Created
November 30, 2019 22:30
-
-
Save antondollmaier/2a56b7cf1baa2f6be229276720076f2c to your computer and use it in GitHub Desktop.
Get remaining validity days of certificate
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| export PATH=${PATH}:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin | |
| TIMEOUT=29 | |
| RETVAL= | |
| # If called by zabbix, handle some things different | |
| if echo "${BASH_SOURCE}" | grep -q "zabbix" ; then | |
| # get rid of 1st parameter (on Zabbix 1.8x) | |
| # shift 1 | |
| # Change TimeOut value to the one in /etc/zabbix/zabbix_server.conf | |
| ZABBIX_TIMEOUT=`grep -i '^Timeout' /etc/zabbix/zabbix_server.conf 2>/dev/null | awk -F= '{print $2}' | tr -cd '0-9'` | |
| if [ -z "${ZABBIX_TIMEOUT}" ] ; then | |
| TIMEOUT=3 | |
| else | |
| # Let's take 1 second less than the one in /etc/zabbix/zabbix_server.conf and just hope to be in time | |
| TIMEOUT=$(( ${ZABBIX_TIMEOUT} - 1 )) | |
| fi | |
| fi | |
| DEBUG=${DEBUG:-0} | |
| if [ "$DEBUG" == 1 ]; then | |
| set -x | |
| fi | |
| # Zabbix 2.0 sends parameters quoted, where < 1.9 sends them unquoted | |
| # This way it works on both | |
| HOST=`echo "$*" | awk '{print $1}'` | |
| PORT=`echo "$*" | awk '{print $2}'` | |
| SCRATCH=`mktemp` | |
| [ -z "${HOST}" ] && exit 1 | |
| [ -z "${PORT}" ] && PORT=443 | |
| # openssl is able to check plain smtp/pop3/ftp/imap connections | |
| # that use TLS to setup a secure connection | |
| TLS= | |
| echo "x${PORT}x" | egrep -q 'x(443|8443)x' && TLS="-servername ${HOST}" | |
| echo "x${PORT}x" | egrep -q 'x(25|587)x' && TLS="-crlf -starttls smtp" | |
| echo "x${PORT}x" | egrep -q 'x110x' && TLS="-starttls pop3" | |
| echo "x${PORT}x" | egrep -q 'x21x' && TLS="-starttls ftp" | |
| echo "x${PORT}x" | egrep -q 'x143x' && TLS="-starttls imap" | |
| # Retrieve Certificate in background because it doesn't support TimeOuts | |
| # exec 2>/dev/null doesn't seem to be necessary if called this way.... | |
| echo "" | openssl s_client -connect ${HOST}:${PORT} ${TLS} 2>/dev/null >${SCRATCH} & | |
| sleep .1 | |
| # double the TIMEOUT and wait for half a second each time | |
| let TIMEOUT*=2 | |
| # Wait for certificate | |
| n=1 | |
| while [ ! -s ${SCRATCH} ] ; do | |
| sleep .48 | |
| [ $n -ge ${TIMEOUT} ] && break | |
| let n++ | |
| done | |
| # If we have retrieved the certificate, we'll process it and retrieve the expiration date | |
| if [ -s ${SCRATCH} ] ; then | |
| EXPIRE_DATE=`sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' ${SCRATCH} | openssl x509 -enddate -noout 2>/dev/null | sed 's/notAfter\=//'` | |
| if [ ! -z "${EXPIRE_DATE}" ]; then | |
| EXPIRE_SECS=`date -d "${EXPIRE_DATE}" +%s` | |
| EXPIRE_TIME=$(( ${EXPIRE_SECS} - `date +%s` )) | |
| # We finally have it... | |
| RETVAL=$(( ${EXPIRE_TIME} / 24 / 3600 )) | |
| fi | |
| else | |
| # Too late you lazy bastard, I might as well kill you... | |
| kill -9 %1 2>/dev/null | |
| fi | |
| rm -f ${SCRATCH} 2>/dev/null | |
| echo ${RETVAL} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment