SSL Certificate Alerts via Email
Hello,
This is my first post here. I am relatively new to this and have been lightly working with the F5 for a few years, but nothing to this extent. I am trying to set up receiving emails for when my certificates are about to expire. I am trying to run this on a weekly basis using cron. I have followed:
https://community.f5.com/t5/crowdsrc/ssl-certicate-report/ta-p/278398
I am able to receive emails when doing the following command:
echo "Automated SSL Certificate Report" | mail -vs "Test Email for Automated SSL Certificate Report" my@email.com
When I try to run my script I am not able to receive an email and I am not getting anything back. Here is what I have so far:
Command:
tmsh edit cli script certificatereport.tcl
Output:
modify script certificatereport.tcl {
    proc script::run {} {
        # Iterate through certs in files
        set hostname [exec {/bin/hostname}]
        set reportdate [exec {/bin/date}]
        puts "---------------------------------------------------------------------"
        puts "Certificate report for BIG-IP $hostname "
        puts "Report Date: $reportdate"
        puts "---------------------------------------------------------------------"
        puts "\n\n"
        set certcount 0
        set certproblems 0
        set certwarnings 0
        foreach file [glob -directory /config/filestore/files_d/Common_d/certificate_d/ * ] {
            incr certcount
            # Get Certificate Subject
            set cn [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-subject" "|" "grep" "subject"] "=" ] end]
            set start [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-startdate" "|" "grep" "Before"] '='] 1]
            set stop [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-enddate" "|" "grep" "After"] '='] 1]
            # Clean up bad X509 date fields removing multiple spaces before tokenizing them
            regsub -all -- {[[:space:]]+} $start " " start
            regsub -all -- {[[:space:]]+} $stop " " stop
            set startparts [split $start]
            set stopparts [split $stop]
            set activatedseconds [expr {[clock scan "[lindex $startparts 0] [lindex $startparts 1], [lindex $startparts 3]"] - [clock seconds]}]
            set expiredseconds [expr {[clock seconds] - [clock scan "[lindex $stopparts 0] [lindex $stopparts 1], [lindex $stopparts 3]"]}]
            # Date Math
            if { $activatedseconds > 0 } {
                puts "File: $file"
                puts "\tCN: $cn certificate"
                puts "\tError: certificate is not valid yet. It will be valid on $start."
                puts "\tActivates in: [expr {$activatedseconds / 86400}] days."
                puts "---------------------------------------------------------------------"
                incr certproblems
            #} elseif { $expiredseconds > 0 } {
                # puts "File: $file"
                # puts "\tCN: $cn certificate"
                # puts "\tError: is not valid because it HAS EXPIRED on $stop."
                #puts "\tEXPIRED: [expr {$expiredseconds / 86400}] days ago."
                #puts "---------------------------------------------------------------------"
                #incr certproblems
            } elseif { [expr {$expiredseconds * -1}] < 2629743 } {
                # All certs that will expire within this month
                puts "File: $file"
                puts "\tCN: $cn certificate"
                puts "\tError: WILL EXPIRE ON $stop."
                puts "\tWILL EXPIRE IN: [expr {$expiredseconds / -86400}] days."
                puts "---------------------------------------------------------------------"
                incr certwarnings
            }
        }
        puts "\n"
        puts "$certcount Certificates Found"
        puts "$certproblems Certificate Errors Found"
        puts "$certwarnings Certificate Warnings Found"
    }
}
*Note: I am able to run this using the command run cli script certificatereport.tcl and receive the correct output.
Command:
cat automated_certificate_email.sh
Output:
tmsh run cli script certificatereport.tcl > /var/tmp/certificate-out.txt
from="myf5@domain.com"
to="my@email.com"
subject="Automated SSL Certificate Report"
mail -s "$subject" -r "$from" -a "/var/tmp/certificate-out.txt" "$to"
I have not bothered with setup of the crontab configuration yet until I can run the script using the following command and actually receive the email:
Command:
./automated_certificate_email.sh
*Right now when I run this command it will create a file and put the output in the correct certificate-out.txt, and I can view it using cat certificate-out.txt, but it never finishes running and never sends the email.
Leslie_Hubertus - I was actually able to fix the issue. I wasn't able to find anything wrong with the current configuration that I had, so I went ahead with the crontab creation. I put in the following code and now I am receiving emails daily at 0801. I still cannot get it to run using ./automated_certificate_email.sh but it is sending emails and that is all that I wanted. Now to move on to more alerts.
## Section for Automated SSL Certificate Report
01 08 * * * /var/tmp/automated_certificate_email.sh
## End Section for Automated SSL Certificate Report
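Added example, not part of the original posts: mail reads the message body from standard input, which the working test above supplied with echo and a pipe, while the wrapper script gives it none, so a run from an interactive shell waits at the terminal and a cron job (started without a terminal) does not. The variant below sends the report as the body and writes it to a private temporary file instead of a fixed name in /var/tmp; the function name and the --send switch are assumptions of this example.

```shell
#!/bin/bash
# Added example: wrapper around the report script from the post.
# send_cert_report and --send are hypothetical names used only here.

send_cert_report() {
    local from="myf5@domain.com"
    local to="my@email.com"
    local subject="Automated SSL Certificate Report"
    local report rc

    # Unpredictable, owner-only file rather than a fixed path in /var/tmp.
    report=$(mktemp "${TMPDIR:-/var/tmp}/certificate-out.XXXXXX") || return 1

    # Stop if the report cannot be generated instead of mailing an empty file.
    if ! tmsh run cli script certificatereport.tcl > "$report"; then
        rm -f "$report"
        return 1
    fi

    # Redirecting the report into mail supplies the body and an end-of-file,
    # so mail sends and exits whether or not a terminal is attached.
    mail -s "$subject" -r "$from" "$to" < "$report"
    rc=$?
    rm -f "$report"
    return $rc
}

# Send only when asked to, so the file can also be sourced for testing.
if [ "${1:-}" = "--send" ]; then
    send_cert_report
fi
```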