W dniu 2017-09-13 o 22:11, Viktor Dukhovni pisze: >> On Sep 13, 2017, at 3:43 PM, Łukasz Wąsikowski <luk...@wasikowski.net> wrote: >> >>> See below for OpenSSL 1.0.2 or later. Earlier versions don't >>> have the "-verify_hostname" option, you can delete it if you >>> like, and omit that part of the certificate check, in which >>> case the code will also work for OpenSSL 1.0.1 and earlier >>> (which are EOL). >> >> https://github.com/matteocorti/check_ssl_cert works great. I'm using it >> to check my local / remote HTTP/SMTP/IMAP certificate expiry dates. > > That's certainly a lot more features. I can't easily verify that > all the checks are correct in a script of that size, so caveat > emptor. > > Its expiration time verification is based in parsing certificate > dates rather than asking "openssl verify" to do a future verification. > This is less robust, because it can miss expiration of intermediate > certificates, when they happen to expire before the leaf certificate > (perhaps a failure to install the most recent intermediate issuer). > > My short script certainly won't come close to matching that Swiss- > army-knife on features, but it may do the one thing that it does > more correctly.
I've sent link to this thread to check_ssl_cert author, I hope your advice will find a way to check_ssl_cert. -- best regards, Lukasz Wasikowski
