@BlackthornYugen
Created January 24, 2021 02:51
Send email if a server isn't using the latest certificate.
#!/usr/bin/env bash
# Checks the certificate each server actually presents on :443 and emails when it
# expires within DAYS_BEFORE_EMAIL days, including the freshly renewed local cert.
set -e
DAYS_BEFORE_EMAIL=21
TO_ADDR="Joe <joe@example.com>"
BCC_ADDR="Demo <demo@example.com>"
# acme.sh stores each domain's leaf cert as ~/.acme.sh/<domain>/<domain>.cer;
# ca.cer and fullchain.cer sit beside it and are not server names, so skip them.
find ~/.acme.sh -name '*.cer' -not -name 'ca.cer' -not -name 'fullchain.cer' | tee certs_to_check.txt
# usage: email {NEW_CERT} {OLD_CERT} -- prints a complete message (headers, blank line, HTML body)
function email() {
  CERT_NAME="$(basename "$1")"
  CERT_EXPIRE_DATE="$(openssl x509 -in "$2" -enddate -noout | sed 's/notAfter=//' | date --file=-)"
  CERT_DAYS_UNTIL_EXPIRE=$(( ($(date --date="${CERT_EXPIRE_DATE}" +%s) - $(date +%s)) / 60 / 60 / 24 ))
  CERT_PEM="$(openssl x509 -text -in "$1")"
  # headers must be separated from the body by an empty line for sendmail -t to parse them
  printf "To: %s\nBcc: %s\nSubject: %s expires in %s days.\nContent-Type: text/html\n\n" \
    "$TO_ADDR" "$BCC_ADDR" "$CERT_NAME" "$CERT_DAYS_UNTIL_EXPIRE"
  printf "<h1>%s</h1>\n\n" "$CERT_NAME"
  printf "%s will expire on %s. See below for the latest certificate for this domain issued on server: \n\n<pre>\n%s\n</pre>" \
    "$CERT_NAME" "$CERT_EXPIRE_DATE" "$CERT_PEM"
  printf "<h1>Certificate Status</h1><p>The following is the status of all renewals on %s for %s.</p>\n<pre>%s</pre>" \
    "$(hostname --fqdn)" "$USER" "$(~/.acme.sh/acme.sh list)"
}
while read -r CERT_FILE
do
  SERVER_NAME="$(basename "$CERT_FILE" .cer)"   # <domain>.cer -> <domain>
  printf "Checking to see if %s will expire in the next %s days... " "${SERVER_NAME}" "$DAYS_BEFORE_EMAIL"
  # Fetch the cert the server is really serving (with SNI), keep a copy, and fall through
  # to email when it expires within the window or could not be fetched at all.
  openssl s_client -servername "${SERVER_NAME}" -connect "${SERVER_NAME}:443" < /dev/null 2> /dev/null | tee "${SERVER_NAME}.current.pem" | \
    openssl x509 -noout -checkend $((60 * 60 * 24 * DAYS_BEFORE_EMAIL)) \
    || email "$CERT_FILE" "${SERVER_NAME}.current.pem" | tee "last-mail-${SERVER_NAME}.txt" | sendmail -t
  sleep 0.3
done < certs_to_check.txt
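The script above only tests the expiry of whatever the server presents; "isn't using the latest certificate" also needs a comparison with the renewed local file. The following is an added example, not part of the gist, that does both: it compares the served leaf certificate with the local acme.sh file by SHA-256 fingerprint and reports stale / expiring / current. Hostnames, file paths and port 443 are assumptions; like the original it relies on openssl and GNU date.

```shell
#!/usr/bin/env bash
# Added example (not from the gist): compare the certificate a server presents
# with the locally renewed one by fingerprint, and report days until expiry.
set -eu

# fingerprint_of FILE -> SHA-256 fingerprint of a PEM certificate (colon-separated hex)
fingerprint_of() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# days_until_expiry FILE -> whole days until notAfter (negative once expired); GNU date
days_until_expiry() {
  local not_after
  not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  echo $(( ($(date --date="$not_after" +%s) - $(date +%s)) / 86400 ))
}

# certs_match LOCAL SERVED -> exit 0 when both files hold the same certificate
certs_match() {
  [ "$(fingerprint_of "$1")" = "$(fingerprint_of "$2")" ]
}

# classify LOCAL SERVED THRESHOLD_DAYS -> prints stale | expiring | current
classify() {
  if ! certs_match "$1" "$2"; then
    echo stale          # server is not serving the renewed certificate
  elif [ "$(days_until_expiry "$2")" -le "$3" ]; then
    echo expiring       # served cert matches but is within the notice window
  else
    echo current
  fi
}

# fetch_served_cert HOST OUT_FILE -> saves the leaf certificate presented on HOST:443 (assumed port)
fetch_served_cert() {
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$2"
}

# check_server HOST LOCAL_CERT THRESHOLD_DAYS -> prints "HOST: status (N days left)"
check_server() {
  local served
  served=$(mktemp)
  fetch_served_cert "$1" "$served"
  printf '%s: %s (%s days left)\n' "$1" "$(classify "$2" "$served" "$3")" \
    "$(days_until_expiry "$served")"
  rm -f "$served"
}
```

A cron job can call `check_server example.com ~/.acme.sh/example.com/example.com.cer 21` per domain and mail only the lines that are not `current`.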
@BlackthornYugen
Author

I am using acme.sh to generate certs. Here's what an example email looks like; I've set it to 90 days' notice for testing and added it to my crontab to run daily.

[screenshot: cert]
