Purpose: check cert expiry and cert chain issues
Note: domains.txt needs emptyline at end of file
Example output:
059 days of validity left for https://www.google.com, chain fine (issued by GTS CA 1C3)
046 days of validity left for https://www.typo3.org, chain fine (issued by R3)
Next expiry in 46 days
everything fine
| www.google.com | |
| www.lego.com | |
| #!/bin/bash | |
| status=0 | |
| errorDomains=() | |
| CERT_DAYS_LEFT_LOWEST=1000 | |
| mkdir -p .tmp | |
| rm -rf .tmp/result-alph.txt | |
| rm -rf .tmp/result-expiry.txt | |
| while read p; do | |
| result="$(./ssl-check-short $p)" | |
| echo $result; | |
| asciiresult="$(echo $result 2>&1 | sed -r 's/\x1B\[([0-9]{1,3}(;[0-9]{1,2};?)?)?[mGK]//g')" | |
| echo $asciiresult >> .tmp/result-alph.txt | |
| expirystring="$(echo $asciiresult | awk '{print $1;}' | xargs)" | |
| expiryint="$(echo $expirystring | sed 's/^0*//')" | |
| if [[ $CERT_DAYS_LEFT_LOWEST -gt $expiryint ]]; then | |
| export CERT_DAYS_LEFT_LOWEST="$expiryint" | |
| fi | |
| newstatus=$? | |
| status=$(($status + $newstatus)) | |
| if [ "$newstatus" -gt "0" ]; then | |
| errorDomains+=($p) | |
| fi | |
| done <domains.txt | |
| sort -o .tmp/result-expiry.txt .tmp/result-alph.txt | |
| mv .tmp/result* . | |
| echo "Next expiry in $CERT_DAYS_LEFT_LOWEST days" | |
| if [ "$status" -eq "0" ]; then | |
| echo "everything fine"; | |
| exit 0; | |
| fi | |
| echo "Found $status errors" | |
| for domain in "${errorDomains[@]}" | |
| do | |
| echo "check $domain" | |
| done | |
| exit 1 |
| #!/bin/bash | |
| export LC_TIME="en_US" | |
| ## | |
| # based intially on https://raw.githubusercontent.com/bobbyiliev/bash-ssl-checker-tool/master/ssl | |
| ## | |
| ## | |
| if ! [ -x "$(command -v openssl)" ]; then | |
| printf '\e[31m' | |
| echo "The openssl command is required! Please install it and then try again" | |
| printf '\e[0m' | |
| exit 1 | |
| fi | |
| HOST="$1" | |
| # output status code instead of --fail to show success on e.g. 401 with working cert | |
| if [[ $2 ]]; then | |
| PORT="$2" | |
| else | |
| PORT="443" | |
| fi | |
| RESPONSE_CODE=$(curl --connect-timeout 10 --silent --output /dev/stderr --write-out "%{http_code}" https://$HOST:$PORT/ &> /dev/null) | |
| if [ $? -gt 0 ]; then | |
| printf '\e[31m' | |
| printf 'Error with SSL connection to ' | |
| if [ "$PORT" -ne "443" ]; then | |
| printf "%s:%s" "$HOST" "$PORT" | |
| else | |
| printf "https://%s" "$HOST" | |
| fi | |
| printf '\e[0m' | |
| set -e | |
| curl --fail --silent --show-error https://$HOST:$PORT/ > /dev/null | |
| set +e | |
| exit 1 | |
| fi | |
| today=$(date +%F) | |
| opensslresult="$(echo | openssl s_client -servername $HOST -connect $HOST:$PORT 2> /dev/null)" | |
| expires=$(echo "$opensslresult" | openssl x509 -noout -dates | grep 'notAfter' | sed 's/notAfter=//') | |
| if [ "$(uname)" == "Darwin" ]; then | |
| THIS_CERT_EXPIRY="$((($(date -j -f "%b %d %T %Y %Z" "$expires" +'%s') - $(date -j -f "%F" "$today" +'%s')) / 60 / 60 / 24))" | |
| else | |
| THIS_CERT_EXPIRY="$((($(date -d"$expires" +%s) - $(date -d"$today" +%s)) / 60 / 60 / 24))" | |
| fi | |
| if [[ 14 -gt $THIS_CERT_EXPIRY ]]; then | |
| printf '\e[31m' | |
| elif [[ 30 -gt $THIS_CERT_EXPIRY ]]; then | |
| printf '\e[33m' | |
| else | |
| printf '\e[32m' | |
| fi | |
| printf "%03d" $THIS_CERT_EXPIRY | |
| printf " days of validity left for "; | |
| printf '\e[39m'; | |
| if [ "$PORT" -ne "443" ]; then | |
| printf "%s:%s" "$HOST" "$PORT" | |
| else | |
| printf "https://%s" "$HOST" | |
| fi | |
| printf '\e[32m'; | |
| chain="$(echo "$opensslresult" | grep " 1 s:C" || true)" | |
| issuer="${chain##*CN = }" | |
| if [ -z "$issuer" ]; then | |
| printf '\e[31m'; | |
| printf ', problem with chain detected'; | |
| else | |
| printf '\e[32m'; | |
| printf ", chain fine (issued by ${issuer%%*( )##*( )})" | |
| fi | |
| printf '\e[0m\n' | |
| if [[ 14 -gt $THIS_CERT_EXPIRY ]]; then | |
| exit 1; | |
| fi |
| #!/bin/bash | |
| grep "^base:" config/sites/*/* | awk -F/ '{print $6}' | tr -d '"' | tr -d "'" | sort |