Bash script to check SSL certificate expiry

I recently had to update certificates across 40 services. The rollout was handled by tools like Terraform and Ansible, but I wanted a quick script to validate that the new certificate is being used.

This openssl command connects to a server, fetches its certificate and prints the validity dates (the leading echo closes s_client's stdin so the command returns instead of waiting for input):

> echo | openssl s_client -connect some-https-address.com:443 2>/dev/null | openssl x509 -noout -dates 2>/dev/null

notBefore=Feb 15 07:00:15 2023 GMT
notAfter=Feb 10 04:34:00 2024 GMT

The benefit of this over curl -vI is that it also works against services that aren't HTTPS, such as RabbitMQ and Redis.

This script iterates through my list of hostname:port combinations, checks each certificate's expiry date and prints the result.

#!/bin/bash

# List the hostname and port of SSL certificates to check
targets=(
    some-https-address.com:443
    some-rabbitmq-address.com:5671
    some-redis-address.com:6379
)

# Set which year you're looking for
# In this scenario I'm checking that my new certificate has been applied
# previous cert expires 2023, new cert expires 2024
desired_year="2024"

# Colors for output
green="\e[32m"
red="\e[31m"
yellow="\e[33m"
restore_color="\e[0m"

for target in "${targets[@]}"; do
    # -servername sends SNI, so a host that serves several certificates returns
    # the one for this hostname rather than its default certificate
    result=$(echo | openssl s_client -connect "$target" -servername "${target%%:*}" 2>/dev/null | openssl x509 -noout -dates 2>/dev/null)
    if [ $? -eq 0 ]; then
        # Keep only the value of the notAfter= line, e.g. "Feb 10 04:34:00 2024 GMT"
        not_after=$(printf '%s\n' "$result" | sed -n 's/^notAfter=//p')
        if [ -n "$not_after" ]; then
            if echo "$not_after" | grep -q "$desired_year"; then
                echo -e "$green$target,$not_after$restore_color"
            else
                echo -e "$yellow$target,$not_after$restore_color"
            fi
        else
            echo -e "$red$target,notAfter string not found$restore_color"
        fi
    else
        echo -e "$red$target,failed to connect$restore_color"
    fi
done

Green means the certificate is good, yellow means it has not been updated, and red means an error occurred, such as an incorrect port number or a failed connection.

example output
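As an added example that is not part of the original post, the following script turns the same openssl pipeline into a general expiry monitor: instead of matching a year, it reports how many days each host:port certificate has left and classifies it as expired, expiring or ok. It sets SNI from the hostname, and it converts openssl's "Feb 10 04:34:00 2024 GMT" date format to epoch seconds in shell arithmetic so it does not depend on GNU date -d. The script name cert-days.sh, the WARN_DAYS variable and the 30-day default threshold are my assumptions, not anything from the post.

```shell
#!/bin/bash
# Added example, not code from the original post: report how many days each
# host:port certificate has left, with SNI set from the hostname.
# Assumes openssl is installed. Date maths is done in shell arithmetic, so it
# does not depend on GNU `date -d`. Script name and WARN_DAYS are assumptions.

# Month abbreviation as printed by openssl -> month number; fails on anything else.
month_number() {
    case "$1" in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# Days since 1970-01-01 for a Gregorian date (Hinnant's days_from_civil).
days_from_civil() {
    local y=$1 m=$2 d=$3 era yoe mp doy doe
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400))
    yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# "Feb 10 04:34:00 2024 GMT" (openssl's notAfter format) -> Unix epoch seconds.
openssl_date_to_epoch() {
    local mon day hms year hh mm ss rest days
    set -- $1                       # word-split into: Mon Day HH:MM:SS Year TZ
    [ "$#" -ge 4 ] || return 1
    mon=$(month_number "$1") || return 1
    day=$2; hms=$3; year=$4
    hh=${hms%%:*}; rest=${hms#*:}; mm=${rest%%:*}; ss=${rest#*:}
    days=$(days_from_civil "$year" "$mon" "$day")
    # ${x#0} drops one leading zero so 08 and 09 are not read as octal by $(( ))
    echo $((days * 86400 + ${hh#0} * 3600 + ${mm#0} * 60 + ${ss#0}))
}

# Seconds from $2 (Unix epoch; default: now) until the notAfter date found in
# the `openssl x509 -noout -dates` text passed as $1. Fails if there is none.
seconds_until_expiry() {
    local not_after expiry now
    not_after=$(printf '%s\n' "$1" | sed -n 's/^notAfter=//p')
    [ -n "$not_after" ] || return 1
    expiry=$(openssl_date_to_epoch "$not_after") || return 1
    now=${2:-$(date +%s)}
    echo $((expiry - now))
}

# Whole days until expiry; negative once expired (truncates toward zero).
days_until_expiry() {
    local secs
    secs=$(seconds_until_expiry "$1" "$2") || return 1
    echo $((secs / 86400))
}

# expired / expiring / ok, given seconds left and a warning threshold in days.
expiry_status() {
    local secs=$1 warn_days=${2:-30}
    if [ "$secs" -lt 0 ]; then echo expired
    elif [ "$secs" -lt $((warn_days * 86400)) ]; then echo expiring
    else echo ok
    fi
}

# Fetch the dates block for host:port. -servername sends SNI, so a host that
# serves several certificates returns the one for this name, not its default.
fetch_cert_dates() {
    echo | openssl s_client -connect "$1" -servername "${1%%:*}" 2>/dev/null \
        | openssl x509 -noout -dates 2>/dev/null
}

# Print one CSV line per target; exit status is non-zero unless the cert is ok.
check_target() {
    local target=$1 warn_days=${2:-30} dates secs status
    dates=$(fetch_cert_dates "$target") || { echo "$target,failed to connect"; return 2; }
    secs=$(seconds_until_expiry "$dates") || { echo "$target,notAfter not found"; return 2; }
    status=$(expiry_status "$secs" "$warn_days")
    echo "$target,$status,$((secs / 86400)) days"
    [ "$status" = ok ]
}

# Usage: WARN_DAYS=14 ./cert-days.sh host:port [host:port ...]
for target in "$@"; do
    check_target "$target" "${WARN_DAYS:-30}"
done
```

Because the parsing and classification live in their own functions, the same file can be sourced from a cron job or CI step and fed the output of openssl x509 -noout -dates on a certificate file, not just a live endpoint. Classification is done on seconds rather than whole days so a certificate that expired a few hours ago is reported as expired, not as "0 days, ok".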