Simple Bash-based HTTPS cert expiration checker to monitor things and send me emails.

pkiaudit.sh

#!/usr/bin/env bash

THRESH_DAYS="7"
EMAIL=""

rm -f /home/jobs/scripts/pkiaudit.tmp

/etc/nopehq-configs/pki/tools/valid_audit.sh -s -t $THRESH_DAYS -i /etc/nopehq-configs/pki/tools/audit.ignore -d /etc/nopehq-configs/dns/nopeHQ-lan.hosts >/home/jobs/scripts/pkiaudit.tmp

NUM_WARNS=$(cat /home/jobs/scripts/pkiaudit.tmp | wc -l)

if [[ $NUM_WARNS == 0 ]];
then
  rm -f /home/jobs/scripts/pkiaudit.tmp
  exit 0
fi

echo "
This is the PKI audit system at NOPE HQ.

The following hosts are presenting certificates that have either expired, or will expire within the next $THRESH_DAYS days:

`cat /home/jobs/scripts/pkiaudit.tmp`

Please regenerate these at your earliest convenience.


Best regards,
NOPE Nanomachines


[generated: `hostname` `date`]
" | mailx -s 'NOPE PKI Audit Notice' $EMAIL


rm -f /home/jobs/scripts/pkiaudit.tmp

valid_audit.sh

#!/usr/bin/env bash 

# valid_audit.sh v0.1 - Charlton Trezevant
# Accepts a dnsmasq host db file as an argument, and attempts to 
# connect to each host in the file to retrieve certificate issue/expiry
# dates

DISPLAY_EXP_ONLY=0
EXP_THRESH=1000000
HOSTS_DB=""
HOSTS_TLD=".nhq"
HOSTS_IGNORE=""
SIMPLIFY_OUTPUT=0

main() {
  if [[ $HOSTS_DB == "" ]];
  then
    show_help
    exit 0
  fi

  for SERVER in $(cat $HOSTS_DB | grep $HOSTS_TLD | cut -d ' ' -f2 | cut -d ' ' -f1)
  do

    if [[ $HOSTS_IGNORE != "" ]];
    then
      grep $SERVER "$HOSTS_IGNORE" 2>/dev/null 1>/dev/null
      if [[ $? -eq 0 ]];
      then
        continue
      fi
    fi

    CERTINF=$(timeout --preserve-status -k 2 2 bash -c "echo | openssl s_client -servername $SERVER -connect $SERVER:443 2>/dev/null | openssl x509 -noout -dates 2>/dev/null")
    if [[ $? != 0 ]];
    then
      continue
    fi

    ISSUE_DATE=$(echo $CERTINF | grep notBefore | cut -d '=' -f2 | rev | cut -d ' ' -f2-6 | rev)
    EXP_DATE=$(echo $CERTINF | grep notAfter | rev | cut -d '=' -f1 | rev)
    
    # gnu coreutils date cmd
    EXP_TS=$(date -d "$EXP_DATE" +"%s" 2>/dev/null)
    if [[ $? != 0 ]];
    then
      # macOS/BSD date cmd
      EXP_TS=$(date -j -u -f "%b %d %T %Y %Z" "$EXP_DATE" "+%s")
    fi

    VALID_DAYS_LEFT=$((($EXP_TS - $(date +%s) )/(60*60*24)))

    CERT_STATUS="$VALID_DAYS_LEFT days remaining"
    if [[ $VALID_DAYS_LEFT -le 0 ]];
    then
      CERT_STATUS="EXPIRED"
    fi

    if [[ $VALID_DAYS_LEFT -gt 0 && DISPLAY_EXP_ONLY -eq 1 ]];
    then
      continue
    fi

    if [[ $VALID_DAYS_LEFT -gt $EXP_THRESH ]];
    then
      continue
    fi
 
    if [[ $SIMPLIFY_OUTPUT == 1 ]];
    then
      echo $SERVER:$CERT_STATUS
      continue
    fi

    echo $SERVER
    echo -e "\tIssued: $ISSUE_DATE"
    echo -e "\tExpires: $EXP_DATE ($CERT_STATUS)"
    echo ""
  done
}

show_help() {
  echo "$0 -d [path to hosts db (dnsmasq)] [-x show expired certs only] [-t cert expiry threshold (in days)] [-s simple output (hostname:status)] [-i ignored host blacklist]"
}

while getopts "d:xst:i:" opt; do
    case "$opt" in
    h)
        show_help
        exit 0
        ;;
    x)  DISPLAY_EXP_ONLY=1
        ;;
    t)  EXP_THRESH=$OPTARG
        ;;
    d)  HOSTS_DB=$OPTARG
        ;;
    s)  SIMPLIFY_OUTPUT=1
        ;;
    i)  HOSTS_IGNORE=$OPTARG
        ;;
    esac
done

main