ops: add gitea tls handoff and expiry check

scripts/verify/README.md

@@ -39,6 +39,7 @@ One-line install (Debian/Ubuntu): `sudo apt install -y sshpass rsync dnsutils ip
 - `check-deployer-balance-blockscout-vs-rpc.sh` - Compare deployer native balance from Blockscout API vs RPC (to verify index matches current chain); see [EXPLORER_AND_BLOCKSCAN_REFERENCE](../../docs/11-references/EXPLORER_AND_BLOCKSCAN_REFERENCE.md)
 - `check-dependencies.sh` - Verify required tools (bash, curl, jq, openssl, ssh)
 - `check-cluster-besu-inventory.sh` - Cluster-wide Besu inventory audit using `pvesh /cluster/resources` via a Proxmox cluster node so host placement on `r630-03` / `r630-04` is not missed. Prints VMID, type, node, status, name, IP, canonical-vs-extra classification, and any missing canonical VMIDs. Use `--json` for machine-readable output.
+- `check-gitea-certificate-expiry.sh` - Read-only TLS expiry check for `gitea.d-bis.org` (or another host passed as arg). Exits `0` when outside the warning window, `1` when within `WARN_DAYS` (default `14`), and `2` on expiry or probe failure.
 - `check-pnpm-workspace-lockfile.sh` - Ensures every path in `pnpm-workspace.yaml` has an `importer` in `pnpm-lock.yaml` (run `pnpm install` at root if it fails; avoids broken `pnpm outdated -r`)
 - `export-cloudflare-dns-records.sh` - Export Cloudflare DNS records
 - `export-npmplus-config.sh` - Export NPMplus proxy hosts and certificates via API

scripts/verify/check-gitea-certificate-expiry.sh

@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+HOST="${1:-gitea.d-bis.org}"
+PORT="${PORT:-443}"
+WARN_DAYS="${WARN_DAYS:-14}"
+TIMEOUT_SECS="${TIMEOUT_SECS:-15}"
+
+if ! [[ "$WARN_DAYS" =~ ^[0-9]+$ ]]; then
+  echo "ERROR: WARN_DAYS must be an integer, got: $WARN_DAYS" >&2
+  exit 2
+fi
+
+if ! command -v openssl >/dev/null 2>&1; then
+  echo "ERROR: openssl is required" >&2
+  exit 2
+fi
+
+if ! command -v python3 >/dev/null 2>&1; then
+  echo "ERROR: python3 is required" >&2
+  exit 2
+fi
+
+echo "Checking TLS certificate expiry for ${HOST}:${PORT}"
+
+cert_text="$(
+  timeout "$TIMEOUT_SECS" openssl s_client -servername "$HOST" -connect "${HOST}:${PORT}" </dev/null 2>/dev/null \
+    | openssl x509 -noout -issuer -subject -dates
+)"
+
+if [[ -z "$cert_text" ]]; then
+  echo "ERROR: could not read certificate from ${HOST}:${PORT}" >&2
+  exit 2
+fi
+
+not_after="$(printf '%s\n' "$cert_text" | sed -n 's/^notAfter=//p')"
+issuer="$(printf '%s\n' "$cert_text" | sed -n 's/^issuer=//p')"
+subject="$(printf '%s\n' "$cert_text" | sed -n 's/^subject=//p')"
+
+if [[ -z "$not_after" ]]; then
+  echo "ERROR: certificate did not include notAfter" >&2
+  exit 2
+fi
+
+days_left="$(
+  python3 - "$not_after" <<'PY'
+import sys
+from datetime import datetime, timezone
+
+not_after = sys.argv[1].strip()
+expiry = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
+now = datetime.now(timezone.utc)
+delta = expiry - now
+print(delta.total_seconds() / 86400)
+PY
+)"
+
+days_left_int="$(python3 - "$days_left" <<'PY'
+import math
+import sys
+
+print(math.floor(float(sys.argv[1])))
+PY
+)"
+
+echo "Issuer:  ${issuer}"
+echo "Subject: ${subject}"
+echo "Expiry:  ${not_after}"
+echo "Days left: ${days_left_int}"
+
+if (( days_left_int < 0 )); then
+  echo "CRITICAL: certificate for ${HOST} already expired" >&2
+  exit 2
+fi
+
+if (( days_left_int < WARN_DAYS )); then
+  echo "WARNING: certificate for ${HOST} expires in fewer than ${WARN_DAYS} days" >&2
+  exit 1
+fi
+
+echo "OK: certificate expiry is outside the ${WARN_DAYS}-day warning window"