SSL Certificate Report
Problem this snippet solves:
This script creates a text report detailing all invalid or soon-to-expire certificates in /config/ssl/ssl.crt/, using openssl to write out the certificate attributes (subject, notBefore and notAfter) and comparing the dates against the current time.
Code:
```tcl
cli script certificatereport.tcl {
    proc script::run {} {
        # Iterate through certs in files
        set hostname [exec /bin/hostname]
        set reportdate [exec /bin/date]
        puts "---------------------------------------------------------------------"
        puts "Certificate report for BIG-IP $hostname "
        puts "Report Date: $reportdate"
        puts "---------------------------------------------------------------------"
        puts "\n\n"
        set certcount 0
        set certproblems 0
        set certwarnings 0
        foreach file [glob -directory /config/ssl/ssl.crt/ *.crt] {
            incr certcount
            # Get Certificate Subject: the last "=" field of the subject line, i.e. the CN when it is the final RDN
            set cn [lindex [split [exec /usr/bin/openssl x509 -in $file -subject | grep subject] "="] end]
            # Validity dates: "notBefore=Nov 19 09:52:09 2018 GMT" / "notAfter=..."; keep the part after "="
            set start [lindex [split [exec /usr/bin/openssl x509 -in $file -startdate | grep Before] "="] 1]
            set stop [lindex [split [exec /usr/bin/openssl x509 -in $file -enddate | grep After] "="] 1]
            # Clean up bad X509 date fields removing multiple spaces before tokenizing them
            regsub -all -- {[[:space:]]+} $start " " start
            regsub -all -- {[[:space:]]+} $stop " " stop
            set startparts [split $start]
            set stopparts [split $stop]
            # Only month (0), day (1) and year (3) are used; the time of day is dropped
            set activatedseconds [expr {[clock scan "[lindex $startparts 0] [lindex $startparts 1], [lindex $startparts 3]"] - [clock seconds]}]
            set expiredseconds [expr {[clock seconds] - [clock scan "[lindex $stopparts 0] [lindex $stopparts 1], [lindex $stopparts 3]"]}]
            # Date Math
            if { $activatedseconds > 0 } {
                puts "File: $file"
                puts "\tCN: $cn certificate"
                puts "\tError: certificate is not valid yet. It will be valid on $start."
                puts "\tActivates in: [expr {$activatedseconds / 86400}] days."
                puts "---------------------------------------------------------------------"
                incr certproblems
            } elseif { $expiredseconds > 0 } {
                puts "File: $file"
                puts "\tCN: $cn certificate"
                puts "\tError: is not valid because it expired on $stop."
                puts "\tExpired: [expr {$expiredseconds / 86400}] days ago."
                puts "---------------------------------------------------------------------"
                incr certproblems
            } elseif { [expr {$expiredseconds * -1}] < 2629743 } {
                # All certs that will expire within this month (2629743 seconds is roughly 30.44 days)
                puts "File: $file"
                puts "\tCN: $cn certificate"
                puts "\tWarning: certificate will expire on $stop."
                puts "\tWill expire in: [expr {$expiredseconds / -86400}] days."
                puts "---------------------------------------------------------------------"
                incr certwarnings
            }
        }
        puts "\n"
        puts "$certcount Certificates Found"
        puts "$certproblems Certificate Errors Found"
        puts "$certwarnings Certificate Warnings Found"
    }
}
```
Hi Mohammed,
Can you please run the command below and list the files:
ls -ltrh config/filestore/files_d/Common_d/certificate_d/*
I believe you're on v12; not sure if the cert location in v12 is different.
- Mohammed_M_Irfa (Nimbostratus)
Hi Jaikumar,
Please find the output below.
```
[root@BIG-IP_A_v12:Active:Standalone] config
[root@BIG-IP_A_v12:Active:Standalone] config ls -ltrh config/filestore/files_d/Common_d/certificate_d/*
ls: cannot access config/filestore/files_d/Common_d/certificate_d/*: No such file or directory
```
Running 12.1.2 Virtual Edition
```
[root@BIG-IP_A_v12:Active:Standalone] config tmsh show sys version
Sys::Version
Main Package
  Product  BIG-IP
  Version  12.1.2
  Build    0.0.249
  Edition  Final
  Date     Wed Nov 30 16:04:00 PST 2016
```
- Mohammed_M_Irfa (Nimbostratus)
Hi Jaikumar,
I have run the command below to verify the directory and found the three certificates listed below.
```
[root@BIG-IP_A_v12:Active:Standalone] config cd filestore/files_d/Common_d/certificate_d/
[root@BIG-IP_A_v12:Active:Standalone] certificate_d ls *.crt_*
:Common:ca-bundle.crt_19697_1  :Common:default.crt_19695_1  :Common:f5-irule.crt_19693_1
```
If I change the directory path as shown in the starting script, i.e. -directory /config/ssl/ssl.crt/ *.crt, then I also don't get any output.
```
[root@BIG-IP_A_v12:Active:Standalone] config cd /config/ssl/ssl.crt/
[root@BIG-IP_A_v12:Active:Standalone] ssl.crt ls *.crt_*
ls: cannot access *.crt_*: No such file or directory
[root@BIG-IP_A_v12:Active:Standalone] ssl.crt
[root@BIG-IP_A_v12:Active:Standalone] ssl.crt
[root@BIG-IP_A_v12:Active:Standalone] ssl.crt
[root@BIG-IP_A_v12:Active:Standalone] ssl.crt ls
ca-bundle.crt  default.crt  dtca-bundle.crt  dtca.crt  dtdi.crt  f5-irule.crt
```
Then the script is working totally fine:
```
(tmos) run cli script certificatereport.tcl
Certificate report for BIG-IP BIG-IP_A_v12.com
Report Date: Wed Nov 7 21:17:40 IST 2018
3 Certificates Found
```
Because there are just 3 certs. Can you run this command as well:
tmsh show sys crypto cert all
- Mohammed_M_Irfa (Nimbostratus)
Hi Jaikumar,
I got the results! I have created new SSL certs that expire in the next 6 days, 7 days, 8 days and 10 days, and by default there are 3 more SSL certs.
Thanks for the support and for responding!!!
```
root@(BIG-IP_A_v12)(cfg-sync Standalone)(Active)(/Common)(tmos) run cli script certificatereport.tcl
---------------------------------------------------------------------
Certificate report for BIG-IP BIG-IP_A_v12.com
Report Date: Fri Nov 9 23:51:57 IST 2018
---------------------------------------------------------------------
File: /config/filestore/files_d/Common_d/certificate_d/:Common:Test_10days.com.crt_39448_1
	CN: Test_10days.com certificate
	Error: is not valid because it expired on Nov 19 09:52:09 2018 GMT.
	Will Expired in: 9 days.
---------------------------------------------------------------------
File: /config/filestore/files_d/Common_d/certificate_d/:Common:Test_8days.com.crt_39442_1
	CN: Test_8days.com certificate
	Error: is not valid because it expired on Nov 17 09:51:48 2018 GMT.
	Will Expired in: 7 days.
---------------------------------------------------------------------
File: /config/filestore/files_d/Common_d/certificate_d/:Common:Test_6days.com.crt_39416_1
	CN: Test_6days.com certificate
	Error: is not valid because it expired on Nov 15 09:50:07 2018 GMT.
	Will Expired in: 5 days.
---------------------------------------------------------------------
File: /config/filestore/files_d/Common_d/certificate_d/:Common:Test_7days.com.crt_39436_1
	CN: Test_7days.com certificate
	Error: is not valid because it expired on Nov 16 09:51:28 2018 GMT.
	Will Expired in: 6 days.
---------------------------------------------------------------------
7 Certificates Found
0 Certificate Errors Found
4 Certificate Warnings Found
```
One question still remains the same, as I was looking for SSL certs expiring within 7 days or less.
As you can see in the output, I am getting all the SSL certs expiring in 6, 7, 8 and 10 days, respectively.
My expected result is that only the 6-day and 7-day SSL certs should appear.
I have answered in your thread, hope it helps.
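The script's warning branch uses a fixed window of 2629743 seconds (about one month), which is why the run above lists the 8-day and 10-day certs as well as the 6- and 7-day ones. As an added example (not the codeshare script and not Jaikumar's reply), the same three checks in Python with a configurable `warn_days` window, run over constructed `openssl x509 -subject/-startdate/-enddate` output lines whose notAfter values mirror the posted run; it also locates the CN by name instead of taking the last "=" field.

```python
# Added example (not the codeshare script): the same checks as certificatereport.tcl
# with a configurable expiry window, run over constructed openssl x509 output lines.
import re
from datetime import datetime, timedelta, timezone

OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"  # layout of openssl's notBefore=/notAfter= values

def parse_openssl_date(line):
    """'notAfter=Nov 19 09:52:09 2018 GMT' -> timezone-aware UTC datetime."""
    value = re.sub(r"\s+", " ", line.split("=", 1)[1].strip())  # openssl pads day < 10 with two spaces
    return datetime.strptime(value, OPENSSL_DATE).replace(tzinfo=timezone.utc)

def parse_cn(subject_line):
    """Pick the CN out of a subject line by name, whatever position it holds."""
    m = re.search(r"CN\s*=\s*([^/,]+)", subject_line)
    return m.group(1).strip() if m else "<no CN>"

def classify(not_before, not_after, now, warn_days):
    """Return (status, whole_days): the Tcl script's three branches, plus 'ok'."""
    if now < not_before:
        return "not_yet_valid", (not_before - now).days
    if now >= not_after:
        return "expired", (now - not_after).days
    remaining = not_after - now
    if remaining < timedelta(days=warn_days):  # the Tcl script hard-codes 2629743 s here
        return "expiring", remaining.days
    return "ok", remaining.days

def report(certs, now, warn_days=7):
    """certs: (subject_line, startdate_line, enddate_line) triples as openssl prints them."""
    rows, counts = [], {"errors": 0, "warnings": 0}
    for subject, start, end in certs:
        status, days = classify(parse_openssl_date(start), parse_openssl_date(end), now, warn_days)
        rows.append((parse_cn(subject), status, days))
        if status in ("expired", "not_yet_valid"):
            counts["errors"] += 1
        elif status == "expiring":
            counts["warnings"] += 1
    return rows, counts

# Constructed sample: notAfter values taken from the thread's run, plus one not-yet-valid cert.
SAMPLE_CERTS = [
    ("subject= /C=IN/O=Test/CN=Test_10days.com", "notBefore=Nov  9 09:52:09 2018 GMT", "notAfter=Nov 19 09:52:09 2018 GMT"),
    ("subject= /C=IN/O=Test/CN=Test_8days.com", "notBefore=Nov  9 09:51:48 2018 GMT", "notAfter=Nov 17 09:51:48 2018 GMT"),
    ("subject= /C=IN/O=Test/CN=Test_7days.com", "notBefore=Nov  9 09:51:28 2018 GMT", "notAfter=Nov 16 09:51:28 2018 GMT"),
    ("subject= /C=IN/O=Test/CN=Test_6days.com", "notBefore=Nov  9 09:50:07 2018 GMT", "notAfter=Nov 15 09:50:07 2018 GMT"),
    ("subject= /CN=future.example/O=Test", "notBefore=Dec  1 00:00:00 2018 GMT", "notAfter=Dec  1 00:00:00 2019 GMT"),
]
SAMPLE_NOW = datetime(2018, 11, 9, 18, 21, 57, tzinfo=timezone.utc)  # Fri Nov 9 23:51:57 IST 2018
```

With `warn_days=7` only Test_6days.com and Test_7days.com are reported as expiring (the 8-day cert still has more than 7 full days left), which is the result asked for above; with `warn_days=30` all four are flagged, matching the script's one-month window.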
- Sumit7595_36869 (Nimbostratus)
Hi Jaikumar,
How can I have this script run automatically every month and get the details through an email?
Regards, Sumit
- Sumit_Kumar_Dub (Nimbostratus)
Hi Jaikumar,
How can I have this script run automatically every month and get the details through an email?
Earlier Jason Adams mentioned converting this script to an iCall script to achieve this, but now I am not able to find his comment here.
Could you please help.
Regards,
Sumit D
Hi Sumit,
First you'll need to have the SMTP configuration set on your BIG-IP. You can follow the link below - https://support.f5.com/csp/article/K13180
Once that is set up, try sending a test mail. If you receive the test mail, your SMTP is configured properly.
I personally use a remote server as a jump server and run the script on multiple BIG-IPs. This way I need not configure multiple machines, and the output is saved locally on the remote machine itself. On the remote machine, I use sendmail or mail to simply send the output as an attachment, as this remote server is already configured with SMTP.
- Sumit_Kumar_Dub (Nimbostratus)
Hi Jaikumar,
Thanks for the update. I am able to configure SMTP on the BIG-IP LTM and I am able to receive the email as well. Now my second requirement is to execute this script every month, automatically, and get the output by email. Could you please help me achieve this?
Regards,
Sumit D