Check your SSL Certificate validity for free with GitHub


I stand for shorter SSL certificate lifespans.

A recent vote taken by all the tech giants that assert complete and utter dominance over all of us online unanimously agreed that we need to reduce the life expectancy of SSL certificates. As much of a pain in the ass as this is, I am a huge fan. Let me tell you why:

We’ve used public key cryptography to prove identity, establish trust and prove legitimacy of websites since the 70s. We use public key cryptography when we SSH into the production server while we’re on holiday at the beach and the boss needs to fix a typo. We use it to sign an email when we want to prove that we wrote it. We use it to encrypt those files that we don’t want anyone to ever see immediately after we clear our browser history. And most commonly we are aware of it when the pesky browser tells us that we’re visiting an insecure site, a warning that we end up bypassing - the SSL certificate.

The SSL certificate’s primary role is to keep all data going between you and the server it is installed on encrypted. It is the reason why you type in the same password with reckless abandon when you register on every site online. If there was no SSL certificate, then anyone eavesdropping on your network, or on the network that the website is on, could see your username and password. Anyway, the SSL certificate will move from a maximum validity period of 398 days all the way down to 47 days. This will take place in the period between March 2026 and March 2029.

This announcement, coupled with Let’s Encrypt’s announcement that they will no longer send email reminders to renew your certificate, made me meander into action. I didn’t want to sign up and use a third party service so I wrote a little command line utility to check the validity of my SSL certificates. I called it expirybot and I was pleased. I wanted to just stick this into one of my server crontabs and be done with it, but then I got creative. How about, rather than solving just my problem, I make this a bit more accessible, I thought. I therefore decided to make a GitHub Action which anyone could fork and use for their own domains. Thus was born the SSL Cert Checker GitHub workflow. I know right? The skill with which I name my projects beggars belief.

To monitor when your SSL certs need to be renewed, fork the repo (if you don’t mind having your monitored domains visible publicly) or just clone and push to a new private repo of yours to keep away those prying eyes. Then edit the domains.txt file in the repo, put in all the domains with SSL certificates that you want to monitor, and push to your repo. The GitHub Action will run every day at 8am UTC. You can also trigger the action yourself manually. The format of domains.txt is just one domain to monitor on each line. Optionally, you can add a comma and a number after the domain. This number is a threshold number of days. If your certificate has fewer days left before it expires than the threshold, then you will get an alert. The default for this is 14 days. When a threshold is triggered, the action will create an Issue on the repo. If you subscribe to notifications, then you will get an email alert for the issue creation and then you have a full on, unattended SSL certificate validity checker for absolutely free.
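A sketch of the check described above, added here as an illustration and not the code of expirybot or the workflow: it parses the domains.txt format, reads the certificate's notAfter date over a verified TLS connection, and applies the threshold. The function names and the sample domains are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

DEFAULT_THRESHOLD_DAYS = 14  # default stated in the post

def parse_domains(text):
    """Parse domains.txt content: 'domain' or 'domain,threshold' per line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        domain, _, threshold = line.partition(",")
        days = int(threshold) if threshold.strip() else DEFAULT_THRESHOLD_DAYS
        entries.append((domain.strip().lower(), days))
    return entries

def days_left(not_after, now):
    """Whole days between `now` and a certificate's notAfter string."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - now).days

def needs_alert(not_after, threshold_days, now):
    """True when fewer than threshold_days remain (expired certs included)."""
    return days_left(not_after, now) < threshold_days

def fetch_not_after(domain, port=443, timeout=10):
    """Fetch notAfter from the live server; chain and hostname are verified."""
    ctx = ssl.create_default_context()
    with socket.create_connection((domain, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    sample = "example.com\nexample.org,30\n"  # constructed stand-in for domains.txt
    now = datetime.now(timezone.utc)
    for domain, threshold in parse_domains(sample):
        try:
            not_after = fetch_not_after(domain)
        except (OSError, ssl.SSLError) as exc:
            # An already expired or untrusted cert fails the handshake: alert too.
            print(f"{domain}: ALERT, TLS check failed: {exc}")
            continue
        state = "ALERT" if needs_alert(not_after, threshold, now) else "ok"
        print(f"{domain}: {state}, {days_left(not_after, now)} days left")
```

Because the connection verifies the chain, a certificate that has already expired surfaces as a handshake failure, not as a negative day count, so the failure branch has to raise an alert as well.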

You can obviously change the notification mechanism (I personally use the free tier of Mailgun/Sinch to send me an email directly) to email you directly, send a Slack message, etc. Whatever floats your boat. Do write to me and let me know the most creative ways you get your notifications. If I particularly like yours and you happen to be in Singapore, I’ll buy you a beer.