How to Verify DNS and SSL After a Cutover in GitHub Actions
A cutover can point DNS at the new release but leave TLS misconfigured, so verify both name resolution and certificate validity before trusting the endpoint.
Use dig to confirm the record resolves to the expected target and openssl s_client to check the certificate is valid and not expiring soon.
Steps
- Resolve the hostname with
dig +shortand check the expected target. - Fetch the leaf certificate with
openssl s_client. - Assert the cert is not expiring within your threshold.
Workflow
.github/workflows/ci.yml
- name: Verify DNS and TLS
env: { HOST: app.example.com }
run: |
dig +short "$HOST" | tee /tmp/dns
test -s /tmp/dns || { echo "DNS did not resolve"; exit 1; }
END=$(echo | openssl s_client -servername "$HOST" -connect "$HOST:443" 2>/dev/null \
| openssl x509 -noout -enddate | cut -d= -f2)
echo "cert expires: $END"
if ! openssl s_client -servername "$HOST" -connect "$HOST:443" </dev/null 2>/dev/null \
| openssl x509 -noout -checkend 604800; then
echo "cert expires within 7 days"; exit 1
fiGotchas
- DNS TTL means propagation lags; poll
digrather than checking once right after the change. openssl x509 -checkend <seconds>returns non-zero when the cert expires within that window.
Related guides
How to Verify a Blue-Green Cutover in GitHub ActionsVerify the green environment in GitHub Actions before switching traffic in a blue-green deploy, then confirm…
How to Verify a CDN Cache Was Purged After Deploy in GitHub ActionsVerify a CDN cache purge took effect after a deploy in GitHub Actions by checking cache headers and asset has…