
#! /usr/bin/perl
# check certs of the form
#
# www.lehmann.cx:443
# irc.libera.chat:6697
# xmpp.hmm.st:5223
#
# only direct TLS connections are supported; STARTTLS is not currently handled
#
# for ports that are not standard or are not covered by the port list below, you can add the protocol line after a space
# like irc.server:6698 quit
#
# Typically you would put the program into a cronjob that runs once a day
#
# perl checkcert.pl domains.txt
#
#
# by alexlehm/at/gmail.com
#
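use strict;
use warnings;
use Date::Parse;

# Warn this many days before a certificate expires.
my $WARN_DAYS = 15;

# openssl prints notAfter in GMT, so both reference timestamps are built
# from gmtime() in the same "YYYY-MM-DD HH:MM:SS" layout; strings in that
# layout compare chronologically with le/ge.
my $expiretime = _stamp(gmtime(time()));
my $warntime   = _stamp(gmtime(time() + $WARN_DAYS * 24 * 60 * 60));

# NOTE: <> applies 2-arg open magic to the file names in @ARGV, so the
# domain list paths must come from the trusted command line only; the
# lines inside the list are treated as untrusted data below.
while (my $line = <>) {
    $line =~ s/\s+\z//;    # newline, CR of CRLF files, trailing blanks
    $line =~ s/^\s+//;
    next if $line =~ /^#/;
    next if $line eq "";

    # "host:port" alone, or "host:port <protocol line>"
    my ($host, $request) = split /\s+/, $line, 2;
    $request = _default_request($host)
        unless defined $request && $request ne "";

    my $time = _format_not_after(_fetch_not_after($host, $request));
    if (!defined $time) {
        # connection failed, no cert, or unparsable date: report it
        # instead of printing a bogus 1900 expiry
        print "$host (could not read certificate)\n";
    }
    elsif ($time le $expiretime) {
        print "$host $time (expired)\n";
    }
    elsif ($time le $warntime) {
        print "$host $time\n";
    }
}

# Format a gmtime()/localtime() list as "YYYY-MM-DD HH:MM:SS".
sub _stamp {
    my ($sec, $min, $hour, $mday, $mon, $year) = @_;
    return sprintf "%04d-%02d-%02d %02d:%02d:%02d",
        $year + 1900, $mon + 1, $mday, $hour, $min, $sec;
}

# Pick the line sent after the TLS handshake for entries without an
# explicit protocol line, so the server answers or hangs up instead of
# waiting for input. Unknown or missing ports get a plain HTTP request.
sub _default_request {
    my ($host) = @_;
    my $port = $host =~ /:(\d+)\z/ ? $1 : 0;
    return "quit"            if $port == 6697;    # IRC over TLS
    return "quit"            if $port == 465;     # SMTPS
    return "<xml/>"          if $port == 5223;    # XMPP over TLS
    return "gemini://$host/" if $port == 1965;
    return "GET / HTTP/1.0\n\n";
}

# Run the openssl pipeline for $host and return its "notAfter=..." line
# (undef when nothing came back). $request and $host reach sh as the
# positional parameters "$1"/"$2" rather than being interpolated into the
# command text, so a crafted line in the domain list cannot inject shell
# syntax; list-form open also skips the extra shell that a string pipe
# open would start.
sub _fetch_not_after {
    my ($host, $request) = @_;
    my $pipeline = 'echo "$1" | openssl s_client -connect "$2" 2>/dev/null'
        . ' | openssl x509 -noout -enddate -in - 2>/dev/null';
    # no -servername is sent: hosts that rely on SNI may present their
    # default certificate rather than the one for $host
    open my $pipe, '-|', 'sh', '-c', $pipeline, 'checkcert', $request, $host
        or return;
    my $not_after = <$pipe>;
    close $pipe;
    return $not_after;
}

# Turn a "notAfter=Mon DD HH:MM:SS YYYY GMT" line into the stamp layout
# used by $expiretime/$warntime. Returns undef when the line is missing
# or Date::Parse cannot parse it.
sub _format_not_after {
    my ($not_after) = @_;
    return unless defined $not_after;
    $not_after =~ s/^notAfter=//;
    # strptime yields ($ss,$mm,$hh,$day,$month,$year,...) with a 1900-based
    # year and 0-based month, like localtime()
    my @parts = strptime($not_after);
    return unless @parts && defined $parts[5];
    my ($ss, $mm, $hh, $day, $month, $year) =
        map { defined $_ ? $_ : 0 } @parts[0 .. 5];
    return sprintf "%04d-%02d-%02d %02d:%02d:%02d",
        $year + 1900, $month + 1, $day, $hh, $mm, $ss;
}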