How do I check when a Database's SSL certificate expires?

Retrieving information about a Database’s SSL certificate can be accomplished using the same tools that you’d use to retrieve any website’s certificate from the command line. The main difference is how you connect to the Database since, unlike websites, it’s not publicly accessible over the internet.

The simplest way to connect to the Database is to create a Database Tunnel from your local computer. Then you can use an SSL client such as openssl to retrieve the certificate.

For Redis Database tunnels, SSL must be explicitly enabled by setting the tunnel’s --type to redis+ssl, e.g.:

aptible db:tunnel $DB_HANDLE --type redis+ssl

The following openssl command should work for all Database types except MySQL and PostgreSQL.

echo | openssl s_client -connect localhost.aptible.in:$TUNNEL_PORT 2>/dev/null | openssl x509 -noout -dates

This will print something along the lines of:

notBefore=Jan 27 00:00:00 2018 GMT
notAfter=Feb  2 23:59:59 2021 GMT
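
To turn that output into an alert, the following threshold check can be piped onto the command above. It is an added example, not part of the original page: it assumes GNU date (for date -d), and the function names and SAMPLE_DATES variable are hypothetical. Empty input, such as when no tunnel is open, is reported as unknown rather than OK.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Assumes GNU date (date -d).
# Function names and SAMPLE_DATES are hypothetical.

# Read `openssl x509 -noout -dates` output on stdin and print notAfter as
# epoch seconds. Returns 2 when no notAfter line is present, e.g. when the
# tunnel is not open and s_client returned no certificate.
cert_expiry_epoch() {
  local not_after
  not_after="$(sed -n 's/^notAfter=//p' | head -n 1)"
  [ -n "$not_after" ] || return 2
  date -u -d "$not_after" +%s 2>/dev/null || return 2
}

# Usage: <dates output> | check_cert_expiry WARN_DAYS [NOW_EPOCH]
# Returns 0 = OK, 1 = expired or inside the warning window, 2 = unknown.
check_cert_expiry() {
  local warn_days="$1" now="${2:-$(date -u +%s)}" expiry left
  if ! expiry="$(cert_expiry_epoch)"; then
    echo "UNKNOWN: no certificate dates in input"
    return 2
  fi
  left=$(( expiry - now ))
  if [ "$left" -le 0 ]; then
    echo "EXPIRED: certificate expired $(( (now - expiry) / 86400 )) day(s) ago"
    return 1
  elif [ "$left" -lt $(( warn_days * 86400 )) ]; then
    echo "WARNING: certificate expires in $(( left / 86400 )) day(s)"
    return 1
  fi
  echo "OK: certificate expires in $(( left / 86400 )) day(s)"
}

# Constructed sample input: the -dates output shown above.
SAMPLE_DATES='notBefore=Jan 27 00:00:00 2018 GMT
notAfter=Feb  2 23:59:59 2021 GMT'

# Against a live tunnel, with $TUNNEL_PORT taken from aptible db:tunnel:
#   echo | openssl s_client -connect localhost.aptible.in:$TUNNEL_PORT 2>/dev/null \
#     | openssl x509 -noout -dates 2>/dev/null | check_cert_expiry 30
```

The non-zero return codes let a cron job or monitoring agent distinguish an expiring certificate (1) from a check that could not read any certificate (2).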

MySQL and PostgreSQL handle encryption in a way that openssl does not support by default, so the above method cannot be used. However, unlike other Database types, Databases of these two types generate a new certificate whenever they are reloaded or restarted. This certificate is valid for several years, so there is very little chance that the certificate will expire before the Database is restarted.