
Bug#647939: RFP: certwatch -- generate SSL certificate expiry warnings



On 05/02/13 10:23, Joachim Breitner wrote:
> Hi,
> 
> today I was thinking about implementing a similar tool, and uploading it
> to Debian. I'd do a few things differently:
>  * I'd simply process all certificates found in /etc, i.e. every file
> called .pem or .crt that seems to be an SSL certificate. This way, certs
> used by mail and jabber servers are also found.
>  * I’d send a report only if any cert is about to expire, but in that
> case, send one mail containing every cert that is about to expire;
> likely several certs expire together. And just for good measure, the
> report would include the times to expiration for all found certs, to
> give the admin a better overview of what certs are there (and what certs
> are found).
>  * I’d include a nagios-check-compatible invocation as well.
>  * I’d not run a daily check for things that expire in a month; weekly
> sounds more useful here.
> 
> If these would be added to certwatch I’d be interested in maintaining
> them for Debian.
> 
> Greetings,
> Joachim
> 

I have a shell script that I have been using for a while on my servers
with success.

I drop it into /etc/cron.weekly and configure the directories to scan and
the mail address to send the notifications to.

It just checks the certificates that are going to expire in the next 30
days (with openssl) and sends a warning.


I attach it here, just in case you or anybody else finds it useful.


Regards!
#! /bin/bash
#
# Designed to be run weekly and send mail reports for certificates going
# to expire in the next 30 days. Certificates that have already expired
# are not reported: the check only covers the window from now to 30 days.
#
# Configure the variables mailto, includedirs and excludedirs and drop
# it into /etc/cron.weekly
#
# Needs GNU date (for "date -d") and the openssl command line tool.
# Paths containing whitespace are not supported by the find/eval loop.
#
# -- Carlos Alberto Lopez Perez <clopez@igalia.com>
#
#
set -o noclobber
# Where to send warnings
mailto="root"
# Directories to search for certificates
includedirs=("/etc/ssl/certs"  "/etc/openvpn")
# Subdirectories to exclude
excludedirs=("/etc/openvpn/ssl/newcerts")

# _mail TAG MESSAGE...: send MESSAGE to ${mailto}. If mail fails, print the
# message to stdout (so cron delivers it) and abort.
_mail () {
	tag=${1}
	shift 1

	echo -e "${@}" |\
		mail -s "[${tag}] Certificate Expiration Notice on $(hostname)" \
			"${mailto}"

	if [[ $? -ne 0 ]]; then
		# Print a warning for cron.
		echo "FATAL ERROR sending mail. Script ${0} on host $(hostname)"
		echo "Message was ::"
		echo -e "${@}"
		exit 1
	fi
}

# Print the configured include directories that exist, as find arguments.
_include ()  {
	for idir in "${includedirs[@]}"; do
		[[ -d "${idir}" ]] && echo -n "${idir} "
	done
}

# Print "! -path DIR*" for every exclude directory that exists, as find arguments.
_exclude ()  {
	for edir in "${excludedirs[@]}"; do
		[[ -d "${edir}" ]] && echo -n "! -path '${edir}*' "
	done
}

for file in $(eval find $(_include) $(_exclude) ! -type d); do
	if [[ -L "${file}" ]]; then
		# If the file is a symbolic link to another file in the same directory
		# (e.g. the hash links in /etc/ssl/certs) we skip it, so the same
		# certificate is not reported twice.
		readlink "${file}" | grep -q '/' || continue
	fi
	# Check that it is a valid certificate
	if file -bL "${file}" | grep -q "PEM certificate" || grep -q "BEGIN CERTIFICATE" "${file}"; then
		# "notAfter=Mar  3 12:00:00 2025 GMT" -> "Mar  3 12:00:00 2025 GMT"
		expiredate=$(openssl x509 -noout -enddate -in "${file}" 2>/dev/null | cut -d= -f2-)
		if ! echo "${expiredate}" | grep -E -q '\w{3} [ :0-9]{11} [._[:alnum:]-]+'; then
			_mail "ERROR" "Unable to parse date: \"${expiredate}\" on file ${file}"
			continue
		fi
		expireepoch=$(date +%s -d "${expiredate}")
		# Start warning 30 days before expiry (done in arithmetic rather than
		# by asking date to parse "... GMT - 30 days").
		warningepoch=$(( expireepoch - 30 * 86400 ))
		todayepoch=$(date +%s)
		# Warn while inside the 30 day window and the certificate is still valid.
		if [[ ${todayepoch} -ge ${warningepoch} ]] && [[ ${expireepoch} -ge ${todayepoch} ]]; then
			_mail "WARNING" \
				"The following certificate is going to expire: \n\n" \
					"Certificate: ${file}\n" \
					"Expiration: ${expiredate}\n" \
					"Left: $(( (expireepoch - todayepoch) / 86400 )) days\n"
		fi
	fi
done

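As an added example, neither Carlos's script above nor anything from the certwatch package: the consolidated, nagios-check-compatible variant that Joachim describes (scan *.pem/*.crt under given paths, one report listing every certificate, soonest expiry first, exit code usable from Nagios/Icinga or cron). It assumes GNU date ("date -d"), the openssl CLI and GNU readlink, as the original script does. The function names, the -w/-c options and their 30/7 day defaults, and the CERTCHECK_NOW override (which fixes "now" so the check can be tested without waiting for a certificate to expire) are this example's own choices.

```bash
#!/bin/bash
# Added example: consolidated, Nagios-style certificate expiry check.
# Assumes GNU date ("date -d"), GNU readlink and the openssl CLI.
# CERTCHECK_NOW (epoch seconds) overrides the current time, for testing.

# notAfter of a PEM certificate as epoch seconds; fails if openssl cannot parse it.
cert_expiry_epoch() {
    local enddate
    enddate=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null) || return 1
    date -d "${enddate#notAfter=}" +%s
}

# Whole days until expiry (truncated towards zero; negative once expired).
cert_days_left() {
    local exp now
    exp=$(cert_expiry_epoch "$1") || return 1
    now=${CERTCHECK_NOW:-$(date +%s)}
    echo $(( (exp - now) / 86400 ))
}

# *.pem and *.crt files under the given paths that contain a certificate block,
# following symlinks and deduplicating by real path (so the hash links in
# /etc/ssl/certs are reported once). Keys or DH parameters in .pem files are skipped.
find_certs() {
    find -L "$@" -type f \( -name '*.pem' -o -name '*.crt' \) -print 2>/dev/null |
        while IFS= read -r f; do readlink -f -- "$f"; done | sort -u |
        while IFS= read -r f; do
            if grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then printf '%s\n' "$f"; fi
        done
}

# check_certs WARN_DAYS CRIT_DAYS PATH...: print a Nagios summary line plus one
# line per certificate, soonest expiry first; return 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
check_certs() {
    local warn_days=$1 crit_days=$2
    shift 2
    local now=${CERTCHECK_NOW:-$(date +%s)}
    local list lines file exp left label
    local state=0 total=0 nwarn=0 ncrit=0 nunk=0
    list=$(mktemp) && lines=$(mktemp) || return 3
    find_certs "$@" > "$list"
    while IFS= read -r file; do
        total=$((total + 1))
        if ! exp=$(cert_expiry_epoch "$file"); then
            nunk=$((nunk + 1))
            if [ "$state" -eq 0 ]; then state=3; fi   # UNKNOWN never masks WARNING/CRITICAL
            printf 'UNKNOWN  %6s       %s (not a parsable certificate)\n' '?' "$file" >> "$lines"
            continue
        fi
        left=$((exp - now))
        if [ "$left" -le 0 ]; then
            label=EXPIRED;  ncrit=$((ncrit + 1)); state=2
        elif [ "$left" -lt $((crit_days * 86400)) ]; then
            label=CRITICAL; ncrit=$((ncrit + 1)); state=2
        elif [ "$left" -lt $((warn_days * 86400)) ]; then
            label=WARNING;  nwarn=$((nwarn + 1))
            if [ "$state" -ne 2 ]; then state=1; fi
        else
            label=OK
        fi
        printf '%-8s %6d days  %s\n' "$label" "$((left / 86400))" "$file" >> "$lines"
    done < "$list"
    if [ "$total" -eq 0 ]; then
        echo "CERTS UNKNOWN - no certificates found under: $*"
        rm -f "$list" "$lines"
        return 3
    fi
    case $state in
        0) echo "CERTS OK - $total certificate(s), none expire within $warn_days days" ;;
        1) echo "CERTS WARNING - $nwarn of $total certificate(s) expire within $warn_days days" ;;
        2) echo "CERTS CRITICAL - $ncrit of $total certificate(s) expired or expire within $crit_days days" ;;
        3) echo "CERTS UNKNOWN - $nunk of $total file(s) could not be parsed" ;;
    esac
    sort -k2,2n "$lines"     # negative (expired) and small day counts first
    rm -f "$list" "$lines"
    return "$state"
}

# Command line: check_certs.sh [-w DAYS] [-c DAYS] PATH...   (defaults: -w 30 -c 7)
main() {
    local warn=30 crit=7 opt
    while getopts 'w:c:' opt; do
        case $opt in
            w) warn=$OPTARG ;;
            c) crit=$OPTARG ;;
            *) echo "usage: $0 [-w DAYS] [-c DAYS] PATH..." >&2; return 3 ;;
        esac
    done
    shift $((OPTIND - 1))
    if [ "$#" -eq 0 ]; then echo "usage: $0 [-w DAYS] [-c DAYS] PATH..." >&2; return 3; fi
    check_certs "$warn" "$crit" "$@"
}

# Run only when invoked with arguments; sourcing (or running bare) just defines the functions.
[ "$#" -eq 0 ] || { main "$@"; exit $?; }
```

From /etc/cron.weekly the report is mailed only when something needs attention, e.g. `out=$(/usr/local/sbin/check_certs.sh /etc/ssl/certs /etc/openvpn) || printf '%s\n' "$out" | mail -s "[certs] $(hostname)" root`; from Nagios or Icinga the same script is called directly and its exit status becomes the service state. If a plain yes/no per file is enough, `openssl x509 -checkend 2592000 -noout -in FILE` exits non-zero when the certificate expires within 30 days and avoids parsing dates at all.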