#!/usr/bin/env bash
# scripts/cert-check.sh
# For each host in HOSTS, fetch the leaf cert via openssl s_client and
# warn if it expires in less than THRESHOLD_DAYS.
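set -euo pipefail
# Resolve the script's own directory so the helper library is found
# regardless of the caller's cwd.
HERE="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=/dev/null
. "${HERE}/lib/log.sh"
# Remaining validity (in days) below which a cert is reported as SOON.
# The value is used bare inside (( )) in probe(), and bash evaluates a
# variable's *value* as an arithmetic expression there — so a non-numeric
# value is not merely a typo: something like `a[$(cmd)]` would run `cmd`.
# Accept only a plain non-negative integer before anything uses it.
THRESHOLD_DAYS="${THRESHOLD_DAYS:-14}"
if [[ ! "${THRESHOLD_DAYS}" =~ ^[0-9]+$ ]]; then
  log_err "THRESHOLD_DAYS must be a non-negative integer, got '${THRESHOLD_DAYS}'"
  exit 2
fi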
# Endpoints to probe, one "host:port" per entry. They are probed in this
# order, one at a time; the host part is also sent as SNI by probe().
declare -a HOSTS=(
  # internal services
  "auth.home.arpa:443"
  "jellyfin.home.arpa:443"
  "gitea.home.arpa:443"
  "grafana.home.arpa:443"
  "prometheus.home.arpa:443"
  # externally reachable name
  "home.example.net:443"
)
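#######################################
# Fetch the leaf certificate one endpoint presents and report its
# remaining validity via the log_* helpers.
# Globals:   THRESHOLD_DAYS (read, must be an integer)
# Arguments: $1 - "host:port"; the host is everything before the last ':'
#                 (bracketed IPv6 literals are not handled)
# Outputs:   one OK / SOON / EXPIRED / FAIL line through log_info/warn/err
# Returns:   0 when the cert was read and has not expired (OK or SOON),
#            1 when no cert could be fetched or its notAfter was unparsable,
#            2 when the cert has already expired
#######################################
probe() {
  local hostport="$1" host="${1%:*}"
  local end_line end_ts now_ts days
  local -r connect_timeout=15
  local -a tmo=()
  # A peer that accepts the TCP connect but never completes the handshake
  # would otherwise stall the whole run (hosts are probed serially). Cap
  # each probe when GNU `timeout` exists; the script already relies on GNU
  # `date -d` below, so this adds no new portability assumption.
  if command -v timeout >/dev/null 2>&1; then
    tmo=(timeout "${connect_timeout}")
  fi
  # -servername sends SNI so a multi-vhost endpoint presents the right cert.
  # `openssl x509` parses only the first PEM block on its stdin, i.e. the
  # leaf. Note what this does NOT do: no chain, hostname or revocation
  # check — it measures the lifetime of whatever cert the peer handed back,
  # so a self-signed or misissued cert with a distant notAfter reads as OK.
  # stderr is dropped deliberately; any failure surfaces as an empty result.
  # ${tmo[@]+...} keeps an empty array from tripping `set -u` on bash < 4.4.
  end_line=$(${tmo[@]+"${tmo[@]}"} openssl s_client -servername "${host}" \
      -connect "${hostport}" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate 2>/dev/null || true)
  if [[ -z "${end_line}" ]]; then
    log_err "FAIL ${hostport} cannot fetch cert"
    return 1
  fi
  # The field looks like "notAfter=Jun  3 12:00:00 2025 GMT"; GNU `date -d`
  # parses that form. A parse failure becomes the sentinel 0, rejected next.
  end_ts=$(date -d "${end_line#notAfter=}" +%s 2>/dev/null || echo 0)
  if (( end_ts == 0 )); then
    log_err "FAIL ${hostport} bad expiry field"
    return 1
  fi
  now_ts=$(date +%s)
  days=$(( (end_ts - now_ts) / 86400 ))
  # Decide "expired" on the raw timestamps: integer division truncates
  # toward zero, so a cert that lapsed less than a day ago has days == 0
  # and a `days < 0` test would have reported it as merely SOON.
  if (( end_ts <= now_ts )); then
    log_err "EXPIRED ${hostport} ${days}d"
    return 2
  elif (( days < THRESHOLD_DAYS )); then
    log_warn "SOON ${hostport} ${days}d"
  else
    log_info "OK ${hostport} ${days}d"
  fi
}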
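# Probe every host in turn. One unreachable host must not abort the run
# (set -e is in effect), so each non-zero probe result is counted instead
# of propagated, and the script's own exit status summarises the run:
# 0 when every probe returned 0, 1 otherwise. Previously the script always
# exited 0, which hid failures from cron/systemd and any wrapper checking $?.
failed=0
for hp in "${HOSTS[@]}"; do
  probe "${hp}" || failed=$(( failed + 1 ))
done
(( failed == 0 )) || exit 1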