summaryrefslogtreecommitdiff
path: root/patches/source/openssl/certwatch
diff options
context:
space:
mode:
Diffstat (limited to 'patches/source/openssl/certwatch')
-rw-r--r--patches/source/openssl/certwatch130
1 files changed, 130 insertions, 0 deletions
diff --git a/patches/source/openssl/certwatch b/patches/source/openssl/certwatch
new file mode 100644
index 00000000..d52dc3dc
--- /dev/null
+++ b/patches/source/openssl/certwatch
@@ -0,0 +1,130 @@
+#!/bin/sh
+#
+# Will check all certificates stored in $CERTDIR for their expiration date,
+# and will display (if optional "stdout" argument is given), or mail a warning
+# message to $MAILADDR (if script is executed without any parameter
+# - unattended mode suitable for cron execution) for each particular certificate
+# that is about to expire in time less to, or equal to $DAYS after this script
+# has been executed, or if it has already expired.
+# This stupid script (C) 2006,2007 Jan Rafaj
+
+########################## CONFIGURATION SECTION BEGIN #########################
+# Note: all settings are mandatory
+# Warning will be sent if a certificate expires in time <= days given here
+DAYS=7
+# E-mail address where to send warnings
+MAILADDR=root
+# Directory with certificates to check
+CERTDIR=/etc/ssl/certs
+# Directory where to keep state files if this script isnt executed with "stdout"
+STATEDIR=/var/run
+########################### CONFIGURATION SECTION END ##########################
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+DAY_IN_SECS=$((60*60*24))
+DATE_CURRENT=$(date '+%s')
+
+usage()
+{
+ echo "Usage: $0 [stdout]"
+ echo
+ echo "Detailed description and configuration is embedded within the script."
+ exit 0
+}
+
+message()
+{
+ cat << EOF
+ WARNING: certificate $certfile
+ is about to expire in time equal to or less than $DAYS days from now on,
+ or has already expired - it might be a good idea to obtain/create new one.
+
+EOF
+}
+
+message_mail()
+{
+ message
+ cat << EOF
+ NOTE: This message is being sent only once.
+
+ A lock-file
+ $STATEDIR/certwatch-mailwarning-sent-$certfilebase
+ has been created, which will prevent this script from mailing you again
+ upon its subsequent executions by crond. You dont need to care about it;
+ the file will be auto-deleted as soon as you'll prolong your certificate.
+EOF
+}
+
+unset stdout
+case $# in
+ 0) ;;
+ 1) if [ "$1" = "-h" -o "$1" == "--help" ]; then
+ usage
+ elif [ "$1" = "stdout" ]; then
+ stdout=1
+ else
+ usage
+ fi
+ ;;
+ *) usage ;;
+esac
+
+for dir in $STATEDIR $CERTDIR ; do
+ if [ ! -d $dir ]; then
+ echo "ERROR: directory $dir does not exist"
+ exit 1
+ fi
+done
+for binary in basename date find grep mail openssl touch ; do
+ if [ ! \( -x /usr/bin/$binary -o -x /bin/$binary \) ]; then
+ echo "ERROR: /usr/bin/$binary not found"
+ exit 1
+ fi
+done
+
+find $CERTDIR -type f -maxdepth 1 | while read certfile ; do
+ if [ "$certfile" != "/etc/ssl/certs/ca-certificates.crt" ]; then
+ certfilebase="$(basename "$certfile")"
+ inform=PEM
+ echo "$certfile" | grep -q -i '\.net$'
+ if [ $? -eq 0 ]; then
+ # This is based purely on filename extension, so may give false results.
+ # But lets assume noone uses NET format certs today, ok?
+ continue
+ fi
+ echo "$certfile" | grep -q -i '\.der$'
+ if [ $? -eq 0 -o "$(file "$certfile" | egrep '(ASCII|PEM)')" == "" ]; then
+ inform=DER
+ fi
+ # We wont use '-checkend' since it is not properly documented (as of
+ # OpenSSL 0.9.8e).
+ DATE_CERT_EXPIRES=$(openssl x509 -in "$certfile" -inform $inform -noout -enddate | sed 's/^notAfter=//')
+ DATE_CERT_EXPIRES=$(date -d"$DATE_CERT_EXPIRES" +%s)
+ if [ $(($DATE_CERT_EXPIRES - $DATE_CURRENT)) -le $(($DAYS * $DAY_IN_SECS)) ]
+ then
+ if [ $stdout ]; then
+ message
+ else
+ if [ ! -f $STATEDIR/certwatch-mailwarning-sent-"$certfilebase" ]; then
+ subject="$0: certificate $certfile expiration warning"
+ message_mail | mail -r "certwatch@$HOSTNAME" \
+ -s "$subject" \
+ $MAILADDR 2>/dev/null
+ # echo "Mail about expiring certificate $certfile sent to $MAILADDR."
+ # echo "If you need to send it again, please remove lock-file"
+ # echo "$STATEDIR/certwatch-mailwarning-sent-$certfilebase ."
+ # echo
+ fi
+ touch $STATEDIR/certwatch-mailwarning-sent-"$certfilebase"
+ fi
+ else
+ if [ ! $stdout ]; then
+ if [ -f $STATEDIR/certwatch-mailwarning-sent-"$certfilebase" ]; then
+ rm $STATEDIR/certwatch-mailwarning-sent-"$certfilebase"
+ fi
+ fi
+ fi
+ fi
+done
+