Xymon Mailing List Archive search

SSL/TLS cert monitoring

list Vernon Everett
Sat, 2 Sep 2023 14:53:30 +0800
Message-Id: <user-bf7eb8fb8687@xymon.invalid>

It took a bit of faffing about, but it all came back to me. Eventually. :-)

Here it is, if it's of any use to you.
And if you spot any bugs, please give me a shout.

#!/bin/bash

export PATH=/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
export CERT_DIR='/etc/pki/tls/certs'
export EPOCH_DAY='86400'
export TODAY="$(date +%s)"
export STATUS='green'
export TEMPFILE=$BBTMP/localcert.$$

date > $TEMPFILE
# For every cert we have...
for CERT in $(find ${CERT_DIR}/*.crt)
do
  LCOL='green'
  EXPIRE=$(openssl x509 -in ${CERT} -noout -dates 2>/dev/null | awk
-F= '/^notAfter/ { print $2; exit }')
  EXP_EPOCH=`date -d"$EXPIRE" +%s`
  SECS2GO=`expr $EXP_EPOCH - $TODAY`
  DAYS2GO=`expr $SECS2GO / $EPOCH_DAY`
  if [ $DAYS2GO -le 30 -a $STATUS != "red" ]
  then
    export STATUS='yellow'
    LCOL='yellow'
  fi
  if [ $DAYS2GO -le 15 ]
  then
    export STATUS='red'
    LCOL='red'
  fi
  echo "&$LCOL Expires in $DAYS2GO days, on $EXPIRE  $CERT" >> $TEMPFILE
done
$XYMON $XYMSRV "status $MACHINE.localcerts $STATUS $(cat $TEMPFILE)"
rm $TEMPFILE 2>/dev/null


On Wed, 30 Aug 2023 at 18:21, Adam Thorn <user-f6b877930936@xymon.invalid> wrote:

On 30/08/2023 04:31, Vernon Everett wrote:
3. I have a few certs local to my client that I need to keep an eye on
too. But these are used by applications, and are not related to a web
page, so effectively I need to to keep tabs on /foo/bar/cert
Here's our perl script for doing this, though it uses a local
"SuperHobbit" perl module which manages loading config files so it's not
a case of just copy-pasting:

https://gitlab.developers.cam.ac.uk/-/snippets/238

As others have said, all that the script really does is run:

openssl x509 -in MY_CERTIFICATE.pem -noout -enddate

which'll output a single line like:

notAfter=Jul  4 23:59:59 2024 GMT

which is then parsed by perl's str2time() (other date parsing options
exist, of course. Thanks to Ralph for pointing out the -dateopt option
which I didn't know about, though unfortunately that's not available in
the version of openssl as provided by Ubuntu 20.04)

I looked quickly at reimplementing this in python using the standard
python 'crytography' package, but that started to open up cans of worms
around version dependencies and how we could make a suitable version of
the package available, so I've mentally stalled that idea for now.

Adam


-- 

"Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton

"Don't find fault. Find a remedy"
- Henry Ford