Closed
Labels
issue: bug report
Description
According to the documentation openssl x509 -checkend should exit with a non-zero exit code if the certificate is about to expire. With openssl 3.6 this is no longer true:
```
openssl x509 -enddate -checkend $(expr 180 \* 86400) -in $CERT && echo 'no expire'
notAfter=Nov 14 23:59:59 2025 GMT
Certificate will expire
no expire
```
With openssl 3.5 (Debian 13, same certificate):
```
openssl x509 -enddate -checkend $(expr 180 \* 86400) -in $CERT && echo 'no expire'
notAfter=Nov 14 23:59:59 2025 GMT
Certificate will expire
```
It looks like this was introduced in commit dca67c0 (APPS/x509: add -multi option for outputting all certs found in input). After checking the expiration and setting the return code, a jump to end_cert_loop occurs where the return code is reset to 0 (line 1134).
Maybe -checkend shouldn't be usable together with -multi at all? Then this would be easy to fix by jumping to end instead.
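
For monitoring or renewal scripts that gate on this check, one way to avoid trusting the exit status alone is to cross-check it against the message `openssl x509 -checkend` prints, and to fail closed when the two disagree or no message is found. This is an added example, not code from the issue or from the OpenSSL project; the function names `checkend_verdict` and `cert_expires_check` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue or the OpenSSL project).
# Decide certificate expiry from BOTH the exit status and the message text of
# `openssl x509 -checkend`, so a build that wrongly exits 0 cannot turn an
# expiring certificate into a pass.

# checkend_verdict STATUS OUTPUT   (hypothetical helper name)
# Returns: 0 = will not expire, 1 = will expire, 2 = could not determine.
checkend_verdict() {
    status=$1
    output=$2
    case $output in
        *"Certificate will expire"*)
            # The message is authoritative even when the status is 0
            # (the behaviour reported above for openssl 3.6).
            return 1 ;;
        *"Certificate will not expire"*)
            # Message says the certificate is fine; a non-zero status here
            # means something else went wrong, so do not report a pass.
            [ "$status" -eq 0 ] && return 0
            return 2 ;;
        *)
            # No recognisable message (bad file, parse error, changed
            # wording): fail closed instead of assuming the cert is valid.
            return 2 ;;
    esac
}

# cert_expires_check CERT_FILE DAYS   (hypothetical wrapper name)
# Example: cert_expires_check /path/to/cert.pem 180
cert_expires_check() {
    cert=$1
    seconds=$(( $2 * 86400 ))
    output=$(openssl x509 -checkend "$seconds" -noout -in "$cert" 2>&1)
    status=$?
    checkend_verdict "$status" "$output"
}
```

Callers should treat any non-zero result from `cert_expires_check` as "act now": 1 means the certificate expires within the window, 2 means the check itself could not be trusted.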