It took a bit of faffing about, but it all came back to me. Eventually. :-)
Here it is, if it's of any use to you. And if you spot any bugs, please give me a shout.
#!/bin/bash
export PATH=/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin export CERT_DIR='/etc/pki/tls/certs' export EPOCH_DAY='86400' export TODAY="$(date +%s)" export STATUS='green' export TEMPFILE=$BBTMP/localcert.$$
date > $TEMPFILE
For every cert we have...
for CERT in $(find ${CERT_DIR}/*.crt)
do
LCOL='green'
EXPIRE=$(openssl x509 -in ${CERT} -noout -dates 2>/dev/null | awk
-F= '/^notAfter/ { print $2; exit }')
EXP_EPOCH=date -d"$EXPIRE" +%s
SECS2GO=expr $EXP_EPOCH - $TODAY
DAYS2GO=expr $SECS2GO / $EPOCH_DAY
if [ $DAYS2GO -le 30 -a $STATUS != "red" ]
then
export STATUS='yellow'
LCOL='yellow'
fi
if [ $DAYS2GO -le 15 ]
then
export STATUS='red'
LCOL='red'
fi
echo "&$LCOL Expires in $DAYS2GO days, on $EXPIRE $CERT" >> $TEMPFILE
done
$XYMON $XYMSRV "status $MACHINE.localcerts $STATUS $(cat $TEMPFILE)"
rm $TEMPFILE 2>/dev/null
On Wed, 30 Aug 2023 at 18:21, Adam Thorn <alt36 at cam.ac.uk> wrote:
On 30/08/2023 04:31, Vernon Everett wrote:
- I have a few certs local to my client that I need to keep an eye on too. But these are used by applications, and are not related to a web page, so effectively I need to to keep tabs on /foo/bar/cert
Here's our perl script for doing this, though it uses a local "SuperHobbit" perl module which manages loading config files so it's not a case of just copy-pasting:
https://gitlab.developers.cam.ac.uk/-/snippets/238
As others have said, all that the script really does is run:
openssl x509 -in MY_CERTIFICATE.pem -noout -enddate
which'll output a single line like:
notAfter=Jul 4 23:59:59 2024 GMT
which is then parsed by perl's str2time() (other date parsing options exist, of course. Thanks to Ralph for pointing out the -dateopt option which I didn't know about, though unfortunately that's not available in the version of openssl as provided by Ubuntu 20.04)
I looked quickly at reimplementing this in python using the standard python 'crytography' package, but that started to open up cans of worms around version dependencies and how we could make a suitable version of the package available, so I've mentally stalled that idea for now.
Adam
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
--
"Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton
"Don't find fault. Find a remedy"
- Henry Ford