summaryrefslogtreecommitdiff
path: root/source/n/openssl/certwatch
blob: d52dc3dc4a1a3cfa871ef5b288552086892d7ed8 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
#!/bin/sh
#
# Will check all certificates stored in $CERTDIR for their expiration date,
# and will display (if optional "stdout" argument is given), or mail a warning
# message to $MAILADDR (if script is executed without any parameter
# - unattended mode suitable for cron execution) for each particular certificate
# that is about to expire in time less to, or equal to $DAYS after this script
# has been executed, or if it has already expired.
# This stupid script (C) 2006,2007 Jan Rafaj

########################## CONFIGURATION SECTION BEGIN #########################
# Note: all settings are mandatory
# Warning will be sent if a certificate expires in time <= days given here
DAYS=7
# E-mail address where to send warnings
MAILADDR=root
# Directory with certificates to check
CERTDIR=/etc/ssl/certs
# Directory where to keep state files if this script isnt executed with "stdout"
STATEDIR=/var/run
########################### CONFIGURATION SECTION END ##########################

PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAY_IN_SECS=$((60*60*24))
DATE_CURRENT=$(date '+%s')

usage()
{
  echo "Usage: $0 [stdout]"
  echo
  echo "Detailed description and configuration is embedded within the script."
  exit 0
}

message()
{
  cat << EOF
    WARNING: certificate $certfile
    is about to expire in time equal to or less than $DAYS days from now on,
    or has already expired - it might be a good idea to obtain/create new one.

EOF
}

message_mail()
{
  message
  cat << EOF
    NOTE: This message is being sent only once.

    A lock-file
    $STATEDIR/certwatch-mailwarning-sent-$certfilebase
    has been created, which will prevent this script from mailing you again
    upon its subsequent executions by crond. You dont need to care about it;
    the file will be auto-deleted as soon as you'll prolong your certificate.
EOF
}

unset stdout
case $# in
  0) ;;
  1) if   [ "$1" = "-h" -o "$1" == "--help" ]; then
       usage
     elif [ "$1" = "stdout" ]; then
       stdout=1
     else
       usage
     fi
     ;;
  *) usage ;;
esac

for dir in $STATEDIR $CERTDIR ; do
  if [ ! -d $dir ]; then
    echo "ERROR: directory $dir does not exist"
    exit 1
  fi
done
for binary in basename date find grep mail openssl touch ; do
  if [ ! \( -x /usr/bin/$binary -o -x /bin/$binary \) ]; then
    echo "ERROR: /usr/bin/$binary not found"
    exit 1
  fi
done

find $CERTDIR -type f -maxdepth 1 | while read certfile ; do
  if [ "$certfile" != "/etc/ssl/certs/ca-certificates.crt" ]; then
  certfilebase="$(basename "$certfile")"
  inform=PEM
  echo "$certfile" | grep -q -i '\.net$'
  if [ $? -eq 0 ]; then
    # This is based purely on filename extension, so may give false results.
    # But lets assume noone uses NET format certs today, ok?
    continue
  fi
  echo "$certfile" | grep -q -i '\.der$'
  if [ $? -eq 0 -o "$(file "$certfile" | egrep '(ASCII|PEM)')" == "" ]; then
    inform=DER
  fi
  # We wont use '-checkend' since it is not properly documented (as of
  # OpenSSL 0.9.8e).
  DATE_CERT_EXPIRES=$(openssl x509 -in "$certfile" -inform $inform -noout -enddate | sed 's/^notAfter=//')
  DATE_CERT_EXPIRES=$(date -d"$DATE_CERT_EXPIRES" +%s)
  if [ $(($DATE_CERT_EXPIRES - $DATE_CURRENT)) -le $(($DAYS * $DAY_IN_SECS)) ]
  then
    if [ $stdout ]; then
      message
    else
      if [ ! -f $STATEDIR/certwatch-mailwarning-sent-"$certfilebase" ]; then
        subject="$0: certificate $certfile expiration warning"
        message_mail | mail -r "certwatch@$HOSTNAME" \
                            -s "$subject" \
                            $MAILADDR 2>/dev/null
        # echo "Mail about expiring certificate $certfile sent to $MAILADDR."
        # echo "If you need to send it again, please remove lock-file"
        # echo "$STATEDIR/certwatch-mailwarning-sent-$certfilebase ."
        # echo
      fi
      touch $STATEDIR/certwatch-mailwarning-sent-"$certfilebase"
    fi
  else
    if [ ! $stdout ]; then
      if [ -f $STATEDIR/certwatch-mailwarning-sent-"$certfilebase" ]; then
        rm $STATEDIR/certwatch-mailwarning-sent-"$certfilebase"
      fi
    fi
  fi
  fi
done