Created
January 24, 2021 02:51
-
-
Save BlackthornYugen/62fa358f79d9e7248e997ccbeaf11472 to your computer and use it in GitHub Desktop.
Send email if a server isn't using the latest certificate.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env bash | |
set -e | |
DAYS_BEFORE_EMAIL=21 | |
TO_ADDR="Joe <joe@example.com>" | |
BCC_ADDR="Demo <demo@example.com>" | |
find ~/.acme.sh -name '*cer' | tee certs_to_check.txt | |
# usage $0 {NEW_CERT} {OLD_CERT} | |
function email() { | |
CERT_NAME="`basename $1`" | |
CERT_EXPIRE_DATE="`openssl x509 -in $2 -enddate -noout | sed 's/notAfter=//' | date --file=-`" | |
CERT_DAYS_UNTIL_EXPIRE=$(( ($(date --date="${CERT_EXPIRE_DATE}" +%s) - $(date +%s) ) / 60 / 60 / 24 )) | |
CERT_PEM="`openssl x509 -text -in $1`" | |
printf "To: %s \nBcc: %s \nSubject: %s expires in %s days. \nContent-Type: text/html \n" "$TO_ADDR" "$BCC_ADDR" "$CERT_NAME" "$CERT_DAYS_UNTIL_EXPIRE" | |
printf "<h1>%s</h1>\n\n" "$CERT_NAME" | |
printf "%s will expire on %s. See below for the latest certifiate for this domain issued on server: \n\n<pre>\n%s\n</pre>" "$CERT_NAME" "$CERT_EXPIRE_DATE" "$CERT_PEM" | |
printf "<h1>Certificate Status</h1><p>The following is the status of all renewals on %s for %s.</p>\n<pre>%s</pre>" "`hostname --fqdn`" "$USER" "`~/.acme.sh/acme.sh list`" | |
} | |
while read CERT_FILE | |
do | |
SERVER_NAME=`basename $CERT_FILE` | |
printf "Checking to see if %s will expire in the next %s days... " "${SERVER_NAME}" "$DAYS_BEFORE_EMAIL" | |
openssl s_client -servername ${SERVER_NAME} -connect ${SERVER_NAME}:443 < /dev/null 2> /dev/null | tee ${SERVER_NAME}.current.pem | \ | |
openssl x509 -noout -checkend $((60 * 60 * 24 * ${DAYS_BEFORE_EMAIL})) || email $CERT_FILE ${SERVER_NAME}.current.pem | tee last-mail-${SERVER_NAME}.txt | sendmail -t | |
sleep 0.3 | |
done < certs_to_check.txt | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I am using acme.sh to generate certs. Here's what an example email looks like, I've set to 90 days notice for testing and added it to my crontab to run daily.