Finding an expired certificate

I had a strange issue today regarding a particular expired certificate on a webserver. The problem was that the server in question was an nginx reverse proxy that proxied many domains and contained many hundreds of certificates. For various, um, “technical reasons”, I could not locate the exact cert that was bad. I only knew that one of them was. Normally the default .crt (which was causing the issue in this case) should be the first loaded nginx host. For one reason or another I still could not find it. I did know the date (it expired in September). Here is how I found it:

find / -type f -name "*.crt" -print -exec openssl x509 -enddate -in {} -noout \; | grep 'Sep' 

I shouldn’t have had to search / – the entire server and all attached volumes – but in this case I was a bit desperate. Note that the command line above actually hides (due to the grep for the date) the filename in question. Once I knew I had found a match I removed the pipe into grep, viewed all the results with less and found the problem.
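
An added example (not from the original post): a shell function that keeps the filename next to each expiry date and uses openssl's -checkend option to select certificates that have already expired or will expire within a given number of seconds. The function name expiring_certs and the tab-separated output layout are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not the original author's command.
# Usage: expiring_certs DIR [SECONDS]
#   SECONDS=0 (default) lists certificates that are already expired;
#   SECONDS=2592000 lists those expiring within the next 30 days.
# Output: "<notAfter date><TAB><path>", one line per matching certificate.
# Note: for a bundle file, openssl x509 only inspects the first certificate.
expiring_certs() {
    dir=$1
    window=${2:-0}
    find "$dir" -type f -name '*.crt' 2>/dev/null | while IFS= read -r crt; do
        # Files that are not parseable PEM certificates are flagged, not skipped
        # silently, so a corrupt .crt does not hide from the search.
        if ! enddate=$(openssl x509 -in "$crt" -noout -enddate 2>/dev/null); then
            printf 'UNREADABLE\t%s\n' "$crt"
            continue
        fi
        # -checkend N exits non-zero when the certificate expires within N seconds.
        if ! openssl x509 -in "$crt" -noout -checkend "$window" >/dev/null 2>&1; then
            printf '%s\t%s\n' "${enddate#notAfter=}" "$crt"
        fi
    done
}
```

Pointing it at the nginx certificate directory first, and widening to / only if that finds nothing, avoids walking every attached volume.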

Related tip that may have brought you here: Nagios will not check SNI for SSL domains unless you add "--sni domain.com" to the check_http line.
