Keep Your Certificates Current Using Cron & Dead Man's Snitch
Don't let expirations surprise you.
Photo © AJS Pimentel. Licensed under Creative Commons. https://flic.kr/p/SHUw8F
In 2015 I wrote about Keep Your Certificates Current Using Your Test Suite. That’s still good but has a couple problems that bug me:
- It can block development. Suddenly, your test suite is red until you fix these certificates, even though you have a week to fix it.
- It can block deployment. If you require green tests to deploy, suddenly you can’t deploy and don’t know why (I’ve been bitten by this).
I still like getting notified of certificates that are due to expire, so let’s come up with something even better, leveraging cron and Dead Man’s Snitch.
I’m working on an app today that has four certificates, all for Apple Push Notifications (APNS). They’re all in a folder config/certificates.
Step 1: Build a rake task
Here’s a rake task I wrote up in Ruby to check each certificate:
# Depends on :environment so Rails.root and ActiveSupport's 1.week are loaded
task check_certificates: :environment do
  expiring = []
  path = Rails.root.join("config/certs/*.pem")
  Dir.glob(path).each do |file|
    certificate = OpenSSL::X509::Certificate.new(File.read(file))
    # Flag anything that expires within the next week
    if certificate.not_after.to_time <= 1.week.from_now
      expiring << file
    end
  end
  if expiring.any?
    # abort is more graceful than raising an exception
    # it also gives us a non-zero status code
    # which is useful for Dead Man's Snitch
    abort "Certificate(s) will expire in less than 1 week: #{expiring.join(", ")}"
  end
end
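As an added example (not the post's own code), here is the same check in plain Ruby without Rails, extended to distinguish already-expired certificates from expiring ones and to report days remaining. The self-signed certificates it builds are constructed test data, and the helper names (classify_certificate, find_expiring, make_test_cert) are mine.

```ruby
require "openssl"

# Same threshold as the rake task: flag anything expiring within a week.
ONE_WEEK = 7 * 24 * 60 * 60

# Classify one PEM certificate relative to `now`.
# Returns a hash with :status (:ok, :expiring or :expired) and :days_left.
def classify_certificate(pem, now: Time.now, threshold: ONE_WEEK)
  cert = OpenSSL::X509::Certificate.new(pem)
  remaining = cert.not_after - now # seconds; negative once expired
  status = if remaining <= 0 then :expired
           elsif remaining <= threshold then :expiring
           else :ok
           end
  { subject: cert.subject.to_s, not_after: cert.not_after,
    days_left: (remaining / 86_400).floor, status: status }
end

# Check many PEMs and return only those needing attention, like the
# rake task's `expiring` array but with details for the alert message.
def find_expiring(pems, now: Time.now, threshold: ONE_WEEK)
  pems.map { |pem| classify_certificate(pem, now: now, threshold: threshold) }
      .reject { |r| r[:status] == :ok }
end

# Constructed self-signed certificate for testing only (hypothetical
# helper): valid for `days` days starting at `not_before`.
def make_test_cert(cn, not_before, days)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_before + days * 86_400
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert.to_pem
end

if __FILE__ == $0
  now = Time.at(Time.now.to_i) # whole seconds, matching ASN.1 time precision
  pems = [make_test_cert("apns-prod", now - 86_400, 30),     # ok, 29 days left
          make_test_cert("apns-dev", now - 86_400, 5),       # expiring, 4 days
          make_test_cert("apns-old", now - 40 * 86_400, 30)] # expired 10 days ago
  problems = find_expiring(pems, now: now)
  # In the cron job you would `abort` here (non-zero exit) so the snitch
  # check-in is skipped and Dead Man's Snitch alerts; the demo just prints.
  problems.each { |p| puts "#{p[:subject]}: #{p[:status]} (#{p[:days_left]}d)" }
end
```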
Step 2: Add it to cron
Using cron, I run this task once per day. For example, if I wanted it to run at 7am every day, my crontab entry might look like this:
# Every day at 11:00AM UTC (7:00AM EST)
# https://cron.help/#0_11_*_*_*
0 11 * * * bundle exec rake check_certificates
Step 3: Get Notified with Dead Man’s Snitch
I’m assuming you already know how to use Dead Man’s Snitch to get alerted when something doesn’t happen. If not, go read the Getting Started documentation.
The most common way to use Dead Man’s Snitch for cron job monitoring is to add a curl to the end. Because the rake task aborts with a non-zero status when a certificate is close to expiring, the `&&` skips the check-in, the snitch misses its deadline, and Dead Man’s Snitch alerts you:
# Every day at 11:00AM UTC (7:00AM EST)
# https://cron.help/#0_11_*_*_*
# cron runs commands with /bin/sh, which lacks bash's &>, so redirect both streams explicitly
0 11 * * * bundle exec rake check_certificates && curl http://nosnch.in/c2354d53d2 > /dev/null 2>&1
I’m going to go a step further and use Dead Man’s Snitch’s Field Agent. That way I get notified immediately, and get other great stuff like error messages.
# Every day at 11:00AM UTC (7:00AM EST)
# https://cron.help/#0_11_*_*_*
0 11 * * * dms c2354d53d2 bundle exec rake check_certificates
That’s it! Now when my certificates are a week away from expiration, my team will get notified through Dead Man’s Snitch and I can fix them.
Have a different method you like for tracking expiration? Let me know in the comments.
Comments
Wow amazing!