SSL Certificate Report
Problem this snippet solves:
This script creates a text report detailing all invalid or soon-to-expire certificates in /config/ssl/ssl.crt/, using openssl to write out the certificate attributes.
Code:
cli script certificatereport.tcl {
    proc script::run {} {
        # Iterate through certs in files
        set hostname [exec {/bin/hostname}]
        set reportdate [exec {/bin/date}]
        puts "---------------------------------------------------------------------"
        puts "Certificate report for BIG-IP $hostname "
        puts "Report Date: $reportdate"
        puts "---------------------------------------------------------------------"
        puts "\n\n"
        set certcount 0
        set certproblems 0
        set certwarnings 0
        foreach file [glob -directory /config/ssl/ssl.crt/ *.crt] {
            incr certcount
            # Get Certificate Subject (last "=" separated field of the subject line, normally the CN)
            set cn [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-subject" "|" "grep" "subject"] "="] end]
            # Get the validity window ("notBefore=..." / "notAfter=..." lines)
            set start [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-startdate" "|" "grep" "Before"] "="] 1]
            set stop [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-enddate" "|" "grep" "After"] "="] 1]
            # Clean up bad X509 date fields removing multiple spaces before tokenizing them
            regsub -all -- {[[:space:]]+} $start " " start
            regsub -all -- {[[:space:]]+} $stop " " stop
            set startparts [split $start]
            set stopparts [split $stop]
            # Seconds until the cert becomes valid (positive = not valid yet)
            set activatedseconds [expr {[clock scan "[lindex $startparts 0] [lindex $startparts 1], [lindex $startparts 3]"] - [clock seconds]}]
            # Seconds since the cert expired (positive = already expired)
            set expiredseconds [expr {[clock seconds] - [clock scan "[lindex $stopparts 0] [lindex $stopparts 1], [lindex $stopparts 3]"]}]
            # Date Math
            if { $activatedseconds > 0 } {
                puts "File: $file"
                puts "\tCN: $cn certificate"
                puts "\tError: certificate is not valid yet. It will be valid on $start."
                puts "\tActivates in: [expr {$activatedseconds / 86400}] days."
                puts "---------------------------------------------------------------------"
                incr certproblems
            } elseif { $expiredseconds > 0 } {
                puts "File: $file"
                puts "\tCN: $cn certificate"
                puts "\tError: is not valid because it expired on $stop."
                puts "\tExpired: [expr {$expiredseconds / 86400}] days ago."
                puts "---------------------------------------------------------------------"
                incr certproblems
            } elseif { [expr {$expiredseconds * -1}] < 2629743 } {
                # All certs that will expire within this month (2629743 s is roughly one month)
                puts "File: $file"
                puts "\tCN: $cn certificate"
                puts "\tWarning: certificate will expire on $stop."
                puts "\tWill expire in: [expr {$expiredseconds / -86400}] days."
                puts "---------------------------------------------------------------------"
                incr certwarnings
            }
        }
        puts "\n"
        puts "$certcount Certificates Found"
        puts "$certproblems Certificate Errors Found"
        puts "$certwarnings Certificate Warnings Found"
    }
}
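The decision logic of the report (not valid yet, expired, or expiring within roughly a month) is worth seeing on its own, independent of tmsh. The following is an added example, not part of the code share above: it applies the same three-way classification and the same 2629743-second warning window to the text that `openssl x509 -noout -startdate -enddate` prints, against a fixed clock so the result is reproducible. The sample date lines and the file names are constructed, not taken from a real BIG-IP; the `openssl_dates` helper that would fetch real values via subprocess is included but not exercised by the sample run.

```python
"""Classify certificate validity windows from openssl-style date lines.

Added example (not from the original code share): mirrors the Tcl report's
branches on constructed input with a fixed 'now'.
"""
import subprocess
from datetime import datetime, timedelta, timezone

# Same threshold the Tcl script uses: 2629743 seconds, roughly one month.
WARN_WINDOW = timedelta(seconds=2629743)


def parse_openssl_date(line: str) -> datetime:
    """Parse 'notAfter=Jan  5 12:00:00 2025 GMT' into an aware UTC datetime.

    openssl pads single-digit days with two spaces; strptime treats a space in
    the format as 'one or more whitespace', so no regsub-style cleanup is needed.
    """
    value = line.split("=", 1)[1].strip()
    naive = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def classify(not_before: datetime, not_after: datetime, now: datetime):
    """Return (status, whole_days) following the report's three branches."""
    if now < not_before:
        return "not_yet_valid", (not_before - now).days
    if now > not_after:
        return "expired", (now - not_after).days
    remaining = not_after - now
    if remaining < WARN_WINDOW:
        return "expiring_soon", remaining.days
    return "ok", remaining.days


def report_from_text(start_line: str, end_line: str, now: datetime):
    """Classify one certificate given its notBefore/notAfter lines."""
    return classify(parse_openssl_date(start_line), parse_openssl_date(end_line), now)


def openssl_dates(path: str):
    """Fetch both date lines from a PEM file in one openssl call.

    Hypothetical helper for real use; requires openssl on PATH and is not run
    by the sample below. -noout avoids having to grep the PEM body away.
    """
    out = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-startdate", "-enddate"],
        capture_output=True, text=True, check=True,
    ).stdout
    lines = [l for l in out.splitlines() if "=" in l]
    start = next(l for l in lines if l.startswith("notBefore"))
    end = next(l for l in lines if l.startswith("notAfter"))
    return start, end


# Constructed sample input: a fixed clock and four certificates, one per branch.
NOW = datetime(2024, 6, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLES = {
    "expired.crt": ("notBefore=Jan  5 00:00:00 2023 GMT", "notAfter=Jan  5 00:00:00 2024 GMT"),
    "soon.crt":    ("notBefore=Jun 30 00:00:00 2023 GMT", "notAfter=Jul  1 00:00:00 2024 GMT"),
    "future.crt":  ("notBefore=Jul  1 00:00:00 2024 GMT", "notAfter=Jul  1 00:00:00 2025 GMT"),
    "good.crt":    ("notBefore=Jan  1 00:00:00 2024 GMT", "notAfter=Jan  1 00:00:00 2025 GMT"),
}


def run_report(samples=SAMPLES, now=NOW):
    """Classify every sample and return {filename: (status, days)}."""
    return {name: report_from_text(s, e, now) for name, (s, e) in samples.items()}


if __name__ == "__main__":
    for name, (status, days) in run_report().items():
        print(f"{name}: {status} ({days} days)")
```

Unlike the Tcl script, which feeds only "Mon DD, YYYY" to `clock scan` and so drops the time of day, this keeps the full timestamp; the day counts therefore round down from the exact remaining time, which is the conservative direction for an expiry warning.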
- Sumit_Kumar_Dub (Nimbostratus)
In addition to the above comment:
I am able to save the output to /var/tmp/cert-output.txt
But I need to execute the script automatically every month and get the report through an email. How can we achieve this?
- Sumit_Kumar_Dub (Nimbostratus)
Hi All,
I need help configuring a cron job to run the two commands below on an hourly basis. Could you please help me with the steps:
tmsh run cli script certificatereports.tcl > /var/tmp/cert-outputs.txt
echo "Message Body Here" | mailx -s "Subject Here" -a cert-outputs.txt name@domain.com
Hi Sumit,
Apologies for the late reply. Good to know that you already have SMTP set up.
The next easy step is to put a small script together with any mail agent (sendmail, mail or mailx) and have that script run from cron every month.
Go to /var/tmp/ and create a file named automatecertificatereports.sh.
Add the code below inside the automatecertificatereports.sh file.
#!/bin/sh
tmsh run cli script certificatereports.tcl > /var/tmp/cert-outputs.txt
from="abc@domain.com"
to="abc@domain.com,pqr@domain.com,xyz@domain.com"
subject="Automated SSL Certificate Report"
mail -s "$subject" -r "$from" -a "/var/tmp/cert-outputs.txt" "$to" << EOF
Hi Team,

Please find the attached SSL Certificate Report.

Thanks & Regards,
abc@domain.com
EOF
Change the permissions to make it executable.
chmod +x automatecertificatereports.sh
Now go to your crontab and list it first to see the existing cron jobs running.
crontab -l
You should see a couple of disk monitor checks, etc.
Always put some good comments before you make an entry for your cron job. Use crontab -e to edit/add your entries.
crontab -e
Go to the end of the section and add the 2 lines below,
## Section for Automated SSL Certificate Report - Monthly Cron - Start of month - 6 O'clk ##
0 6 1 * * /usr/bin/bash /var/tmp/automatecertificatereports.sh
You can edit this cron value according to your needs. For testing, try running it every day as a 1 AM report: 0 1 * * *
Hope this helps. Let us know if you have more concerns.