting to #{host}: #{e.message}"
25 certificate = ssl.peer_cert
27 if Time.now < certificate.not_before
28 puts "Certificate #{domains.first} on #{host} not valid until #{certificate.not_before}"
29 elsif certificate.not_after - Time.now < 21 * 86400
30 puts "Certificate #{domains.first} on #{host} expires at #{certificate.not_after}"
33 subject_alt_name = certificate.extensions.find { |ext| ext.oid == "subjectAltName" }
35 if subject_alt_name.nil?
36 puts "Certificate #{domains.first} on #{host} has no subjectAltName"
38 alt_names = subject_alt_name.value.split(/\s*,\s*/).map { |n| n.sub(/^DNS:/, "") }
40 domains.each do |domain|
41 if alt_names.include?(domain)
42 alt_names.delete(domain)
44 puts "Certificate #{domains.first} on #{host} is missing subjectAltName #{domain}"
48 alt_names.each do |name|
49 puts "Certificate #{domains.first} on #{host} has unexpected subjectAltName #{name}"