Forum Discussion
David_Dalgaard_ (Nimbostratus)
Jul 25, 2013 - Script to check for certificate expiration
Hi guys
Most of you have probably been in the situation where a certificate suddenly expired without anyone noticing (or at least no one took proper action). I was in that situation a couple of ...
Héctor_J__Sánc1 (Nimbostratus)
Mar 07, 2016 - Another update/fix:
#!/bin/bash
# Author: dadalife
# Check if the unit is active; only then should the script continue:
ACTIVE=$(tmsh show cm failover-status | grep -c ACTIVE)
if (( ACTIVE == 1 )); then
    echo -e "Unit is active. Proceeding...\n"
    SCRIPTPATH='/root/'
    MAIL=''      # recipient of the per-certificate alerts
    MAILCC=''    # CC recipient; also receives the final status mail
    NUMREPORTED=0
    NUMFLAGGED=0
    NUMCRITICAL=0
    IGNORE=('bundle')   # certificates whose name contains any of these strings are skipped
    # Start from a clean list; -f so a missing file from an earlier run is not an error
    rm -f "$SCRIPTPATH"expiringcerts.txt
    # State file of certificates already reported; create it so the first run does not fail
    touch "$SCRIPTPATH"flaggedcerts.txt

    # Create a list of all expiring certificates:
    tmsh -c "cd /; run sys crypto check-cert" | grep 'will expire' | awk -F 'in file' '{print $2}' | awk -F ' GMT' '{print $1}' >> "$SCRIPTPATH"expiringcerts.txt
    echo "A list of all expiring certificates has been created!"

    # Send an email for each certificate if it has not already been sent:
    echo -e "\nChecking for expiring certificates..."
    > "$SCRIPTPATH"tempflagged.txt
    while read -r line; do
        CERT=$(echo "$line" | awk '{print $1}')
        for i in "${IGNORE[@]}"; do
            if [[ "$CERT" == *"$i"* ]]; then
                echo "Ignoring $CERT"
                continue 2
            fi
        done
        BODY="\n\nIf it was not previously done, please create a Jira for Operations team in order to renew the certificate.\n\nIgnore this alarm if the certificate is /Common/ca-bundle.crt\n\nThis is an auto-generated e-mail from the BIG-IP."
        # check-cert prints either "will expire on <date>" or "expired on <date>"; the regex matches both
        CERTEXPIRE=$(echo "$line" | awk -F 'expired? on ' '{print $2}')
        # -F: the certificate name is a path, not a regex; -c counts matching lines
        FLAGGED=$(grep -cF -- "$CERT" "$SCRIPTPATH"flaggedcerts.txt)
        if (( FLAGGED == 0 )); then
            echo "$CERT" >> "$SCRIPTPATH"tempflagged.txt
            echo -e "$CERT expires on $CERTEXPIRE GMT.$BODY" | mail -s "$CERT expires on $CERTEXPIRE GMT" "$MAIL" -c "$MAILCC"
            echo "--> $CERT reported to servicedesk."
            NUMREPORTED=$(( NUMREPORTED + 1 ))
        else
            echo "$CERT" >> "$SCRIPTPATH"tempflagged.txt
            echo "--> $CERT has already been flagged"
            NUMFLAGGED=$(( NUMFLAGGED + 1 ))
        fi
    done < "$SCRIPTPATH"expiringcerts.txt
    cp "$SCRIPTPATH"tempflagged.txt "$SCRIPTPATH"flaggedcerts.txt
    echo -e "Check for expiring certificates done!"

    # Check if a certificate is less than a week from expiring:
    CURRENTTIMEEPOCH=$(date +%s)
    echo -e "\nChecking for almost expired certificates..."
    while read -r line; do
        CERT=$(echo "$line" | awk '{print $1}')
        for i in "${IGNORE[@]}"; do
            if [[ "$CERT" == *"$i"* ]]; then
                echo "Ignoring $CERT"
                continue 2
            fi
        done
        CERTEXPIRE=$(echo "$line" | awk -F 'expired? on ' '{print $2}')
        CERTEXPIREEPOCH=$(date --date="$CERTEXPIRE" +%s)
        CERTEXPIREDIFF=$(( CERTEXPIREEPOCH - CURRENTTIMEEPOCH ))
        # 604800 s = 7 days; a negative difference means the certificate has already expired
        if (( CERTEXPIREDIFF < 604800 )); then
            BODY="\n\nIf it was not previously done, please create a Jira for Operations team in order to renew the certificate.\n\nIgnore this alarm if the certificate is /Common/ca-bundle.crt\n\nThis is an auto-generated e-mail from the BIG-IP."
            echo -e "$CERT expires on $CERTEXPIRE GMT.$BODY" | mail -s "WARNING: $CERT EXPIRES IN LESS THAN A WEEK!!" "$MAIL" -c "$MAILCC"
            echo "--> WARNING: $CERT EXPIRES IN LESS THAN A WEEK!!"
            NUMCRITICAL=$(( NUMCRITICAL + 1 ))
        fi
    done < "$SCRIPTPATH"expiringcerts.txt
    echo "Check for almost expired certificates done!"
    echo -e "\nCertification check done!"

    # Send a status email:
    echo -e "Hi Héctor\n\nYour script did its job!!\n\nNumber of newly reported certificates: '$NUMREPORTED'\nNumber of already flagged certificates: '$NUMFLAGGED'\nNumber of critical certificates: '$NUMCRITICAL'\n\nYours Sincerely\nThe BIG-IP" | mail -s "Everything went well!" "$MAILCC"
else
    echo "Unit is standby. No action taken!"
fi
Had to change grep 'will expired' to grep 'will expire', and now you can ignore certs to reduce the noise. Also removed the partition loop; you can check all certs from the root dir.
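The script above relies on text splitting and `date --date` to decide which certificates are new, which were already reported, and which are inside the one-week window, which makes the logic hard to test before it is dropped into cron on a BIG-IP. The following is an added, stand-alone re-implementation of that same decision logic in Python, not code from the thread or from F5: it parses lines in the shape the script splits on (`<name> in file <path> will expire on|expired on <date> GMT`), skips names matching the ignore list, deduplicates against the previous run's flagged set, and ranks each certificate as expired, critical (under seven days) or warning. The sample lines, the fixed "now", the previously flagged set and the line regex are all constructed assumptions; the regex is derived from how the script cuts the text, not from the documented `check-cert` output format.

```python
"""Classify check-cert style lines by time to expiry and dedupe against the last run."""
import re
from datetime import datetime, timedelta, timezone

# Assumed line shape, derived from the forum script's 'in file' / 'expired on' splits.
# It accepts both "will expire on" and "expired on" so already-expired certs are not lost.
LINE_RE = re.compile(
    r"^(?P<name>\S+) in file (?P<path>\S+) (?:will expire|expired) on (?P<when>.+ GMT)\s*$"
)
DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # OpenSSL-style notAfter, e.g. "Mar 10 12:00:00 2016 GMT"
CRITICAL_DAYS = 7                    # same window as the script's 604800 seconds


def parse_check_cert_line(line):
    """Return (name, path, not_after as an aware UTC datetime), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    not_after = datetime.strptime(m.group("when"), DATE_FMT).replace(tzinfo=timezone.utc)
    return m.group("name"), m.group("path"), not_after


def classify(not_after, now, critical_days=CRITICAL_DAYS):
    """'expired' once notAfter has passed, 'critical' inside the window, otherwise 'warning'."""
    remaining = not_after - now
    if remaining < timedelta(0):
        return "expired"
    if remaining < timedelta(days=critical_days):
        return "critical"
    return "warning"


def process(lines, now, previously_flagged, ignore=("bundle",)):
    """Run both of the script's passes in one: dedupe against the last run and rank by urgency.

    Returns the per-certificate findings, the flagged set to persist for the next run, and the
    counters the script reports in its status mail. Expired certificates land in the critical
    bucket, exactly as a negative time difference does in the script.
    """
    findings = []
    flagged_now = set()
    counts = {"reported": 0, "already_flagged": 0, "critical": 0, "ignored": 0, "unparsed": 0}
    for line in lines:
        parsed = parse_check_cert_line(line)
        if parsed is None:
            counts["unparsed"] += 1   # unlike the shell pipeline, an odd line is counted, not misread
            continue
        name, path, not_after = parsed
        if any(token in name for token in ignore):
            counts["ignored"] += 1
            continue
        severity = classify(not_after, now)
        is_new = name not in previously_flagged
        flagged_now.add(name)
        counts["reported" if is_new else "already_flagged"] += 1
        if severity != "warning":
            counts["critical"] += 1
        findings.append({"name": name, "path": path, "severity": severity,
                         "days_left": (not_after - now).days, "new": is_new})
    return {"findings": findings, "flagged": flagged_now, "counts": counts}


# Constructed sample lines in the shape the script parses; not captured from a real BIG-IP.
SAMPLE_LINES = [
    "/Common/www.example.com.crt in file /config/ssl/ssl.crt/www.example.com.crt will expire on Mar 10 12:00:00 2016 GMT",
    "/Common/api.example.com.crt in file /config/ssl/ssl.crt/api.example.com.crt will expire on Apr 01 00:00:00 2016 GMT",
    "/Common/old.example.com.crt in file /config/ssl/ssl.crt/old.example.com.crt expired on Feb 01 00:00:00 2016 GMT",
    "/Common/ca-bundle.crt in file /config/ssl/ssl.crt/ca-bundle.crt will expire on Mar 09 00:00:00 2016 GMT",
    "some unrelated tmsh output line",
]
NOW = datetime(2016, 3, 7, tzinfo=timezone.utc)          # fixed "now" so the run is reproducible
PREVIOUSLY_FLAGGED = {"/Common/api.example.com.crt"}     # stand-in for last run's flaggedcerts.txt


def main():
    report = process(SAMPLE_LINES, NOW, PREVIOUSLY_FLAGGED)
    for f in report["findings"]:
        print(f"{f['severity']:8} {f['days_left']:4d}d {'NEW' if f['new'] else 'seen'}  {f['name']}")
    print(report["counts"])


if __name__ == "__main__":
    main()
```

Feeding it the real `tmsh -c "cd /; run sys crypto check-cert"` output instead of `SAMPLE_LINES` and persisting `report["flagged"]` between runs gives the same behaviour as the script's two loops, with the advantage that the date is parsed in UTC explicitly rather than through `date --date` in the local zone, and that a line the regex does not understand is counted as unparsed instead of silently producing an empty expiry date.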