[Xymon] SSL/TLS cert monitoring

Vernon Everett everett.vernon at gmail.com
Sat Sep 2 08:53:30 CEST 2023


It took a bit of faffing about, but it all came back to me. Eventually. :-)

Here it is, if it's of any use to you.
And if you spot any bugs, please give me a shout.

#!/bin/bash

export PATH=/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
export CERT_DIR='/etc/pki/tls/certs'
export EPOCH_DAY='86400'
export TODAY="$(date +%s)"
export STATUS='green'
export TEMPFILE="$BBTMP/localcert.$$"

date > "$TEMPFILE"
# For every cert we have...
for CERT in "${CERT_DIR}"/*.crt
do
  LCOL='green'
  # Pull the notAfter date out of the certificate
  EXPIRE=$(openssl x509 -in "${CERT}" -noout -dates 2>/dev/null | awk -F= '/^notAfter/ { print $2; exit }')
  if [ -z "$EXPIRE" ]
  then
    # openssl could not read the file; flag it rather than letting an empty date read as "today"
    export STATUS='red'
    echo "&red Could not read expiry date  $CERT" >> "$TEMPFILE"
    continue
  fi
  EXP_EPOCH=$(date -d "$EXPIRE" +%s)
  SECS2GO=$(( EXP_EPOCH - TODAY ))
  DAYS2GO=$(( SECS2GO / EPOCH_DAY ))
  # Yellow at 30 days or less (unless something is already red), red at 15 days or less
  if [ "$DAYS2GO" -le 30 ] && [ "$STATUS" != "red" ]
  then
    export STATUS='yellow'
    LCOL='yellow'
  fi
  if [ "$DAYS2GO" -le 15 ]
  then
    export STATUS='red'
    LCOL='red'
  fi
  echo "&$LCOL Expires in $DAYS2GO days, on $EXPIRE  $CERT" >> "$TEMPFILE"
done
$XYMON $XYMSRV "status $MACHINE.localcerts $STATUS $(cat "$TEMPFILE")"
rm -f "$TEMPFILE" 2>/dev/null





On Wed, 30 Aug 2023 at 18:21, Adam Thorn <alt36 at cam.ac.uk> wrote:

> On 30/08/2023 04:31, Vernon Everett wrote:
> > 3. I have a few certs local to my client that I need to keep an eye on
> > too. But these are used by applications, and are not related to a web
> > page, so effectively I need to to keep tabs on /foo/bar/cert
>
> Here's our perl script for doing this, though it uses a local
> "SuperHobbit" perl module which manages loading config files so it's not
> a case of just copy-pasting:
>
> https://gitlab.developers.cam.ac.uk/-/snippets/238
>
> As others have said, all that the script really does is run:
>
> openssl x509 -in MY_CERTIFICATE.pem -noout -enddate
>
> which'll output a single line like:
>
> notAfter=Jul  4 23:59:59 2024 GMT
>
> which is then parsed by perl's str2time() (other date parsing options
> exist, of course. Thanks to Ralph for pointing out the -dateopt option
> which I didn't know about, though unfortunately that's not available in
> the version of openssl as provided by Ubuntu 20.04)
>
> I looked quickly at reimplementing this in python using the standard
> python 'cryptography' package, but that started to open up cans of worms
> around version dependencies and how we could make a suitable version of
> the package available, so I've mentally stalled that idea for now.
>
> Adam
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>


-- 

"Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton

"Don't find fault. Find a remedy"
- Henry Ford
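An added example, not from this thread or from Xymon, in the Python that Adam mentions: it parses the "notAfter=..." line that "openssl x509 -enddate" prints, applies the same 30/15-day thresholds as the script above, and builds the "&colour" report lines for a status message. The openssl_not_after helper and the sample lines are my own assumptions.

```python
# Added example (not from the thread): parse openssl's notAfter line and
# map days-to-expiry to Xymon colours with the script's 30/15-day thresholds.
import re
import subprocess
from datetime import datetime, timezone

EPOCH_DAY = 86400
RANK = {"green": 0, "yellow": 1, "red": 2}

def openssl_not_after(path: str) -> str:
    """Run the command Adam quotes; returns the raw 'notAfter=...' line."""
    cmd = ["openssl", "x509", "-in", path, "-noout", "-enddate"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()

def parse_not_after(line: str) -> datetime:
    """Parse 'notAfter=Jul  4 23:59:59 2024 GMT' into an aware UTC datetime."""
    m = re.match(r"notAfter=(.+)$", line.strip())
    if not m:
        raise ValueError(f"not a notAfter line: {line!r}")
    text = " ".join(m.group(1).split())  # collapse the padded day field
    if not text.endswith(" GMT"):        # openssl prints this field in GMT
        raise ValueError(f"unexpected timezone in {text!r}")
    stamp = datetime.strptime(text[:-4], "%b %d %H:%M:%S %Y")
    return stamp.replace(tzinfo=timezone.utc)

def days_to_go(not_after: datetime, now: datetime) -> int:
    # Truncate toward zero, as `expr` integer division does in the shell script.
    return int((not_after - now).total_seconds() / EPOCH_DAY)

def colour_for(days: int) -> str:
    return "red" if days <= 15 else "yellow" if days <= 30 else "green"

def build_status(cert_lines: dict, now: datetime) -> tuple:
    """cert_lines maps cert path -> raw notAfter line. Returns (colour, report)."""
    overall, report = "green", []
    for path, line in sorted(cert_lines.items()):
        try:
            days = days_to_go(parse_not_after(line), now)
            colour, text = colour_for(days), f"Expires in {days} days, on {line.strip().split('=', 1)[1]}"
        except ValueError as exc:
            # Unparseable output would become "0 days" via `date -d ''` in the
            # shell version; report it explicitly instead (an added choice).
            colour, text = "red", f"cannot read expiry ({exc})"
        report.append(f"&{colour} {text}  {path}")
        if RANK[colour] > RANK[overall]:
            overall = colour
    return overall, "\n".join(report)
```

Feed build_status a dict built from openssl_not_after over your cert directory and hand the result to the xymon client the same way the script above does.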