Thursday 19 January 2017

WebSite SSL cert. check script

There was a need to check the SSL certificates of a certain set of web services and sites from a central point, without having the actual certificate files.
To do this, I made use of the openssl s_client functionality.

The script below takes a single parameter, hostname:port, and does the validation.
The script has 4 timing checks (31, 21, 11 and 3 days before expiry), each matching on the exact date, so it needs to be run every day to be able to catch the actual certificate expiration time.
Once it detects an expiring cert, it sends out an email, provided that sendmail is configured on the server that runs it.

[root@Beren check_certs]# cat check_certs.sh
#!/bin/bash
#set -x

Check_CERTs ()
{
TARGET="$1"

# Dates 31, 21, 11 and 3 days from now, reduced to "Mon D YYYY" (for example "Feb 9 2017").
# -u keeps the comparison in UTC, because the certificate's Not After field is in GMT.
TEST_DATE31=`date -u "+%b %e %T %Y %Z" -d "+31 day" |tr -s " "|cut -d" " -f1,2,4`
TEST_DATE21=`date -u "+%b %e %T %Y %Z" -d "+21 day" |tr -s " "|cut -d" " -f1,2,4`
TEST_DATE11=`date -u "+%b %e %T %Y %Z" -d "+11 day" |tr -s " "|cut -d" " -f1,2,4`
TEST_DATE03=`date -u "+%b %e %T %Y %Z" -d "+3 day" |tr -s " "|cut -d" " -f1,2,4`

# Read the server certificate and reduce its "Not After" line to the same "Mon D YYYY" form.
# The pipeline is run directly rather than through bash -c, so the target argument is never re-parsed as shell code.
SSL_EXP_DATE=`echo |openssl s_client -connect "${TARGET}" 2>/dev/null|openssl x509 -inform pem -noout -text |grep "Not After :" |
cut -d":" -f2-|tr -s " "|cut -d" " -f2,3,5`

##SSL_EXP_DATE="Feb 9 2017"

echo "$SSL_EXP_DATE"

# Only an exact match on one of the four dates prints a "... left" line.
if [ "$SSL_EXP_DATE" == "$TEST_DATE31" ]
then
    echo "31 days left"
elif [ "$SSL_EXP_DATE" == "$TEST_DATE21" ]
then
    echo "21 days left"
elif [ "$SSL_EXP_DATE" == "$TEST_DATE11" ]
then
    echo "11 days left"
elif [ "$SSL_EXP_DATE" == "$TEST_DATE03" ]
then
    echo "3 days left"
fi

#End of the shell function.
}


#Main code:

CERT_TIME=`Check_CERTs "${1}"|grep left`

if [ -n "$CERT_TIME" ]
then

echo "Sending Email"

/usr/sbin/sendmail.sendmail -i -t << ENDL
From: "Script Cert Alert"
To: <sherif.abdelfattah@live.com>
Subject: CERT Expiration WaRNing

Please check the SSL Certs installed on ${1} !!
The certificate is about to expire !!
${CERT_TIME}


Please take action ASAP.

ENDL

fi
[root@Beren check_certs]#

The script uses GNU date on Linux, which accepts a time string through the -d option. It also uses the %e format, which gives space-padded days of the month, the same as the date format the OpenSSL command prints.
Also note the "echo | openssl" construct: it prevents the openssl command from waiting for further input, so we can run it from a script.
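
Because the script only alerts when the expiry date exactly equals today plus 31, 21, 11 or 3 days, a missed daily run skips that warning. The following added example (not the original script) generalizes the check: it converts the notAfter value to epoch seconds in UTC and reports the tightest threshold already crossed. The function names, the -servername (SNI) option and the sample date in the usage are assumptions for illustration, and GNU date is required.

```shell
#!/bin/bash
# Added example (not the original script): threshold-based expiry check.

# Print the notAfter field of the certificate served at host:port,
# e.g. "Feb  9 12:00:00 2017 GMT". Assumes openssl is installed.
fetch_not_after () {
    local target="$1"
    echo | openssl s_client -connect "$target" -servername "${target%%:*}" 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2
}

# Print whole days (rounded down) from "now" to notAfter; negative once expired.
# $1 = notAfter string, $2 = optional "now" in epoch seconds (used for testing).
days_left () {
    local not_after="$1" now="${2:-$(date -u +%s)}" end secs days
    # GNU date parses an empty string as "today", so reject it explicitly:
    # it means the connection or the certificate parse failed.
    [ -n "$not_after" ] || return 2
    end=$(date -u -d "$not_after" +%s 2>/dev/null) || return 2
    secs=$(( end - now ))
    days=$(( secs / 86400 ))
    # Shell division truncates toward zero; round down for negative values.
    if [ $(( secs % 86400 )) -lt 0 ]; then days=$(( days - 1 )); fi
    echo "$days"
}

# Map the remaining days to the tightest of the page's thresholds (3/11/21/31).
alert_band () {
    local days t
    days=$(days_left "$@") || { echo "CHECK FAILED"; return 2; }
    if [ "$days" -lt 0 ]; then echo "EXPIRED"; return 0; fi
    for t in 3 11 21 31; do
        if [ "$days" -le "$t" ]; then echo "$t days or less left"; return 0; fi
    done
    echo "OK"
}

# Run against a live target only when one is given on the command line.
if [ "$#" -ge 1 ]; then
    echo "$1: $(alert_band "$(fetch_not_after "$1")")"
fi
```

A failed connection prints "CHECK FAILED" instead of staying silent, so an unreachable host is not mistaken for a healthy certificate.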

