Keep Your Certificates Current Using Cron & Dead Man's Snitch

Don't let expirations surprise you.

Photo © AJS Pimentel. Licensed under Creative Commons. https://flic.kr/p/SHUw8F

In 2015 I wrote about Keep Your Certificates Current Using Your Test Suite. That’s still good but has a couple problems that bug me:

  1. It can block development. Suddenly, your test suite is red until you fix these certificates, even though you have a week to fix it.
  2. It can block deployment. If you require green tests to deploy, suddenly you can’t deploy and don’t know why (I’ve been bit by this).
    I still like getting notifed of certificates that are due to expire, so let’s come up with something even better. Leveraging cron and Dead Man’s Snitch.

I’m working on an app today that has four certificates, all for Apple Push Notifications (APNS). They’re all in a folder config/certificates

Step 1: Build a rake task

Here’s a rake task I wrote up in Ruby to check each certificate:

task :check_certificates do
  expiring = []
  path = Rails.root.join("config/certs/*.pem")

  Dir.glob(path).each do |file|
    certificate = OpenSSL::X509::Certificate.new(File.read(file))
    if certificate.not_after.to_time <= 1.week.from_now
      expiring << file
    end
  end

  if expiring.any?
    # abort is more graceful than raising an exception
    # it also gives us a non-zero status code
    # which is useful for Dead Man's Snitch
    abort "Certificate(s) will expire in less than 1 week: #{expiring.join(", ")}"
  end
end

Step 2: Add it to cron

Using cron, I run this task once per day. For example, if I wanted it run at 7am every day, my crontab entry might look like this:

# Every day at 11:00AM UTC (7:00AM EST)
# https://cron.help/#0_11_*_*_*
0 11 * * * bundle exec rake check_certificates

Step 3: Get Notified with Dead Man’s Snitch

I’m assuming you already know how to use Dead Man’s Snitch to get alerted when something doesn’t happen. If not, go read the Getting Started documentation.

The most common way to use Dead Man’s Snitch for cron job monitoring is to add a curl to the end:

# Every day at 11:00AM UTC (7:00AM EST)
# https://cron.help/#0_11_*_*_*
0 11 * * * bundle exec rake check_certificates && curl http://nosnch.in/c2354d53d2 &> /dev/null

I’m going to go a step farther and use Dead Man’s Snitch’s Field Agent. That way I get notified immediately, and get other great stuff like error messages.

# Every day at 11:00AM UTC (7:00AM EST)
# https://cron.help/#0_11_*_*_*
0 11 * * * dms c2354d53d2 bundle exec rake check_certificates

That’s it! Now when my certificates are a week away from expiration, my team will get notified through Dead Man’s Snitch and I can fix them.

Have a different method you like for tracking expiration? Let me know in the comments.

Photo of Daniel Morrison

Daniel founded Collective Idea in 2005 to put a name to his growing and already full-time freelance work. He works hard writing code, teaching, and mentoring.

Comments

Add a Comment

Hmm...that didn't work.

Something went wrong while adding your comment. If you don't mind, please try submitting it again.

Comment Added!

Your comment has been added to this post. Please refresh this page to view it.

Optional. If added, we will display a link to the website in your comment.
Optional. Never shared or displayed in your comment.