Keep Your Certificates Current Using Cron & Dead Man's Snitch

Don't let expirations surprise you.

Photo © AJS Pimentel. Licensed under Creative Commons.

In 2015 I wrote about Keep Your Certificates Current Using Your Test Suite. That’s still good but has a couple problems that bug me:

  1. It can block development. Suddenly, your test suite is red until you fix these certificates, even though you have a week to fix it.
  2. It can block deployment. If you require green tests to deploy, suddenly you can’t deploy and don’t know why (I’ve been bit by this).
    I still like getting notifed of certificates that are due to expire, so let’s come up with something even better. Leveraging cron and Dead Man’s Snitch.

I’m working on an app today that has four certificates, all for Apple Push Notifications (APNS). They’re all in a folder config/certificates

Step 1: Build a rake task

Here’s a rake task I wrote up in Ruby to check each certificate:

task :check_certificates do
  expiring = []
  path = Rails.root.join("config/certs/*.pem")

  Dir.glob(path).each do |file|
    certificate =
    if certificate.not_after.to_time <= 1.week.from_now
      expiring << file

  if expiring.any?
    # abort is more graceful than raising an exception
    # it also gives us a non-zero status code
    # which is useful for Dead Man's Snitch
    abort "Certificate(s) will expire in less than 1 week: #{expiring.join(", ")}"

Step 2: Add it to cron

Using cron, I run this task once per day. For example, if I wanted it run at 7am every day, my crontab entry might look like this:

# Every day at 11:00AM UTC (7:00AM EST)
0 11 * * * bundle exec rake check_certificates

Step 3: Get Notified with Dead Man’s Snitch

I’m assuming you already know how to use Dead Man’s Snitch to get alerted when something doesn’t happen. If not, go read the Getting Started documentation.

The most common way to use Dead Man’s Snitch for cron job monitoring is to add a curl to the end:

# Every day at 11:00AM UTC (7:00AM EST)
0 11 * * * bundle exec rake check_certificates && curl &> /dev/null

I’m going to go a step farther and use Dead Man’s Snitch’s Field Agent. That way I get notified immediately, and get other great stuff like error messages.

# Every day at 11:00AM UTC (7:00AM EST)
0 11 * * * dms c2354d53d2 bundle exec rake check_certificates

That’s it! Now when my certificates are a week away from expiration, my team will get notified through Dead Man’s Snitch and I can fix them.

Have a different method you like for tracking expiration? Let me know in the comments.

Photo of Daniel Morrison

Daniel founded Collective Idea in 2005 to put a name to his growing and already full-time freelance work. He works hard writing code, teaching, and mentoring.


    September 05, 2019 at 17:06 PM

    Wow amazing!