Forum Discussion
David_Dalgaard_ (Nimbostratus), Jul 25, 2013
Script to check for certificate expiration
Hi guys
Most of you have probably been in the situation where a certificate suddenly expired without anyone noticing (or at least no one took proper action). I was in that situation a couple of ...
Héctor_J__Sánc1 (Nimbostratus), Mar 07, 2016
Another update/fix:
#!/bin/bash
# Author: dadalife
# Check if unit is active and if it is the script should continue:
ACTIVE=$(tmsh show cm failover-status | grep -c ACTIVE)
if (( ACTIVE == 1 )); then
    echo -e "Unit is active. Proceeding...\n"
    SCRIPTPATH='/root/'
    MAIL=''
    MAILCC=''
    NUMREPORTED=0
    NUMFLAGGED=0
    NUMCRITICAL=0
    # Certificates whose file name contains any of these strings are skipped
    IGNORE=('bundle')
    # Body appended to every notification e-mail
    BODY="\n\nIf it was not previously done, please create a Jira for Operations team in order to renew the certificate.\n\nIgnore this alarm if the certificate is /Common/ca-bundle.crt\n\nThis is an auto-generated e-mail from the BIG-IP."
    rm -f "$SCRIPTPATH"expiringcerts.txt
    # flaggedcerts.txt must exist on the first run, otherwise the grep below fails
    touch "$SCRIPTPATH"flaggedcerts.txt
    # Create a list of all expiring certificates:
    tmsh -c "cd /; run sys crypto check-cert" | grep 'will expire' | awk -F 'in file' '{print $2}' | awk -F ' GMT' '{print $1}' >> "$SCRIPTPATH"expiringcerts.txt
    echo "A list of all expiring certificates has been created!"
    # Send an email for each certificate if it has not already been sent:
    echo -e "\nChecking for expiring certificates..."
    > "$SCRIPTPATH"tempflagged.txt
    while read -r line; do
        CERT=$(echo "$line" | awk '{print $1}')
        for i in "${IGNORE[@]}"; do
            if [[ "$CERT" == *"$i"* ]]; then
                echo "Ignoring $CERT"
                continue 2
            fi
        done
        # Split on "expire on" or "expired on" (older TMOS versions print the latter)
        CERTEXPIRE=$(echo "$line" | awk -F 'expired? on ' '{print $2}')
        FLAGGED=$(grep -cF -- "$CERT" "$SCRIPTPATH"flaggedcerts.txt)
        if (( FLAGGED == 0 )); then
            echo "$CERT" >> "$SCRIPTPATH"tempflagged.txt
            echo -e "$CERT expires on $CERTEXPIRE GMT.$BODY" | mail -s "$CERT expires on $CERTEXPIRE GMT" $MAIL -c $MAILCC
            echo "--> $CERT reported to servicedesk."
            NUMREPORTED=$((NUMREPORTED + 1))
        else
            echo "$CERT" >> "$SCRIPTPATH"tempflagged.txt
            echo "--> $CERT has already been flagged"
            NUMFLAGGED=$((NUMFLAGGED + 1))
        fi
    done < "$SCRIPTPATH"expiringcerts.txt
    cp "$SCRIPTPATH"tempflagged.txt "$SCRIPTPATH"flaggedcerts.txt
    echo -e "Check for expiring certificates done!"
    # Check if a certificate is less than a week from expiring:
    CURRENTTIMEEPOCH=$(date +%s)
    echo -e "\nChecking for almost expired certificates..."
    while read -r line; do
        CERT=$(echo "$line" | awk '{print $1}')
        for i in "${IGNORE[@]}"; do
            if [[ "$CERT" == *"$i"* ]]; then
                echo "Ignoring $CERT"
                continue 2
            fi
        done
        CERTEXPIRE=$(echo "$line" | awk -F 'expired? on ' '{print $2}')
        CERTEXPIREEPOCH=$(date --date="$CERTEXPIRE" +%s)
        CERTEXPIREDIFF=$((CERTEXPIREEPOCH - CURRENTTIMEEPOCH))
        # 604800 seconds = 7 days; already expired certificates also land here
        if (( CERTEXPIREDIFF < 604800 )); then
            echo -e "$CERT expires on $CERTEXPIRE GMT.$BODY" | mail -s "WARNING: $CERT EXPIRES IN LESS THAN A WEEK!!" $MAIL -c $MAILCC
            echo "--> WARNING: $CERT EXPIRES IN LESS THAN A WEEK!!"
            NUMCRITICAL=$((NUMCRITICAL + 1))
        fi
    done < "$SCRIPTPATH"expiringcerts.txt
    echo "Check for almost expired certificates done!"
    echo -e "\nCertification check done!"
    # Send a status email:
    echo -e "Hi Héctor\n\nYour script did its job!!\n\nNumber of newly reported certificates: '$NUMREPORTED'\nNumber of already flagged certificates: '$NUMFLAGGED'\nNumber of critical certificates: '$NUMCRITICAL'\n\nYours Sincerely\nThe BIG-IP" | mail -s "Everything went well!" $MAILCC
else
    echo "Unit is standby. No action taken!"
fi
Had to change grep 'will expired' to grep 'will expire', and now you can ignore certs to reduce the noise. Also removed the partition loop; you can check all certs from the root dir.
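As an added example (not part of the original post or the script above), here is the parsing and threshold logic of the script's two loops written as testable Python, with one pattern that accepts both the "will expire on" wording and the older "will expired on" wording that the awk split in the script did not cover. The sample lines, their date layout and the fixed "now" are constructed assumptions, not verified check-cert output.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the shape the script's grep/awk pipeline expects.
# The exact wording and date layout of `tmsh run sys crypto check-cert` is an
# assumption here; the two spellings of "expire" mirror the grep fix discussed above.
SAMPLE_LINES = [
    "Certificate /Common/web.crt in file /config/ssl/ssl.crt/web.crt will expire on Jan 10 2016 12:00:00 GMT",
    "Certificate /Common/api.crt in file /config/ssl/ssl.crt/api.crt will expired on Mar 09 2016 08:30:00 GMT",
    "Certificate /Common/mail.crt in file /config/ssl/ssl.crt/mail.crt will expire on Apr 20 2016 00:00:00 GMT",
    "Certificate /Common/ca-bundle.crt in file /config/ssl/ssl.crt/ca-bundle.crt will expire on Mar 08 2016 00:00:00 GMT",
]
SAMPLE_NOW = datetime(2016, 3, 7, tzinfo=timezone.utc)  # fixed "now" for a reproducible run

# One pattern covers both spellings, which is where an awk -F 'expired on ' split breaks.
LINE_RE = re.compile(r"in file (?P<path>\S+) will expired? on (?P<when>.+?) GMT")
CRITICAL_SECONDS = 7 * 24 * 3600  # the script's one-week threshold (604800 s)

def parse_line(line):
    """Return (certificate file path, expiry as UTC datetime), or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    when = datetime.strptime(m.group("when"), "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return m.group("path"), when

def classify(line, now=SAMPLE_NOW, ignore=("bundle",)):
    """'ignored' (path contains an IGNORE token), 'critical' (less than a week left,
    or already expired, exactly like the script's diff < 604800 test), 'expiring'
    otherwise, or None for a line the pattern does not match."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    path, expiry = parsed
    if any(token in path for token in ignore):
        return "ignored"
    remaining = (expiry - now).total_seconds()
    return "critical" if remaining < CRITICAL_SECONDS else "expiring"

def report(lines, now=SAMPLE_NOW, ignore=("bundle",)):
    """Tally outcomes, mirroring the script's NUMCRITICAL counter plus the ignored ones."""
    counts = {"critical": 0, "expiring": 0, "ignored": 0}
    for line in lines:
        result = classify(line, now, ignore)
        if result is not None:
            counts[result] += 1
    return counts

if __name__ == "__main__":
    print(report(SAMPLE_LINES))  # {'critical': 2, 'expiring': 1, 'ignored': 1}
```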