We recently started using Let’s Encrypt SSL certificates. These certificates have a validity of only 90 days, and we wanted a way to easily check the expiry dates of all our certificates.
Turns out, it’s really easy to do this with Go.
The crypto/tls Package
The crypto/tls package provides a TLS 1.2 implementation. Among other things,
you can use it to establish a TLS connection and examine certificates. Connecting
to a host, like google.com, is as simple as:
Dial succeeds only if the server presents a valid certificate (self-signed
certificates will not work). Verifying that the name matches is another step,
which can be done like this:
This checks if the given name matches the Common Name or the Subject Alt Names
specified in the certificate. And finally, the certificate chain itself is
conn.ConnectionState().PeerCertificates. The server’s certificate
contains the expiry date we are interested in.
Here is a snippet (sans error checking) which can be used to get the expiry date of the certificate of an https site:
Not bad for 3 lines of code!
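The steps above (dial, verify the name, read the leaf certificate's expiry) with error checking and a timeout, as an added example that is not the author's code. The names `certExpiry` and `localCheck` are hypothetical, and the sample input is an in-process `httptest` server whose built-in test certificate is valid for `example.com`, so it runs offline.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net"
	"net/http/httptest"
	"time"
)

// certExpiry dials addr over TLS and returns the leaf certificate's NotAfter.
// roots == nil means the system trust store; name is the hostname to verify.
func certExpiry(addr, name string, roots *x509.CertPool, timeout time.Duration) (time.Time, error) {
	cfg := &tls.Config{RootCAs: roots, ServerName: name}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", addr, cfg)
	if err != nil {
		return time.Time{}, err // network error, untrusted or expired chain, or name mismatch
	}
	defer conn.Close()
	// The handshake already checked name via ServerName; VerifyHostname is the
	// explicit check the article describes and works for any other name too.
	if err := conn.VerifyHostname(name); err != nil {
		return time.Time{}, err
	}
	// PeerCertificates[0] is the server's own (leaf) certificate.
	return conn.ConnectionState().PeerCertificates[0].NotAfter, nil
}

// localCheck runs certExpiry against an in-process test server (constructed
// sample input) whose certificate is valid for "example.com".
func localCheck(name string) (time.Time, error) {
	srv := httptest.NewTLSServer(nil)
	defer srv.Close()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust only the test server's certificate
	return certExpiry(srv.Listener.Addr().String(), name, roots, 5*time.Second)
}

func main() {
	for _, name := range []string{"example.com", "wrong.example"} {
		notAfter, err := localCheck(name)
		if err != nil {
			fmt.Printf("%-14s error: %v\n", name, err)
			continue
		}
		fmt.Printf("%-14s expires %s\n", name, notAfter.Format("2006-01-02"))
	}
}
```

For a real site, call `certExpiry("host:443", "host", nil, timeout)` so the chain is verified against the system roots.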
Rolling it into a command-line tool
We threw in error checking, timeouts and a couple of useful tidbits:
- Read the list of server names to check from a file and from command-line arguments
- “Humanize” the expiry date with the nifty go-humanize
- ASCII art table
and rolled this into a command-line tool we named
That’s it! The code is available on GitHub, and you can go get it with:
Feel free to send us your feedback, suggestions and PRs!