ah ha, I see how "Require TLS for all operations" didn't get turned on for a few key servers, a good reason for the effort, now to start back tracking why it is off for some of those other systems.
Not likely surprises either, I've cronned checkcerts.pl for some clients, each once a week on two different OES boxes at different ends of the network to email the results which has been a great headache saver. that way of one box fails, I still get the other one and its warnings.
very extendable, and worth exploring for any of us. this is how I've grown my bash and perl scripting. doesn't make me a real dev, but helps in those day to day things.
Andy of KonecnyConsulting.ca in Toronto
Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.