Simple Bash-based HTTPS cert expiration checker to monitor things and send me emails.
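#!/usr/bin/env bash
# Cron wrapper around valid_audit.sh: runs the PKI audit in simple-output
# mode and e-mails the report when any host presents a certificate that is
# expired or expires within THRESH_DAYS. Exits 0 silently when nothing is
# due; diagnostics go to stderr so cron can forward them.
set -u

THRESH_DAYS="7"
EMAIL=""
AUDIT_SCRIPT="/etc/nopehq-configs/pki/tools/valid_audit.sh"
AUDIT_IGNORE="/etc/nopehq-configs/pki/tools/audit.ignore"
HOSTS_DB="/etc/nopehq-configs/dns/nopeHQ-lan.hosts"

# Per-run temp file with an unpredictable name, removed on every exit path
# (the fixed pkiaudit.tmp name was reused across runs and needed three rm -f's).
REPORT=$(mktemp) || exit 1
trap 'rm -f -- "$REPORT"' EXIT

# An audit that fails to run must not look like "nothing to report".
if ! "$AUDIT_SCRIPT" -s -t "$THRESH_DAYS" -i "$AUDIT_IGNORE" -d "$HOSTS_DB" >"$REPORT"; then
  printf 'pkiaudit: %s failed; no notice sent\n' "$AUDIT_SCRIPT" >&2
  exit 1
fi

# Simple output is one "hostname:status" line per host needing attention.
NUM_WARNS=$(wc -l <"$REPORT")
if (( NUM_WARNS == 0 )); then
  exit 0
fi

# mailx with an empty recipient would drop the notice; say so loudly instead.
if [[ -z "$EMAIL" ]]; then
  printf 'pkiaudit: EMAIL is not set; %s host(s) need attention but no notice was sent\n' "$NUM_WARNS" >&2
  exit 1
fi

mailx -s 'NOPE PKI Audit Notice' "$EMAIL" <<EOF

This is the PKI audit system at NOPE HQ.
The following hosts are presenting certificates that have either expired, or will expire within the next $THRESH_DAYS days:
$(cat "$REPORT")
Please regenerate these at your earliest convenience.
Best regards,
NOPE Nanomachines
[generated: $(hostname) $(date)]
EOF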
#!/usr/bin/env bash
# valid_audit.sh v0.1 - Charlton Trezevant
# Accepts a dnsmasq host db file as an argument, and attempts to
# connect to each host in the file to retrieve certificate issue/expiry
# dates
# Defaults for the command-line options parsed below (see show_help).
HOSTS_DB=""            # -d: dnsmasq hosts db to walk (required)
HOSTS_IGNORE=""        # -i: file of hostnames to skip
HOSTS_TLD=".nhq"       # only hosts db lines containing this are audited
EXP_THRESH=1000000     # -t: report certs expiring within this many days
DISPLAY_EXP_ONLY=0     # -x: report expired certs only
SIMPLIFY_OUTPUT=0      # -s: one "hostname:status" line per host
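#######################################
# Walk every hosts-db line containing HOSTS_TLD, fetch the TLS certificate
# of the line's first hostname on port 443 and report its issue/expiry dates.
# Globals:   HOSTS_DB, HOSTS_TLD, HOSTS_IGNORE, EXP_THRESH,
#            DISPLAY_EXP_ONLY, SIMPLIFY_OUTPUT (all read)
# Outputs:   one report per host on stdout; parse problems on stderr
# Returns:   0; exits 0 via show_help when HOSTS_DB is empty
#######################################
main() {
  local line server cert_info issue_date exp_date exp_ts days_left cert_status now

  if [[ -z "$HOSTS_DB" ]]; then
    show_help
    exit 0
  fi

  now=$(date +%s)

  # dnsmasq hosts db lines look like "<ip> <hostname> [aliases...]"; the
  # unquoted $(cat ...) word-split loop is replaced by a line reader so
  # odd whitespace or a missing trailing newline cannot drop or merge hosts.
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ "$line" == *"$HOSTS_TLD"* ]] || continue
    read -r _ server _ <<<"$line"
    [[ -n "$server" ]] || continue

    # Ignore list is matched as a fixed string, not as a regex.
    if [[ -n "$HOSTS_IGNORE" ]] && grep -qF -- "$server" "$HOSTS_IGNORE" 2>/dev/null; then
      continue
    fi

    # The hostname is passed as an argument (never interpolated into a
    # "bash -c" string, which would let hosts-db content run as shell code).
    # </dev/null ends the TLS session at once; timeout bounds a hung handshake.
    # Without pipefail the status is that of x509, i.e. "no certificate seen".
    cert_info=$(timeout --preserve-status -k 2 2 \
      openssl s_client -servername "$server" -connect "$server:443" </dev/null 2>/dev/null \
      | openssl x509 -noout -dates 2>/dev/null) || continue

    # `openssl x509 -dates` prints "notBefore=..." and "notAfter=..." lines.
    issue_date=""
    exp_date=""
    while IFS= read -r line; do
      case "$line" in
        notBefore=*) issue_date=${line#notBefore=} ;;
        notAfter=*) exp_date=${line#notAfter=} ;;
      esac
    done <<<"$cert_info"
    [[ -n "$exp_date" ]] || continue

    # GNU coreutils date first, then the macOS/BSD form. An unparseable
    # date used to become an empty EXP_TS and a bogus "EXPIRED"; report it.
    if ! exp_ts=$(date -d "$exp_date" +%s 2>/dev/null); then
      if ! exp_ts=$(date -j -u -f "%b %d %T %Y %Z" "$exp_date" +%s 2>/dev/null); then
        printf 'valid_audit: cannot parse expiry date "%s" for %s\n' "$exp_date" "$server" >&2
        continue
      fi
    fi

    days_left=$(( (exp_ts - now) / (60 * 60 * 24) ))
    if (( days_left <= 0 )); then
      cert_status="EXPIRED"
    else
      cert_status="$days_left days remaining"
    fi

    if (( DISPLAY_EXP_ONLY == 1 && days_left > 0 )); then
      continue
    fi
    if (( days_left > EXP_THRESH )); then
      continue
    fi

    if [[ "$SIMPLIFY_OUTPUT" == 1 ]]; then
      printf '%s:%s\n' "$server" "$cert_status"
      continue
    fi
    printf '%s\n' "$server"
    printf '\tIssued: %s\n' "$issue_date"
    printf '\tExpires: %s (%s)\n' "$exp_date" "$cert_status"
    printf '\n'
  done <"$HOSTS_DB"
}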
#######################################
# Print the one-line usage summary for this script to stdout.
# Arguments: none (uses $0 for the program name)
#######################################
show_help() {
  printf '%s -d [path to hosts db (dnsmasq)] [-x show expired certs only] [-t cert expiry threshold (in days)] [-s simple output (hostname:status)] [-i ignored host blacklist]\n' "$0"
}
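# Option parsing. "h" is now in the optstring (the h) arm was unreachable
# without it), the leading ":" lets the script report bad options itself,
# and -t is validated because EXP_THRESH is used in arithmetic comparisons.
while getopts ":hd:xst:i:" opt; do
  case "$opt" in
    h)
      show_help
      exit 0
      ;;
    x) DISPLAY_EXP_ONLY=1 ;;
    t)
      if [[ ! "$OPTARG" =~ ^[0-9]+$ ]]; then
        printf '-t expects a whole number of days, got "%s"\n' "$OPTARG" >&2
        exit 2
      fi
      EXP_THRESH=$OPTARG
      ;;
    d) HOSTS_DB=$OPTARG ;;
    s) SIMPLIFY_OUTPUT=1 ;;
    i) HOSTS_IGNORE=$OPTARG ;;
    :)
      printf 'option -%s requires an argument\n' "$OPTARG" >&2
      show_help >&2
      exit 2
      ;;
    \?)
      printf 'unknown option -%s\n' "$OPTARG" >&2
      show_help >&2
      exit 2
      ;;
  esac
done
shift $((OPTIND - 1))
main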