SSL Certificate Report
Problem this snippet solves:
This script creates a text report detailing all invalid or soon to expire certificates in /config/ssl/ssl.crt/ using openssl to write out the certificate attributes.
Code :
cli script certificatereport.tcl {
proc script::run {} {
# Iterate through certs in files
set hostname [exec {/bin/hostname}]
set reportdate [exec {/bin/date}]
puts "---------------------------------------------------------------------"
puts "Certificate report for BIG-IP $hostname "
puts "Report Date: $reportdate"
puts "---------------------------------------------------------------------"
puts "\n\n"
set certcount 0
set certproblems 0
set certwarnings 0
foreach file [glob -directory /config/ssl/ssl.crt/ *.crt] {
incr certcount
# Get Certificate Subject
set cn [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-subject" "|" "grep" "subject"] "=" ] end]
set start [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-startdate" "|" "grep" "Before"] '='] 1]
set stop [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-enddate" "|" "grep" "After"] '='] 1]
# Clean up bad X509 date fields removing multiple spaces before tokenizing them
regsub -all -- {[[:space:]]+} $start " " start
regsub -all -- {[[:space:]]+} $stop " " stop
set startparts [split $start]
set stopparts [split $stop]
set activatedseconds [expr {[clock scan "[lindex $startparts 0] [lindex $startparts 1], [lindex $startparts 3]"] - [clock seconds]}]
set expiredseconds [expr {[clock seconds] - [clock scan "[lindex $stopparts 0] [lindex $stopparts 1], [lindex $stopparts 3]"]}]
# Date Math
if { $activatedseconds > 0 } {
puts "File: $file"
puts "\tCN: $cn certificate"
puts "\tError: certificate is not valid yet. It will be valid on $start."
puts "\tActivates in: [expr {$activatedseconds / 86400}] days."
puts "---------------------------------------------------------------------"
incr certproblems
} elseif { $expiredseconds > 0 } {
puts "File: $file"
puts "\tCN: $cn certificate"
puts "\tError: is not valid because it expired on $stop."
puts "\tExpired: [expr {$expiredseconds / 86400}] days ago."
puts "---------------------------------------------------------------------"
incr certproblems
} elseif { [expr {$expiredseconds * -1}] < 2629743 } {
# All certs that will expire within this month
puts "File: $file"
puts "\tCN: $cn certificate"
puts "\tError: is not valid because it expired on $stop."
puts "\tWill Expired in: [expr {$expiredseconds / -86400}] days."
puts "---------------------------------------------------------------------"
incr certwarnings
}
}
puts "\n"
puts "$certcount Certificates Found"
puts "$certproblems Certificate Errors Found"
puts "$certwarnings Certificate Warnings Found"
}
}
CirrostratusCirrostratus23 Comments
jaikumar_f5Noctilucent
I am getting the below error for v11.x version. The cert path had been changed to certificate_d/
certificatereport.tcl: script failed to complete: can't eval proc: "script::run" unable to convert date-time string "Jul , 16:06:24" while executing "clock scan "[lindex $startparts 0] [lindex $startparts 1], [lindex $startparts 3]"" (procedure "script::run" line 23) invoked from within "script::run" line:1 script did not successfully complete, status:1I updated the script to:
1 - Enclose all 'exec' command statements in curly braces. 2 - Resolve the formatting of the regsub commands:
FROM:
regsub -all -- {[['''space''']]+} $start " " start regsub -all -- {[['''space''']]+} $stop " " stopTO:
regsub -all -- {[[:space:]]+} $start " " start regsub -all -- {[[:space:]]+} $stop " " stopI suspect this occurred during a DevCentral update at some point, so hope this is still helpful.
NOTE: There is a built-in command for this as well:
tmsh run sys crypto check-cert { log enabled stdout enabled verbose enabled }For help on the command:
tmsh help sys crypto check-cert- jaikumar_f5
Works like charm now. Thank you. I had to remove the total-signing-status not-all-signed from the script to make it work. It was throwing with errors.
Syntax Error: "total-signing-status" read-only propertyBut its weird it got auto added post I saved.
:Active:In Sync] tmsh list cli script certificatereport.tcl cli script certificatereport.tcl { proc script::run {} { Iterate through certs in files set hostname [exec {/bin/hostname}] set reportdate [exec {/bin/date}] puts "---------------------------------------------------------------------" puts "Certificate report for BIG-IP $hostname " puts "Report Date: $reportdate" puts "---------------------------------------------------------------------" puts "\n\n" set certcount 0 set certproblems 0 set certwarnings 0 foreach file [glob -directory /config/filestore/files_d/Common_d/certificate_d/ *.crt_*] { incr certcount Get Certificate Subject set cn [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-subject" "|" "grep" "subject"] "=" ] end] set start [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-startdate" "|" "grep" "Before"] '='] 1] set stop [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-enddate" "|" "grep" "After"] '='] 1] Clean up bad X509 date fields removing multiple spaces before tokenizing them regsub -all -- {[[:space:]]+} $start " " start regsub -all -- {[[:space:]]+} $stop " " stop set startparts [split $start] set stopparts [split $stop] set activatedseconds [expr {[clock scan "[lindex $startparts 0] [lindex $startparts 1], [lindex $startparts 3]"] - [clock seconds]}] set expiredseconds [expr {[clock seconds] - [clock scan "[lindex $stopparts 0] [lindex $stopparts 1], [lindex $stopparts 3]"]}] Date Math if { $activatedseconds > 0 } { puts "File: $file" puts "\tCN: $cn certificate" puts "\tError: certificate is not valid yet. It will be valid on $start." puts "\tActivates in: [expr {$activatedseconds / 86400}] days." puts "---------------------------------------------------------------------" incr certproblems } elseif { $expiredseconds > 0 } { puts "File: $file" puts "\tCN: $cn certificate" puts "\tError: is not valid because it expired on $stop." puts "\tExpired: [expr {$expiredseconds / 86400}] days ago." puts "---------------------------------------------------------------------" incr certproblems } elseif { [expr {$expiredseconds * -1}] < 2629743 } { All certs that will expire within this month puts "File: $file" puts "\tCN: $cn certificate" puts "\tError: is not valid because it expired on $stop." puts "\tWill Expired in: [expr {$expiredseconds / -86400}] days." puts "---------------------------------------------------------------------" incr certwarnings } } puts "\n" puts "$certcount Certificates Found" puts "$certproblems Certificate Errors Found" puts "$certwarnings Certificate Warnings Found" } total-signing-status not-all-signed } - Mohammed_M_Irfa
Nimbostratus
Hi Jaikumar,
I am getting an error while creating tcl file.
Error: Syntax Error: "total-signing-status" is a read-only property
Shall i too remove that line from script which you said.
can you please explain why we need to remove it
Thanks
- Mohammed_M_Irfa
Hi Janson,
I have create cli script tcl file and pasted the shared above scrip.
i am new in this, can you please help me in finding the output.
/var/log/ltm ? is this path where i can see the expire SSL certificates or else?
Thanks
Mohammed
Samir_Jha_52506Can you check the folder where
has created(Just guessing) Or grep the cert name in /config filecertificatereport.tclEx: grep certa* .
- Mohammed_M_Irfa
No , i am not getting the output in log file.
/var/log
cat ltm | grep certa*
No Logs
- jaikumar_f5
Hi Mohammed,
This is a cli script, when you execute the above shared script, it will not save the output in the /var/log/ path. The output will be in console itself.
:Active:In Sync] ~ tmsh run cli script certificatereport.tcl --------------------------------------------------------------------- Certificate report for BIG-IP hostname.company.com Report Date: Tue Nov 6 15:16:32 GMT 2018 --------------------------------------------------------------------- File: /config/filestore/files_d/Common_d/certificate_d/:Common:application_name.crt CN: abc.com certificate Error: is not valid because it expired on Oct 3 13:30:09 2018 GMT. Expired: 10 days ago. ---------------------------------------------------------------------If you require the output to be saved in the /var/ path, it requires modification. I will explain step-by-step of this existing sript, It will look something like below,
Please follow the below steps to create the script,
1st step is to create cli script, inside the tmsh, run the create cli script command,
(Active)(/Common)(tmos) create cli script certificatereport.tclOnce you hit enter, you'll see something like below - these are default 4 procedures,
create script certificatereport.tcl { proc script::init {} { } proc script::run {} { } proc script::help {} { } proc script::tabc {} { } }Since we have the script already, just delete all the lines, once you delete, it will be something like below,
create script certificatereport.tcl { }Now paste the code, so the final script will look something like below,
create script certificatereport.tcl { proc script::run {} { Iterate through certs in files set hostname [exec {/bin/hostname}] set reportdate [exec {/bin/date}] puts "---------------------------------------------------------------------" puts "Certificate report for BIG-IP $hostname " puts "Report Date: $reportdate" puts "---------------------------------------------------------------------" puts "\n\n" set certcount 0 set certproblems 0 set certwarnings 0 foreach file [glob -directory /config/filestore/files_d/Common_d/certificate_d/ *.crt_*] { incr certcount Get Certificate Subject set cn [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-subject" "|" "grep" "subject"] "=" ] end] set start [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-startdate" "|" "grep" "Before"] '='] 1] set stop [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-enddate" "|" "grep" "After"] '='] 1] Clean up bad X509 date fields removing multiple spaces before tokenizing them regsub -all -- {[[:space:]]+} $start " " start regsub -all -- {[[:space:]]+} $stop " " stop set startparts [split $start] set stopparts [split $stop] set activatedseconds [expr {[clock scan "[lindex $startparts 0] [lindex $startparts 1], [lindex $startparts 3]"] - [clock seconds]}] set expiredseconds [expr {[clock seconds] - [clock scan "[lindex $stopparts 0] [lindex $stopparts 1], [lindex $stopparts 3]"]}] Date Math if { $activatedseconds > 0 } { puts "File: $file" puts "\tCN: $cn certificate" puts "\tError: certificate is not valid yet. It will be valid on $start." puts "\tActivates in: [expr {$activatedseconds / 86400}] days." puts "---------------------------------------------------------------------" incr certproblems } elseif { $expiredseconds > 0 } { puts "File: $file" puts "\tCN: $cn certificate" puts "\tError: is not valid because it expired on $stop." puts "\tExpired: [expr {$expiredseconds / 86400}] days ago." puts "---------------------------------------------------------------------" incr certproblems } elseif { [expr {$expiredseconds * -1}] < 2629743 } { All certs that will expire within this month puts "File: $file" puts "\tCN: $cn certificate" puts "\tError: is not valid because it expired on $stop." puts "\tWill Expired in: [expr {$expiredseconds / -86400}] days." puts "---------------------------------------------------------------------" incr certwarnings } } puts "\n" puts "$certcount Certificates Found" puts "$certproblems Certificate Errors Found" puts "$certwarnings Certificate Warnings Found" } }Press esc, save and quit.
Finally run your script,
:Active:In Sync] ~ tmsh run cli script certificatereport.tcl --------------------------------------------------------------------- Certificate report for BIG-IP hostname.company.com Report Date: Tue Nov 6 15:16:32 GMT 2018 --------------------------------------------------------------------- File: /config/filestore/files_d/Common_d/certificate_d/:Common:application_name.crt CN: abc.com certificate Error: is not valid because it expired on Oct 3 13:30:09 2018 GMT. Expired: 10 days ago. --------------------------------------------------------------------- - jaikumar_f5
To get your output in a file, you can try this, this is easy way to do rather than modifying the script.
Active:In Sync] ~ > /var/tmp/cert-output.txt Active:In Sync] ~ tmsh run cli script certificatereport.tcl > /var/tmp/cert-output.txt - Mohammed_M_Irfa
Hi Jaikumar,
Thanks for the detail steps. I followed the step by step. i have run script but i don't found any of "will expire" or "Expired on"
(tmos) run cli script certificatereport.tcl
Certificate report for BIG-IP BIG-IP_A_v12.com
Report Date: Wed Nov 7 21:17:40 IST 2018
3 Certificates Found
0 Certificate Errors Found
0 Certificate Warnings Found
Can you please help to resolve this!
