cookbooks/letsencrypt/files/default/bin/check-certificate

   1 #!/usr/bin/ruby
   2
   3 require "net/http"
   4
   5 domain = ARGV.first
   6
   7 begin
   8   connection = Net::HTTP.start(domain, :use_ssl => true)
   9   certificate = connection.peer_cert
  10
  11   if Time.now < certificate.not_before
  12     puts "Certificate #{domain} not valid until #{certificate.not_before}"
  13   elsif certificate.not_after - Time.now < 14 * 86400
  14     puts "Certificate #{domain} expires at #{certificate.not_after}"
  15   else
  16     subject_alt_name = certificate.extensions.find { |e| e.oid == "subjectAltName" }
  17
  18     if subject_alt_name.nil?
  19       puts "Certificate #{domain} has no subjectAltName"
  20     else
  21       alt_names = subject_alt_name.value.split(/\s*,\s*/).sort
  22
  23       ARGV.sort.each do |expected|
  24         puts "Certificate #{domain} is missing subjectAltName #{expected}" unless alt_names.shift == "DNS:#{expected}"
  25       end
  26
  27       alt_names.each do |name|
  28         puts "Certificate #{domain} has unexpected subjectAltName #{name}"
  29       end
  30     end
  31   end
  32
  33   connection.finish
  34 rescue StandardError => error
  35   puts "Error connecting to #{domain}: #{error.message}"
  36 end