Free SSL Certificate Expiry Checker for Solo Devs

As a solo developer, you wear many hats. You're the architect, the coder, the QA engineer, the DevOps guru, and often, the customer support department. With so much on your plate, it’s easy for something seemingly minor like an SSL/TLS certificate expiry to slip through the cracks. But when it does, it's never minor. Your site goes down, users see scary browser warnings, trust erodes, and your carefully built reputation takes a hit.

The good news is that you don't need a massive budget to keep an eye on your certificates. There are several free options available, ranging from quick manual checks to DIY automated scripts. While dedicated monitoring services offer unparalleled reliability and features, understanding these free alternatives is crucial for any solo dev looking to maintain uptime without breaking the bank. Let's dive into how you can keep your certificates fresh.

Why Bother with Expiry Monitoring? (Even for Solo Devs)

You might think, "It's just my small project, who cares?" But even for solo endeavors, an expired certificate can be catastrophic:

  • Downtime and User Trust: When a certificate expires, browsers refuse to connect securely, displaying alarming warnings like "Your connection is not private." Most users will bail immediately, assuming your site is compromised or unprofessional.
  • SEO Impact: Search engines like Google prioritize secure sites. An expired certificate can temporarily hurt your search rankings, making it harder for new users to find you.
  • Service Interruptions: Beyond just websites, certificates secure APIs, internal services, VPNs, and more. An expired certificate on a backend service can bring your entire application to a halt.
  • Lost Revenue: If your project involves any form of e-commerce or paid services, an expired certificate directly translates to lost sales and frustrated customers.
  • Mental Overhead: The scramble to fix an expired certificate is stressful and takes away from valuable development time. Proactive monitoring turns a potential crisis into a non-event.

Especially with the proliferation of Let's Encrypt certificates, which expire every 90 days, the renewal cycle is much shorter than the old 1-2 year standard, making automated monitoring even more critical.

Command-Line Tools: Your First Line of Defense

For a quick, on-the-spot check, your terminal is your best friend. These tools are installed on most Linux/macOS systems and are invaluable for diagnosing certificate issues.

Using openssl s_client for Direct Checks

The openssl command-line utility is the Swiss Army knife for anything crypto-related. You can use it to connect to a server and extract certificate details, including the expiry date.

Here's how you can check the expiry of a public website:

openssl s_client -servername certfly.io -connect certfly.io:443 < /dev/null 2>/dev/null | openssl x509 -noout -enddate

Let's break that down:

  • openssl s_client: Initiates an SSL/TLS client connection.
  • -servername certfly.io: Specifies the Server Name Indication (SNI). This is crucial when a server hosts multiple domains with different certificates.
  • -connect certfly.io:443: Connects to the host certfly.io on port 443 (the standard HTTPS port).
  • < /dev/null 2>/dev/null: Gives s_client an empty standard input, so it exits after the handshake instead of waiting for you to type, and redirects standard error to /dev/null to keep the output clean, as s_client tends to be very verbose.
  • | openssl x509 -noout -enddate: Pipes the certificate output to openssl x509, which then extracts just the "notAfter" (expiry) date.

The output will look something like this:

notAfter=Dec 12 11:39:56 2024 GMT

Pitfalls of openssl s_client:

  • Manual Execution: You have to run this command yourself for each certificate you want to check.
  • Single Endpoint: It only checks the certificate presented by the specific host and port you connect to. If you have multiple subdomains or services, you need to run it for each.
  • Parsing Required: While it gives you the date, determining "days remaining" requires additional scripting to parse the date string and compare it to the current date.
  • Limited Scope: It doesn't tell you about the entire certificate chain, revocation status, or other deeper issues.
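The "Parsing Required" and "Single Endpoint" pitfalls can be closed with a short script. This is an added example, not code from the original article: it uses Python's standard ssl module in place of openssl s_client, and the function names and the 14-day warning threshold are assumptions.

```python
import socket
import ssl
import time

WARN_DAYS = 14  # assumed alert threshold, not taken from the article


def days_remaining(not_after, now=None):
    """Whole days until a notAfter string such as 'Dec 12 11:39:56 2024 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // 86400)  # floors, so any past date is negative


def classify(days, warn_days=WARN_DAYS):
    if days < 0:
        return "EXPIRED"
    return "WARN" if days <= warn_days else "OK"


def fetch_not_after(host, port=443, timeout=5.0):
    """Return notAfter of the leaf certificate served for `host` (SNI is sent)."""
    ctx = ssl.create_default_context()  # full chain and hostname verification
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check(endpoints, now=None):
    """Check every (host, port); never raise, so one bad host cannot hide the rest."""
    results = []
    for host, port in endpoints:
        try:
            days = days_remaining(fetch_not_after(host, port), now)
            results.append((host, port, classify(days), days))
        except ssl.SSLCertVerificationError as exc:
            # An already-expired or untrusted certificate fails the handshake itself.
            results.append((host, port, "INVALID", exc.verify_message))
        except OSError as exc:
            results.append((host, port, "UNREACHABLE", str(exc)))
    return results


if __name__ == "__main__":
    for row in check([("certfly.io", 443)]):
        print(*row)
```

Run it from cron and alert on any row whose status is not OK; an INVALID row means the handshake was rejected, which is what your visitors' browsers would also do.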

Checking Let's Encrypt Certificates with certbot

If you're using Certbot (the most common client for Let's Encrypt) to manage your certificates, it has a built-in command to list all certificates it manages and their expiry dates.

sudo certbot certificates

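This command will output a list of all the certificates managed by this specific Certbot installation, including their names, domains, and expiry dates. Note that it reads the certificate files on disk; it does not tell you which certificate your web server is actually presenting, so a server that was not reloaded after a renewal can still be serving the old one.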

Example output:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2024-03-20 10:30:00+00:00 (VALID: 29 days)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
  Certificate Name: api.example.com
    Domains: api.example.com
    Expiry Date: 2024-04-15 12:00:00+00:00 (VALID: 65 days)
    Certificate Path: /etc/letsencrypt/live/api.example.com/fullchain.pem