Add cert_status script

Displays useful informations about the existing certificates.

README.md

@@ -168,13 +168,21 @@ If you want to create test certificates that don't have the 5 certs/week/domain
 Every hour (3600 seconds) the certificates are checked and every certificate that will expire in the next [30 days](https://github.com/kuba/simp_le/blob/ecf4290c4f7863bb5427b50cdd78bc3a5df79176/simp_le.py#L72) (90 days / 3) are renewed.
 
 ##### Force certificates renewal
-
 If needed, you can force a running letsencrypt-nginx-proxy-companion container to renew all certificates that are currently in use. Replace `nginx-letsencrypt` with the name of your letsencrypt-nginx-proxy-companion container in the following command:
 
 ```bash
 $ docker exec nginx-letsencrypt /app/force_renew
 ```
 
+##### Force certificates renewal
+To display informations about your existing certificates, use the following command:
+
+```bash
+$ docker exec nginx-letsencrypt /app/cert_status
+```
+
+As for the forced renewal command, replace `nginx-letsencrypt` with the name of your letsencrypt-nginx-proxy-companion container.
+
 ##### ACME account keys
 By default the container will save the first ACME account key created for each ACME API endpoint used, and will reuse it for all subsequent authorizations and issuances requests made to this endpoint. This behavior is enabled by default to avoid running into Let's Encrypt account [rate limits](https://letsencrypt.org/docs/rate-limits/).
 

app/cert_status

@@ -0,0 +1,58 @@
+#!/bin/bash
+function print_cert_info {
+  local enddate
+  local subject
+  local san_str
+
+  # Get the wanted informations with OpenSSL.
+  issuer="$(openssl x509 -noout -issuer -in "$1" | sed -n 's/.*CN=\(.*\)/\1/p')"
+  enddate="$(openssl x509 -noout -enddate -in "$1" | sed -n 's/notAfter=\(.*$\)/\1/p')"
+  subject="$(openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN=\([a-z0-9.-]*\)/- \1/p')"
+  san_str="$(openssl x509 -text -in "$1" | grep 'DNS:')"
+
+  echo "Certificate was issued by $issuer"
+  echo "Certificate is valid until $enddate"
+  echo "Subject Name:"
+  echo "$subject"
+
+  # Display the SAN info only if there is more than one SAN domain.
+  while IFS=',' read -ra SAN; do
+      if [[ ${#SAN[@]} -gt 1 ]]; then
+          echo "Subject Alternative Name:"
+          for domain in "${SAN[@]}"; do
+              echo "$domain" | sed -n 's/.*DNS:\([a-z0-9.-]*\)/- \1/p'
+          done
+      fi
+  done <<< "$san_str"
+}
+
+echo '##### Certificate status #####'
+for cert in /etc/nginx/certs/*/fullchain.pem; do
+    [[ -e "$cert" ]] || continue
+    # Verify the certificate with OpenSSL.
+    openssl verify -CAfile "${cert%fullchain.pem}chain.pem" "$cert"
+
+    # Print certificate info.
+    print_cert_info "$cert"
+
+    # Find the .crt files in /etc/nginx/certs which are
+    # symlinks pointing to the current certificate.
+    unset symlinked_domains
+    for symlink in /etc/nginx/certs/*.crt; do
+        [[ -e "$symlink" ]] || continue
+        if [[ "$(readlink -f "$symlink")" == "$cert" ]]; then
+            domain="$(echo "${symlink%.crt}" | sed 's#/etc/nginx/certs/##g')"
+            symlinked_domains+=("$domain")
+        fi
+    done
+
+    # Display symlinks pointing to the current cert if there is any.
+    if [[ ${#symlinked_domains[@]} -gt 0 ]]; then
+        echo "Certificate is used by the following domain(s):"
+        for domain in "${symlinked_domains[@]}"; do
+          echo "- $domain"
+        done
+    fi
+
+    echo '##############################'
+done