Simple Bash-based HTTPS cert expiration checker to monitor things and send me emails.
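#!/usr/bin/env bash
# Cron wrapper around valid_audit.sh: runs the PKI audit in simple
# (hostname:status) mode and mails any findings to $EMAIL.
# Configuration: THRESH_DAYS and EMAIL below. Exits 0 when there is
# nothing to report; exits non-zero (and writes to stderr, which cron
# forwards) when the audit itself could not run.
set -euo pipefail

THRESH_DAYS="7"
EMAIL=""

# Fail loudly instead of handing mailx an empty recipient.
if [[ -z $EMAIL ]]; then
  printf 'error: EMAIL is not set in %s\n' "$0" >&2
  exit 1
fi

# Keep the audit output in a variable rather than a fixed-path temp file.
# A failing audit (script missing, not executable, ...) produces no output
# and must not be mistaken for "no warnings", so its status is checked.
if ! AUDIT_OUT=$(/etc/nopehq-configs/pki/tools/valid_audit.sh -s -t "$THRESH_DAYS" \
      -i /etc/nopehq-configs/pki/tools/audit.ignore \
      -d /etc/nopehq-configs/dns/nopeHQ-lan.hosts); then
  printf 'error: valid_audit.sh failed; no notice sent\n' >&2
  exit 1
fi

# Empty output means nothing has expired or will expire within the threshold.
if [[ -z $AUDIT_OUT ]]; then
  exit 0
fi

mailx -s 'NOPE PKI Audit Notice' "$EMAIL" <<EOF

This is the PKI audit system at NOPE HQ.
The following hosts are presenting certificates that have either expired, or will expire within the next $THRESH_DAYS days:
$AUDIT_OUT
Please regenerate these at your earliest convenience.
Best regards,
NOPE Nanomachines
[generated: $(hostname) $(date)]
EOF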
#!/usr/bin/env bash
# valid_audit.sh v0.1 - Charlton Trezevant
# Accepts a dnsmasq host db file as an argument, and attempts to
# connect to each host in the file to retrieve certificate issue/expiry
# dates

# Defaults. Each is overridden by the getopts block at the bottom of the file.
HOSTS_DB=''            # -d: dnsmasq hosts db (required; empty prints usage)
HOSTS_IGNORE=''        # -i: file listing hosts to skip
HOSTS_TLD='.nhq'       # only hosts db lines containing this string are audited
EXP_THRESH=1000000     # -t: report certs expiring within this many days
DISPLAY_EXP_ONLY=0     # -x: 1 -> report already-expired certs only
SIMPLIFY_OUTPUT=0      # -s: 1 -> one "hostname:status" line per host
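#######################################
# Audit the TLS certificate of every host named in the hosts db.
# Globals:   HOSTS_DB, HOSTS_TLD, HOSTS_IGNORE, EXP_THRESH,
#            DISPLAY_EXP_ONLY, SIMPLIFY_OUTPUT (all read)
# Arguments: none
# Outputs:   one report per host to stdout; diagnostics to stderr
# Returns:   exits 0 with usage when HOSTS_DB is empty, 1 when it is
#            unreadable; otherwise the status of the last host processed
#######################################
main() {
  if [[ -z $HOSTS_DB ]]; then
    show_help
    exit 0
  fi
  if [[ ! -r $HOSTS_DB ]]; then
    printf 'error: cannot read hosts db %s\n' "$HOSTS_DB" >&2
    exit 1
  fi

  # Hoisted: one clock read for the whole run instead of one per host.
  local now
  now=$(date +%s)

  local server cert_inf key value issue_date exp_date exp_ts days_left cert_status
  local -a words

  # Hosts db lines look like "<ip> <hostname> ...": keep the lines that
  # contain the TLD (fixed-string match, so the "." is literal) and take
  # the second whitespace-separated field.
  while IFS= read -r server; do
    [[ -n $server ]] || continue

    # Ignore list: a host is skipped when its name appears anywhere in the
    # file (fixed-string, so "." in the hostname is not a wildcard).
    if [[ -n $HOSTS_IGNORE ]] && grep -qF -- "$server" "$HOSTS_IGNORE" 2>/dev/null; then
      continue
    fi

    # The hostname is passed as an argument, never interpolated into a
    # shell command string, so hosts db contents cannot be run as shell.
    # Only the leaf certificate's dates are extracted; nothing here asserts
    # that the chain verifies. The status is that of the x509 step, so a
    # timed-out or failed connection skips the host.
    cert_inf=$(timeout --preserve-status -k 2 2 \
      openssl s_client -servername "$server" -connect "$server:443" </dev/null 2>/dev/null \
      | openssl x509 -noout -dates 2>/dev/null) || continue

    # openssl prints "notBefore=<date>" and "notAfter=<date>". Re-joining the
    # date via read/${words[*]} collapses its padded day ("Jan  1") to one space.
    issue_date='' exp_date=''
    while IFS='=' read -r key value; do
      read -r -a words <<<"$value"
      case $key in
        notBefore) issue_date=${words[*]} ;;
        notAfter) exp_date=${words[*]} ;;
      esac
    done <<<"$cert_inf"
    if [[ -z $exp_date ]]; then
      printf 'warn: no notAfter date returned by %s\n' "$server" >&2
      continue
    fi

    # gnu coreutils date cmd first, then the macOS/BSD date cmd.
    if ! exp_ts=$(date -d "$exp_date" +%s 2>/dev/null); then
      exp_ts=$(date -j -u -f '%b %d %T %Y %Z' "$exp_date" +%s 2>/dev/null) || exp_ts=''
    fi
    # An unparsable date would otherwise reach the arithmetic below as an
    # empty string; report it instead of silently dropping the host.
    if [[ ! $exp_ts =~ ^-?[0-9]+$ ]]; then
      printf 'warn: cannot parse expiry date "%s" for %s\n' "$exp_date" "$server" >&2
      continue
    fi

    days_left=$(( (exp_ts - now) / (60 * 60 * 24) ))
    if (( days_left <= 0 )); then
      cert_status='EXPIRED'
    else
      cert_status="$days_left days remaining"
    fi

    # -x: report expired certs only.
    if (( DISPLAY_EXP_ONLY == 1 && days_left > 0 )); then
      continue
    fi
    # -t: report only certs expiring within the threshold.
    if (( days_left > EXP_THRESH )); then
      continue
    fi

    if [[ $SIMPLIFY_OUTPUT == 1 ]]; then
      printf '%s:%s\n' "$server" "$cert_status"
      continue
    fi
    printf '%s\n\tIssued: %s\n\tExpires: %s (%s)\n\n' \
      "$server" "$issue_date" "$exp_date" "$cert_status"
  done < <(grep -F -- "$HOSTS_TLD" "$HOSTS_DB" | awk '{ print $2 }')
}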
#######################################
# Print the one-line usage summary to stdout.
# Globals:   none ($0 supplies the script name)
# Arguments: none
#######################################
show_help() {
  local usage='-d [path to hosts db (dnsmasq)] [-x show expired certs only] [-t cert expiry threshold (in days)] [-s simple output (hostname:status)] [-i ignored host blacklist]'
  printf '%s %s\n' "$0" "$usage"
}
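#######################################
# Option parsing, then run the audit.
#   -h  usage        -d  dnsmasq hosts db      -i  ignore list file
#   -x  expired only -t  threshold in days     -s  hostname:status output
# The leading ":" in the optstring makes getopts report missing arguments
# via the ":" arm and unknown options via the "?" arm instead of printing
# its own message; "h" is listed so the -h arm is actually reachable.
#######################################
while getopts ':hd:xst:i:' opt; do
  case "$opt" in
    h)
      show_help
      exit 0
      ;;
    x) DISPLAY_EXP_ONLY=1 ;;
    t)
      # A non-numeric threshold would break the day comparison in main().
      if [[ ! $OPTARG =~ ^[0-9]+$ ]]; then
        printf 'error: -t expects a whole number of days, got "%s"\n' "$OPTARG" >&2
        exit 2
      fi
      EXP_THRESH=$OPTARG
      ;;
    d) HOSTS_DB=$OPTARG ;;
    s) SIMPLIFY_OUTPUT=1 ;;
    i) HOSTS_IGNORE=$OPTARG ;;
    :)
      printf 'error: option -%s requires an argument\n' "$OPTARG" >&2
      show_help
      exit 2
      ;;
    \?)
      printf 'error: unknown option -%s\n' "$OPTARG" >&2
      show_help
      exit 2
      ;;
  esac
done
shift $((OPTIND - 1))
main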