Skip to content
Latchkey

How to Verify DNS and SSL After a Cutover in GitHub Actions

A cutover can point DNS at the new release but leave TLS misconfigured, so verify both name resolution and certificate validity before trusting the endpoint.

Use dig to confirm the record resolves to the expected target and openssl s_client to check the certificate is valid and not expiring soon.

Steps

  • Resolve the hostname with dig +short and check the expected target.
  • Fetch the leaf certificate with openssl s_client.
  • Assert the cert is not expiring within your threshold.

Workflow

.github/workflows/ci.yml
- name: Verify DNS and TLS
  env: { HOST: app.example.com }
  run: |
    dig +short "$HOST" | tee /tmp/dns
    test -s /tmp/dns || { echo "DNS did not resolve"; exit 1; }
    END=$(echo | openssl s_client -servername "$HOST" -connect "$HOST:443" 2>/dev/null \
      | openssl x509 -noout -enddate | cut -d= -f2)
    echo "cert expires: $END"
    if ! openssl s_client -servername "$HOST" -connect "$HOST:443" </dev/null 2>/dev/null \
      | openssl x509 -noout -checkend 604800; then
      echo "cert expires within 7 days"; exit 1
    fi

Gotchas

  • DNS TTL means propagation lags; poll dig rather than checking once right after the change.
  • openssl x509 -checkend <seconds> returns non-zero when the cert expires within that window.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →