This blog post shows you how to locally monitor Let's Encrypt SSL certificates for expiration. We will write a shell script and run it daily via cron to do the job.
How to monitor Let's Encrypt SSL certificates expiration dates
Table of Contents
- What is Let's Encrypt?
- Where's the catch?
- What about Let's Encrypt's email alerts?
- Find the path to your Let's Encrypt SSL certificate directories
- View created and expiration dates using the openssl command
- Extract the expiration date using openssl with grep, awk and cut
- Bash script to print expiration dates for all certificates
- Add this to your cron job
- Conclusion
What is Let's Encrypt?
Let's Encrypt is an open and automated certificate authority that uses the ACME protocol to provide free TLS/SSL certificates. If you have a website and want SSL certificates for free, you generate SSL certificates at Let's Encrypt and let your web server use them so you can serve the secure https:// instead of http://.
I have used Let's Encrypt SSL certificates on my websites for years. They are very reliable and recognized by all major browsers.
Where's the catch?
This is not really a catch, but Let's Encrypt's SSL certificates have a lifetime of only 90 days. Each certificate has to be renewed before its 90 days are up, and renewal repeats every 90 days.
Let's Encrypt provides a tool called Certbot that makes it easy to create and renew SSL certificates. There are other tools that do the job. I just haven't tried any of the alternatives.
What about Let's Encrypt's email alerts?
Let's Encrypt traditionally sends out emails before SSL certificates expire, so you know when it's a good time to renew your SSL certificates.
However, I don't rely on Let's Encrypt's emails because I have my own bash scripts that run via cron to check and renew.
Let's Encrypt recently sent out an email saying that they will not send any more email notifications about your SSL certificates' expiration dates.
SUBJECT: Updates on Lets Encrypt Subscriber Agreement & Ending Expiration Notification
As a Let’s Encrypt Subscriber, you benefit from access to free, automated TLS certificates. One way we have supported Subscribers is by sending expiration notification emails when it’s time to renew a certificate. We’re writing to inform you that we intend to discontinue sending expiration notification emails. You can learn more in this blog post. You will receive this reminder email again in the coming months: https://letsencrypt.org/2025/01/22/Ending-Expiration-Emails ....
They also provided options on what to do:
- Automate with an ACME Client that supports Automated Renewal Information (ARI). ARI enables us to automatically renew your certificates ahead of schedule should the need arise: https://letsencrypt.org/2024/04/25/guide-to-integrating-ari-into-existing-acme-clients
- Sign up for a third-party monitoring service that may provide expiration emails. We can recommend Red Sift Certificates Lite, which provides free expiration emails for up to 250 active certificates: https://redsift.com/pulse-platform/certificates
However, if you want to run your own cronjob that monitors your local Let's Encrypt certificates, read on.
Find the path to your Let's Encrypt SSL certificate directories
Let's Encrypt typically stores the SSL certificates in per-domain directories under this directory:
/etc/letsencrypt/live/
Under that directory, you will see one subdirectory for every domain name hosted by your web server that uses Let's Encrypt.
For example, the SSL certificates for aruljohn.com are stored in the directory:
/etc/letsencrypt/live/aruljohn.com
The SSL certificate your web server uses lives in that directory; append /cert.pem to the directory path:
/etc/letsencrypt/live/aruljohn.com/cert.pem
It is a symbolic link (symlink) to the actual certificate file under the archive directory.
View created and expiration dates using the openssl command
Run this command on your Terminal to view the created and expiration dates of your SSL certificates.
openssl x509 -noout -dates -in /etc/letsencrypt/live/aruljohn.com/cert.pem
Your output will be similar to this:
notBefore=Jan 20 17:07:10 2025 GMT
notAfter=Apr 20 17:07:09 2025 GMT
The expiration date is the date following the key notAfter=, which in this case is Apr 20 17:07:09 2025 GMT.
Extract the expiration date using openssl with grep, awk and cut
Now, we will refine this command to get only the expiration date. Run this:
openssl x509 -noout -dates -in /etc/letsencrypt/live/aruljohn.com/cert.pem | grep notAfter | awk '{print $1,$2,$4}' | cut -b 10-
Your output will be similar to this:
Apr 20 2025
Bash script to print expiration dates for all certificates
Now, we will write a bash script that reads all the directory names under the Let's Encrypt directory, each corresponding to a domain, checks the expiration date of each certificate, and emails the result to your email address.
This bash script will reside on your web hosting server, which should be the same server that holds your Let's Encrypt SSL certificates.
NOTE: To get the email to work, you have to install and configure the mail program first.
Let us name this bash script as checkcerts.sh.
#!/bin/bash
#
# Check SSL certificate expiration date
#
# By Arul John
#
mesg=""
email="arulsutilities@gmail.com" # REPLACE THIS WITH YOUR EMAIL ADDRESS
for cert in /etc/letsencrypt/live/*/cert.pem ; do
    [ -f "$cert" ] || continue   # skip the literal pattern when no certificate matched
    # Same pipeline as above: keep only the month, day and year after "notAfter="
    expiry=$(openssl x509 -noout -dates -in "${cert}" | grep notAfter | awk '{print $1,$2,$4}' | cut -b 10-)
    # The domain is the name of the directory that holds cert.pem
    domain=$(basename "$(dirname "${cert}")")
    mesg="${domain} expiry ${expiry} \n${mesg}"
done
# Print the domains and their expiration dates
echo -e "$mesg"
# Email the above to your email
echo -e "$mesg" | mail -s "Domain Expiry" "$email"
This will print the expiration date of each domain's certificate and send the list to your email.
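The script below is an added example and not the post's checkcerts.sh. It serves the two sections above: the notAfter value is read with openssl's own -enddate option instead of the grep/awk/cut chain, and instead of parsing dates in shell it lets openssl decide via -checkend whether a certificate is still valid N days from now, so the same check works on any system with openssl. It reports the whole days left for every cert.pem under a Let's Encrypt-style live directory, marks certificates that are expired or inside a warning window, and returns a non-zero status when any are, which a cron wrapper can act on. The LE_LIVE_DIR and WARN_DAYS variables, the 14-day default window and the 3660-day search bound are assumptions of this example, not Certbot settings.

```sh
#!/bin/sh
# Added example (not the post's script): report days until expiry for every
# certificate under a Let's Encrypt-style live directory and flag the ones that
# are expired or expire within WARN_DAYS. Only openssl is required.
# LE_LIVE_DIR and WARN_DAYS are this example's own variables, not Certbot's.

LE_LIVE_DIR="${LE_LIVE_DIR:-/etc/letsencrypt/live}"
WARN_DAYS="${WARN_DAYS:-14}"

# Print the full notAfter timestamp, e.g. "Apr 20 17:07:09 2025 GMT".
# -enddate prints only that line; cut keeps everything after "notAfter=".
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | cut -d= -f2-
}

# Exit 0 if certificate $1 is still valid $2 days from now, 1 otherwise.
# openssl does the date comparison, so no date(1) parsing is needed.
cert_valid_in_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null 2>&1
}

# Print the number of whole days certificate $1 remains valid, or -1 if it has
# already expired. Found by binary search over -checkend; the 3660-day
# (about ten years) upper bound is an assumption of this example.
cert_days_left() {
    cert_valid_in_days "$1" 0 || { printf '%s\n' -1; return 0; }
    lo=0; hi=3660
    while [ $((hi - lo)) -gt 1 ]; do
        mid=$(( (lo + hi) / 2 ))
        if cert_valid_in_days "$1" "$mid"; then lo=$mid; else hi=$mid; fi
    done
    printf '%s\n' "$lo"
}

# Scan directory $1 for */cert.pem, print one tab-separated line per domain
# (domain, days left, notAfter, status) and return 1 if any certificate is
# expired or has fewer than $2 days left, 0 otherwise.
check_live_dir() {
    dir="$1"; warn="$2"; rc=0
    for cert in "$dir"/*/cert.pem; do
        [ -f "$cert" ] || continue   # unmatched glob stays literal; skip it
        domain=$(basename "$(dirname "$cert")")
        days=$(cert_days_left "$cert")
        if [ "$days" -lt 0 ]; then
            status=EXPIRED; rc=1
        elif [ "$days" -lt "$warn" ]; then
            status=RENEW; rc=1
        else
            status=ok
        fi
        printf '%s\t%s\t%s\t%s\n' "$domain" "$days" "$(cert_not_after "$cert")" "$status"
    done
    return $rc
}

# Run the scan; the exit status is 1 when anything needs attention, which is
# what a cron wrapper or monitoring agent should key on rather than the text.
check_live_dir "$LE_LIVE_DIR" "$WARN_DAYS"
```

Run it as WARN_DAYS=21 ./certdays.sh to widen the window; because Certbot renews certificates about 30 days before expiry, a certificate with fewer days left than that is the signal that automatic renewal has stopped working, and the non-zero exit status is what you want your cron wrapper or monitoring to alert on.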
Add this to your cron job
Now, let us make it run weekly, say every Sunday at 6:15am.
Run this command:
crontab -e
It opens the default editor.
Add this at the last line.
15 6 * * 0 /PATH-TO/checkcerts.sh 2>&1
Save and quit. The next Sunday at 6:15am, you should get an email with the expiry date of all the domains using Let's Encrypt SSL certificates in your server.
Conclusion
Hope this blog post helped you with setting up your Let's Encrypt SSL certificate monitoring.
Thanks for reading.