#!/usr/bin/ruby require "socket" require "openssl" host = ARGV.shift address = ARGV.shift domains = ARGV context = OpenSSL::SSL::SSLContext.new context.verify_mode = OpenSSL::SSL::VERIFY_NONE begin socket = TCPSocket.new(address, 443) ssl = OpenSSL::SSL::SSLSocket.new(socket, context) ssl.sync_close = true ssl.hostname = domains.first ssl.connect rescue StandardError => error puts "Error connecting to #{host}: #{error.message}" end if ssl certificate = ssl.peer_cert if Time.now < certificate.not_before puts "Certificate #{domains.first} on #{host} not valid until #{certificate.not_before}" elsif certificate.not_after - Time.now < 21 * 86400 puts "Certificate #{domains.first} on #{host} expires at #{certificate.not_after}" end subject_alt_name = certificate.extensions.find { |e| e.oid == "subjectAltName" } if subject_alt_name.nil? puts "Certificate #{domains.first} on #{host} has no subjectAltName" else alt_names = subject_alt_name.value.split(/\s*,\s*/).map { |n| n.sub(/^DNS:/, "") } domains.each do |domain| if alt_names.include?(domain) alt_names.delete(domain) else puts "Certificate #{domains.first} on #{host} is missing subjectAltName #{domain}" end end alt_names.each do |name| puts "Certificate #{domains.first} on #{host} has unexpected subjectAltName #{name}" end end ssl.close end