Thursday, 19 January 2017

WebSite SSL cert. check script

There was a need to be able to check SSL certs for certain set of web services / site out of a central point without the having the actual cert.
To do this, I made use of openssl s_client functionality.

The below script takes a single parameter, the hostname:port and does the validation.
The script has 4 timing checks so it needs to be run every day to be able to catch the actual certificate expiration time.
Once it detects an expiring cert, it will send out an email given that sendmail is configured on the server that runs it.

[root@Beren check_certs]# cat check_certs.sh
#set -x

Check_CERTs ()
{
TARGET="$1"
TEST_DATE31=`date "+%b %e %T %Y %Z" -d "+31 day" |tr -s " "|cut -d" " -f1,2,4`
TEST_DATE21=`date "+%b %e %T %Y %Z" -d "+21 day" |tr -s " "|cut -d" " -f1,2,4`
TEST_DATE11=`date "+%b %e %T %Y %Z" -d "+11 day" |tr -s " "|cut -d" " -f1,2,4`
TEST_DATE03=`date "+%b %e %T %Y %Z" -d "+3 day" |tr -s " "|cut -d" " -f1,2,4`

SSL_TEST_CMD=" echo |openssl s_client -connect ${TARGET} 2>/dev/null|openssl x509 -inform pem -noout -text |grep \"Not After :\" |
cut -d\":\" -f2-|tr -s \" \"|cut -d\" \" -f2,3,5"

SSL_EXP_DATE=`bash -c "${SSL_TEST_CMD}"`

##SSL_EXP_DATE="Feb 9 2017"

echo $SSL_EXP_DATE

if [ "$SSL_EXP_DATE" == "$TEST_DATE31" ]
then
    echo "31 days left"
elif [ "$SSL_EXP_DATE" == "$TEST_DATE21" ]
then
        echo "21 days left"
elif [ "$SSL_EXP_DATE" == "$TEST_DATE11" ]
then
        echo "11 days left"
elif [ "$SSL_EXP_DATE" == "$TEST_DATE03" ]
then
        echo "3 days left"
fi
 

#End of the shell function.
}


#Main code:

CERT_TIME=`Check_CERTs "${1}"|grep left`

if [ -n "$CERT_TIME" ]
then

echo "Sending Email"

/usr/sbin/sendmail.sendmail -i -t << ENDL
From: "Script Cert Alert"
To: <sherif.abdelfattah@live.com>
Subject: CERT Expiration WaRNing

Please check the SSL Certs installed on ${1} !!
The certificate is about to expire !!
${CERT_TIME}


Please take action ASAP.

ENDL

fi
[root@Beren check_certs]#

The script uses Linux gnu date, that can take a time string using -d option, also we make use of the %e which uses space padded days of the month similar to OpenSSL command date format.
Also note the use of the "echo |openssl" construct, this prevents openssl command from waiting for further input thus, we can run it from a script.


Wednesday, 11 January 2017

A simple script to check Redis Cluster

Below is a simple script around the redis-cli tool that aims to give info about a replica cluster and to identify the redis master node.
This can be a simple fast check for redis.

Below is the script:

[redis@feanor]$ cat check_redis.sh
echo " "
REDIS_BIN=.
echo "Getting Master Info from Sentinel"

MASTER_IP=`$REDIS_BIN/redis-cli -p 9000 info sentinel | grep "master0:name=mymaster"|cut -d"," -f3|cut -d"=" -f2|cut -d":" -f1`
MASTER_PORT=`$REDIS_BIN/redis-cli -p 9000 info sentinel | grep "master0:name=mymaster"|cut -d"," -f3|cut -d"=" -f2|cut -d":" -f2`
MASTER_STATUS=`$REDIS_BIN/redis-cli -p 9000 info sentinel | grep "master0:name=mymaster"|cut -d"," -f2|cut -d"=" -f2`
MASTER_HOSTNAME=`nslookup $MASTER_IP|grep "name = " |cut -d"=" -f2`

echo "Master IP is: $MASTER_IP"
echo "Master Port is: $MASTER_PORT"
echo "Master Hostname is: $MASTER_HOSTNAME"
echo "Master Status is:  $MASTER_STATUS"
echo " "
echo "Replication info from Master:"
$REDIS_BIN/redis-cli -h $MASTER_IP -p $MASTER_PORT info replication
[redis@feanor]$


In this case Redis-server runs on port 7000 and Redis-Sentinel on port 9000.

I have allowed the script to extract the port form sentinel output as at times we have more than one Redis instance running on the same VM, thus using same IP but different port.