Use functions in cert-expirations.sh
This commit is contained in:
parent
e33722d440
commit
bd5e02bb87
|
@ -1,72 +1,124 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
|
|
||||||
SYSTEM=$(uname | tr '[:upper:]' '[:lower:]')
|
VERSION="22.04"
|
||||||
|
|
||||||
if [ "${SYSTEM}" = "openbsd" ]; then
|
show_version() {
|
||||||
carp=$(/sbin/ifconfig carp0 2>/dev/null | grep 'status' | cut -d' ' -f2)
|
cat <<END
|
||||||
|
cert-expirations.sh version ${VERSION}
|
||||||
if [ "$carp" = "backup" ]; then
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
cacert_path="/etc/openvpn/ssl/ca/cacert.pem"
|
Copyright 2020-2022 Evolix <info@evolix.fr>,
|
||||||
index_path="/etc/openvpn/ssl/ca/index.txt"
|
Jérémy Lecour <jlecour@evolix.fr>,
|
||||||
somedays="3456000" # 40 days currently
|
Jérémy Dubois <jdubois@evolix.fr>
|
||||||
expired_certs=""
|
and others.
|
||||||
expiring_soon_certs=""
|
|
||||||
still_valid_certs=""
|
|
||||||
|
|
||||||
echo "Warning : all times are in UTC !"
|
cert-expirations.sh comes with ABSOLUTELY NO WARRANTY. This is free software,
|
||||||
echo ""
|
and you are welcome to redistribute it under certain conditions.
|
||||||
echo "CA certificate:"
|
See the MIT Licence for details.
|
||||||
openssl x509 -enddate -noout -in ${cacert_path} \
|
END
|
||||||
| cut -d '=' -f 2 \
|
|
||||||
| sed -e "s/^\(.*\)\ \(20..\).*/- \2 \1/"
|
|
||||||
|
|
||||||
echo ""
|
|
||||||
|
|
||||||
# Syntax "cmd | { while read line; do var="foo"; done echo $var }" needed, otherwise $var is empty at the end of while loop
|
|
||||||
grep ^V ${index_path} \
|
|
||||||
| awk -F "/" '{print $1,$5}' \
|
|
||||||
| awk '{print $2,$5}' \
|
|
||||||
| sed 's/CN=//' \
|
|
||||||
| sed -E 's/([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})Z (.*)/- 20\1 \2 \3 \4:\5:\6 \7/' \
|
|
||||||
| awk '{if ($3 == "01") $3="Jan"; else if ($3 == "02") $3="Feb"; else if ($3 == "03") $3="Mar"; else if ($3 == "04") $3="Apr"; else if ($3 == "05") $3="May"; else if ($3 == "06") $3="Jun"; else if ($3 == "07") $3="Jul"; else if ($3 == "08") $3="Aug"; else if ($3 == "09") $3="Sep"; else if ($3 == "10") $3="Oct"; else if ($3 == "11") $3="Nov"; else if ($3 == "12") $3="Dec"; print $0;}' \
|
|
||||||
| sort -n -k 2 -k 3M -k 4 | {
|
|
||||||
while read -r line; do
|
|
||||||
|
|
||||||
# Predicting expirations - OpenBSD case (date is not the same than in Linux)
|
|
||||||
if [ "${SYSTEM}" = "openbsd" ]; then
|
|
||||||
# Already expired if expiration date is before now
|
|
||||||
if [ "$(TZ=:Zulu date -jf "%Y %b %d %H:%M:%S" "$(echo "$line" | awk '{print $2,$3,$4,$5}')" +%s)" -le "$(date +%s)" ]; then
|
|
||||||
expired_certs="${expired_certs}$line\n"
|
|
||||||
# Expiring soon if expiration date is after now and before now + $somedays days
|
|
||||||
elif [ "$(TZ=:Zulu date -jf "%Y %b %d %H:%M:%S" "$(echo "$line" | awk '{print $2,$3,$4,$5}')" +%s)" -gt "$(date +%s)" ] && [ "$(TZ=:Zulu date -jf "%Y %b %d %H:%M:%S" "$(echo "$line" | awk '{print $2,$3,$4,$5}')" +%s)" -lt "$(($(date +%s) + somedays))" ]; then
|
|
||||||
expiring_soon_certs="${expiring_soon_certs}$line\n"
|
|
||||||
# Still valid for a time if expiration date is after now + $somedays days
|
|
||||||
elif [ "$(TZ=:Zulu date -jf "%Y %b %d %H:%M:%S" "$(echo "$line" | awk '{print $2,$3,$4,$5}')" +%s)" -ge "$(($(date +%s) + somedays))" ]; then
|
|
||||||
still_valid_certs="${still_valid_certs}$line\n"
|
|
||||||
fi
|
|
||||||
# Non OpenBSD cases
|
|
||||||
else
|
|
||||||
# Already expired if expiration date is before now
|
|
||||||
if [ "$(TZ=:Zulu date -d "$(echo "$line" | awk '{print $3,$4,$2,$5}')" +%s)" -le "$(date +%s)" ]; then
|
|
||||||
expired_certs="${expired_certs}$line\n"
|
|
||||||
# Expiring soon if expiration date is after now and before now + $somedays days
|
|
||||||
elif [ "$(TZ=:Zulu date -d "$(echo "$line" | awk '{print $3,$4,$2,$5}')" +%s)" -gt "$(date +%s)" ] && [ "$(TZ=:Zulu date -d "$(echo "$line" | awk '{print $3,$4,$2,$5}')" +%s)" -lt "$(($(date +%s) + somedays))" ]; then
|
|
||||||
expiring_soon_certs="${expiring_soon_certs}$line\n"
|
|
||||||
# Still valid for a time if expiration date is after now + $somedays days
|
|
||||||
elif [ "$(TZ=:Zulu date -d "$(echo "$line" | awk '{print $3,$4,$2,$5}')" +%s)" -ge "$(($(date +%s) + somedays))" ]; then
|
|
||||||
still_valid_certs="${still_valid_certs}$line\n"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
echo "Expired client certificates:"
|
|
||||||
echo "${expired_certs}"
|
|
||||||
echo "Valid client certificates expiring soon (in less than $((somedays / 60 / 60 / 24)) days):"
|
|
||||||
echo "${expiring_soon_certs}"
|
|
||||||
echo "Valid client certificates expiring later (in more than $((somedays / 60 / 60 / 24)) days):"
|
|
||||||
echo "${still_valid_certs}"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
show_usage() {
|
||||||
|
cat <<END
|
||||||
|
Usage: ${0} [--version]
|
||||||
|
END
|
||||||
|
}
|
||||||
|
|
||||||
|
check_ca_expiration() {
|
||||||
|
echo "CA certificate:"
|
||||||
|
openssl x509 -enddate -noout -in ${cacert_path} \
|
||||||
|
| cut -d '=' -f 2 \
|
||||||
|
| sed -e "s/^\(.*\)\ \(20..\).*/- \2 \1/"
|
||||||
|
}
|
||||||
|
|
||||||
|
check_certs_expiration() {
|
||||||
|
# Syntax "cmd | { while read line; do var="foo"; done echo $var }" needed, otherwise $var is empty at the end of while loop
|
||||||
|
grep ^V ${index_path} \
|
||||||
|
| awk -F "/" '{print $1,$5}' \
|
||||||
|
| awk '{print $2,$5}' \
|
||||||
|
| sed 's/CN=//' \
|
||||||
|
| sed -E 's/([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})([[:digit:]]{2})Z (.*)/- 20\1 \2 \3 \4:\5:\6 \7/' \
|
||||||
|
| awk '{if ($3 == "01") $3="Jan"; else if ($3 == "02") $3="Feb"; else if ($3 == "03") $3="Mar"; else if ($3 == "04") $3="Apr"; else if ($3 == "05") $3="May"; else if ($3 == "06") $3="Jun"; else if ($3 == "07") $3="Jul"; else if ($3 == "08") $3="Aug"; else if ($3 == "09") $3="Sep"; else if ($3 == "10") $3="Oct"; else if ($3 == "11") $3="Nov"; else if ($3 == "12") $3="Dec"; print $0;}' \
|
||||||
|
| sort -n -k 2 -k 3M -k 4 | {
|
||||||
|
while read -r line; do
|
||||||
|
|
||||||
|
# Predicting expirations - OpenBSD case (date is not the same than in Linux)
|
||||||
|
if [ "${SYSTEM}" = "openbsd" ]; then
|
||||||
|
# Already expired if expiration date is before now
|
||||||
|
if [ "$(TZ=:Zulu date -jf "%Y %b %d %H:%M:%S" "$(echo "$line" | awk '{print $2,$3,$4,$5}')" +%s)" -le "$(date +%s)" ]; then
|
||||||
|
expired_certs="${expired_certs}$line\n"
|
||||||
|
# Expiring soon if expiration date is after now and before now + $somedays days
|
||||||
|
elif [ "$(TZ=:Zulu date -jf "%Y %b %d %H:%M:%S" "$(echo "$line" | awk '{print $2,$3,$4,$5}')" +%s)" -gt "$(date +%s)" ] && [ "$(TZ=:Zulu date -jf "%Y %b %d %H:%M:%S" "$(echo "$line" | awk '{print $2,$3,$4,$5}')" +%s)" -lt "$(($(date +%s) + somedays))" ]; then
|
||||||
|
expiring_soon_certs="${expiring_soon_certs}$line\n"
|
||||||
|
# Still valid for a time if expiration date is after now + $somedays days
|
||||||
|
elif [ "$(TZ=:Zulu date -jf "%Y %b %d %H:%M:%S" "$(echo "$line" | awk '{print $2,$3,$4,$5}')" +%s)" -ge "$(($(date +%s) + somedays))" ]; then
|
||||||
|
still_valid_certs="${still_valid_certs}$line\n"
|
||||||
|
fi
|
||||||
|
# Non OpenBSD cases
|
||||||
|
else
|
||||||
|
# Already expired if expiration date is before now
|
||||||
|
if [ "$(TZ=:Zulu date -d "$(echo "$line" | awk '{print $3,$4,$2,$5}')" +%s)" -le "$(date +%s)" ]; then
|
||||||
|
expired_certs="${expired_certs}$line\n"
|
||||||
|
# Expiring soon if expiration date is after now and before now + $somedays days
|
||||||
|
elif [ "$(TZ=:Zulu date -d "$(echo "$line" | awk '{print $3,$4,$2,$5}')" +%s)" -gt "$(date +%s)" ] && [ "$(TZ=:Zulu date -d "$(echo "$line" | awk '{print $3,$4,$2,$5}')" +%s)" -lt "$(($(date +%s) + somedays))" ]; then
|
||||||
|
expiring_soon_certs="${expiring_soon_certs}$line\n"
|
||||||
|
# Still valid for a time if expiration date is after now + $somedays days
|
||||||
|
elif [ "$(TZ=:Zulu date -d "$(echo "$line" | awk '{print $3,$4,$2,$5}')" +%s)" -ge "$(($(date +%s) + somedays))" ]; then
|
||||||
|
still_valid_certs="${still_valid_certs}$line\n"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
echo "Expired client certificates:"
|
||||||
|
echo "${expired_certs}"
|
||||||
|
echo "Valid client certificates expiring soon (in less than $((somedays / 60 / 60 / 24)) days):"
|
||||||
|
echo "${expiring_soon_certs}"
|
||||||
|
echo "Valid client certificates expiring later (in more than $((somedays / 60 / 60 / 24)) days):"
|
||||||
|
echo "${still_valid_certs}"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
main() {
|
||||||
|
SYSTEM=$(uname | tr '[:upper:]' '[:lower:]')
|
||||||
|
|
||||||
|
if [ "${SYSTEM}" = "openbsd" ]; then
|
||||||
|
carp=$(/sbin/ifconfig carp0 2>/dev/null | grep 'status' | cut -d' ' -f2)
|
||||||
|
|
||||||
|
if [ "$carp" = "backup" ]; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
cacert_path="/etc/openvpn/ssl/ca/cacert.pem"
|
||||||
|
index_path="/etc/openvpn/ssl/ca/index.txt"
|
||||||
|
somedays="3456000" # 40 days currently
|
||||||
|
expired_certs=""
|
||||||
|
expiring_soon_certs=""
|
||||||
|
still_valid_certs=""
|
||||||
|
|
||||||
|
case "$1" in
|
||||||
|
version|--version)
|
||||||
|
show_version
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
|
||||||
|
help|--help)
|
||||||
|
show_usage
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
|
||||||
|
"")
|
||||||
|
echo "Warning : all times are in UTC !"
|
||||||
|
echo ""
|
||||||
|
check_ca_expiration
|
||||||
|
echo ""
|
||||||
|
check_certs_expiration
|
||||||
|
;;
|
||||||
|
|
||||||
|
*)
|
||||||
|
show_usage >&2
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
}
|
||||||
|
|
||||||
|
main "$@"
|
||||||
|
|
Loading…
Reference in a new issue