Created
February 26, 2022 10:02
-
-
Save Rillke/0b2a6a8553cb45a0062a7bf63fe9f24f to your computer and use it in GitHub Desktop.
Check a leaf SSL server certificate presented by a specified host on a specified port.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| set -euo pipefail | |
| if [ -z "${1+x}" ] || [ -z "${2+x}" ] | |
| then | |
| echo "Check a leaf ssl server certificate presented by a specified host" | |
| echo "on a specified port." | |
| echo "Expect exit code 0 upon success, non-zero otherwise." | |
| echo "" | |
| echo "Checks that" | |
| echo " - the server is reachable" | |
| echo " - the certificate presented is valid for the host and purpose" | |
| echo " - the certificate won't expire within 1 month" | |
| echo "" | |
| echo "Usage:" | |
| echo " $0 host port" | |
| echo "" | |
| echo "Example:" | |
| echo " $0 example.com 443 [CA_File]" | |
| exit | |
| fi | |
| tmp=/tmp | |
| ccr=cert-chain-resolver | |
| tools=('wget' 'sha512sum' 'tar' 'gzip' 'openssl') | |
| server="$1" | |
| port="$2" | |
| ca_file="${3:-/etc/ssl/certs/ca-certificates.crt}" | |
| echo "Checking if required tools are installed ..." | |
| for t in "${tools[@]}" | |
| do | |
| echo -n "$t ..." | |
| if command -v "$t" &> /dev/null | |
| then | |
| echo " ok" | |
| else | |
| echo " MISSING" | |
| exit 1 | |
| fi | |
| done | |
| echo -n "CA File $ca_file ..." | |
| if [ -f "$ca_file" ] | |
| then | |
| echo " ok" | |
| else | |
| echo " MISSING" | |
| exit 1 | |
| fi | |
| function cleanup { | |
| rm -f $tmp/cert-chain-resolver.tgz.sha512 | |
| rm -f $tmp/cert-chain-resolver.tgz | |
| rm -f "$tmp/$server.pem" | |
| rm -f "$tmp/$server.chain.pem" | |
| sleep 1 | |
| } | |
| trap cleanup EXIT | |
| if ! command -v "$ccr" &> /dev/null | |
| then | |
| echo "$ccr could not be found in PATH, using local version" | |
| ccr="./$ccr" | |
| fi | |
| if ! command -v "$ccr" &> /dev/null | |
| then | |
| echo "$ccr could not be found. Downloading from GitHub." | |
| echo "Writing expected file hash ..." | |
| echo "b7ecba37536cd678b6611b5637087801e9ce957ac6b2de62e9d206fba68aedfa1c036a1856db232ec739e40b31610d3bbf8bc810ff6a9e2244b44334d7086a8c $tmp/cert-chain-resolver.tgz" > "$tmp/cert-chain-resolver.tgz.sha512" | |
| echo "Downloading ..." | |
| wget -O "$tmp/cert-chain-resolver.tgz" 'https://github.com/zakjan/cert-chain-resolver/releases/download/1.0.1/cert-chain-resolver_linux_amd64.tar.gz' | |
| echo "Verifying Download ..." | |
| sha512sum --check --status "$tmp/cert-chain-resolver.tgz.sha512" | |
| echo "Extracting ..." | |
| tar xf "$tmp/cert-chain-resolver.tgz" --strip-components 1 | |
| chmod +x cert-chain-resolver | |
| fi | |
| echo "Downloading Certificate ..." | |
| openssl s_client -showcerts -connect "$server:$port" </dev/null 2>/dev/null|openssl x509 -outform PEM >"$tmp/$server.pem" | |
| echo "Obtaining the Certificate Chain ..." | |
| "$ccr" --version | |
| "$ccr" --intermediate-only --output "$tmp/$server.chain.pem" "$tmp/$server.pem" | |
| echo "Verifying certificate ..." | |
| openssl verify -verbose -show_chain -verify_hostname "$server" -purpose 'sslserver' -CAfile "$ca_file" -untrusted "$tmp/$server.chain.pem" "$tmp/$server.pem" | |
| echo "Checking that certificate won't expire within one month ..." | |
| openssl x509 -checkend 2592000 -noout -in "$tmp/$server.pem" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Note that a proper web server should also send the intermediate certificates, not just the leaf certs. This is for a web server we trust not to be compromised.