forked from ossobv/vcutil
-
Notifications
You must be signed in to change notification settings - Fork 0
/
cert-expiry-finder
executable file
·109 lines (95 loc) · 2.95 KB
/
cert-expiry-finder
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
#!/bin/sh
# cert-expiry-finder (part of ossobv/vcutil) // wdoekes/2016 // Public Domain
#
# Searches for X.509 (SSL/TLS) certificates in common locations and
# enumerates the expiry days.
#
# Usage:
#
# cert-expiry-finder # lists all certs and days
# cert-expiry-finder --min # lists the soonest expiry
# cert-expiry-finder -h # shows help and Zabbix example
#
# See also:
#
# cert-expiry-check
#
global_t0=`date +%s` # cache the "now" value
enum_all_certs() {
(
enum_apache2_certs
enum_dovecot_certs
enum_nginx_certs
enum_postfix_certs
enum_ser_certs
) | sort -u
}
enum_apache2_certs() {
find /etc/apache2/apache2.conf \
/etc/apache2/mods-enabled/ssl.conf \
/etc/apache2/sites-enabled/ \
'(' -type f -o -type l ')' '!' -name '.*' -print0 2>/dev/null |
xargs -0 sed -ne '
s/^[[:blank:]]*SSLCertificateFile[[:blank:]]\+\([^[:blank:]]*\).*/\1/p'
}
enum_dovecot_certs() {
find /etc/dovecot/ '(' -type f -o -type l ')' '!' -name '.*' \
-print0 2>/dev/null |
xargs -0 sed -ne '
s/^ssl_cert_file[[:blank:]]*=[[:blank:]]*\([^[:blank:]]\+\).*/\1/p'
}
enum_nginx_certs() {
find /etc/nginx/nginx.conf \
/etc/nginx/conf.d/ \
/etc/nginx/sites-enabled/ \
'(' -type f -o -type l ')' '!' -name '.*' -print0 2>/dev/null |
xargs -0 sed -ne '
s/^[[:blank:]]*ssl_certificate[[:blank:]]\+\([^[:blank:]]*\).*;/\1/p'
}
enum_postfix_certs() {
postconf 'smtpd_tls_cert_file' 2>/dev/null |
sed -e 's/.* = //'
}
enum_ser_certs() {
find /etc/kamailio /etc/opensips /etc/ser \
'(' -type f -o -type l ')' -name '*.cfg' -print0 2>/dev/null |
xargs -0 sed -ne '
s/^[[:blank:]]*tls_certificate[[:blank:]]*=[[:blank:]]*"\([^[:blank:]]*\)".*/\1/p'
}
list_cert_expiry_days() {
for file in "$@"; do
expiry=`expiry_after "$file"`
if test -n "$expiry"; then
expiry=$((expiry / 86400))
printf '%-7d %s\n' $expiry "$file"
else
echo "expiry parse error: $file" >&2
fi
done
}
expiry_after() {
file=$1
date=`openssl x509 -in "$file" -noout -dates |
sed -e '/notAfter=/!d;s/.*=//'`
tn=`date --date="$date" +%s`
td=$((tn - global_t0))
echo $td
}
if test $# -eq 0; then
list_cert_expiry_days `enum_all_certs`
elif test $# -eq 1 && test "$1" = "--min"; then
list_cert_expiry_days `enum_all_certs` |
awk '{if(n==""||$1<n){n=$1}}END{if(n!=""){print n}else{exit 1}}'
else
cat >&2 << __EOF__
Usage: cert-expiry-finder [--min]
Enumerates all X.509 (SSL/TLS) certificates from common known locations
like nginx, apache2, postfix, and lists how many days there are left to
expiry.
Zabbix example:
# The shortest amount of days before expiry of all certificates found on
# this machine.
UserParameter=cert.server.minexpiry,cert-expiry-finder --min || echo 5555
__EOF__
fi
# vim: set ts=8 sw=4 sts=4 et ai: