Tyler_Nelson
Jun 13, 2022
Solved

SSL Certificate Alerts via Email

Hello, 

This is my first post here and I am relatively new to this and have been lightly working with the F5 for a few years but nothing to this extent. I am trying to set up receiving emails for when my certificates are about to expire. I am trying to run this on a weekly basis using cron. I have followed:

https://community.f5.com/t5/crowdsrc/ssl-certicate-report/ta-p/278398

I am able to receive emails when doing the following command:

echo "Automated SSL Certificate Report" | mail -vs "Test Email for Automated SSL Certificate Report" my@email.com

When I try to run my script I am not able to receive an email and am not getting anything back. Here is what I have so far:

Command:
tmsh edit cli script certificatereport.tcl
Output: 

modify script certificatereport.tcl {
    proc script::run {} {
        # Iterate through certs in files
        set hostname [exec {/bin/hostname}]
        set reportdate [exec {/bin/date}]

        puts "---------------------------------------------------------------------"
        puts "Certificate report for BIG-IP $hostname "
        puts "Report Date: $reportdate"
        puts "---------------------------------------------------------------------"
        puts "\n\n"

        set certcount 0
        set certproblems 0
        set certwarnings 0

        foreach file [glob -directory /config/filestore/files_d/Common_d/certificate_d/ * ] {
            incr certcount
            # Get Certificate Subject
            set cn [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-subject" "|" "grep" "subject"] "=" ] end]
            set start [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-startdate" "|" "grep" "Before"] '='] 1]
            set stop [lindex [split [exec "/usr/bin/openssl" "x509" "-in" $file "-enddate" "|" "grep" "After"] '='] 1]
            # Clean up bad X509 date fields removing multiple spaces before tokenizing them
            regsub -all -- {[[:space:]]+} $start " " start
            regsub -all -- {[[:space:]]+} $stop " " stop
            set startparts [split $start]
            set stopparts [split $stop]
            set activatedseconds [expr {[clock scan "[lindex $startparts 0] [lindex $startparts 1], [lindex $startparts 3]"] - [clock seconds]}]
            set expiredseconds [expr {[clock seconds] - [clock scan "[lindex $stopparts 0] [lindex $stopparts 1], [lindex $stopparts 3]"]}]
            # Date Math
            if { $activatedseconds > 0 } {
                puts "File: $file"
                puts "\tCN: $cn certificate"
                puts "\tError: certificate is not valid yet. It will be valid on $start."
                puts "\tActivates in: [expr {$activatedseconds / 86400}] days."
                puts "---------------------------------------------------------------------"
                incr certproblems
            #} elseif { $expiredseconds > 0 } {
                # puts "File: $file"
                # puts "\tCN: $cn certificate"
                # puts "\tError: is not valid because it HAS EXPIRED on $stop."
                #puts "\tEXPIRED: [expr {$expiredseconds / 86400}] days ago."
                #puts "---------------------------------------------------------------------"
                #incr certproblems
            } elseif { [expr {$expiredseconds * -1}] < 2629743 } {
                # All certs that will expire within this month
                puts "File: $file"
                puts "\tCN: $cn certificate"
                puts "\tError: WILL EXPIRE ON $stop."
                puts "\tWILL EXPIRE IN: [expr {$expiredseconds / -86400}] days."
                puts "---------------------------------------------------------------------"
                incr certwarnings
            }
        }
        puts "\n"
        puts "$certcount Certificates Found"
        puts "$certproblems Certificate Errors Found"
        puts "$certwarnings Certificate Warnings Found"
    }
}

*Note: I am able to run this using Command run cli script certificatereport.tcl and receive the correct output.

Command:

cat automated_certificate_email.sh 

Output:

tmsh run cli script certificatereport.tcl > /var/tmp/certificate-out.txt
from="myf5@domain.com"
to="my@email.com"
subject="Automated SSL Certificate Report"
mail -s "$subject" -r "$from" -a "/var/tmp/certificate-out.txt" "$to"

I have not bothered with setup of the crontab configuration yet until I can run the script using the following command and actually receive the email:

Command:

./automated_certificate_email.sh

*Right now when I run this command it will create a file and put the output in the correct certificate-out.txt and I can view it using cat certificate-out.txt, but it never finishes running and never sends the email.

 

  • Tyler_Nelson
    Jun 27, 2022

    Leslie_Hubertus - I was actually able to fix the issue. I wasn't able to find anything wrong with the current configuration that I had so I went ahead with the crontab creation. I put in the following code and now I am receiving emails daily at 0801. I still cannot get it to run using ./automated_certificate_email.sh but it is sending emails and that is all that I wanted. Now to move on to more alerts.

    ## Section for Automated SSL Certificate Report
    01 08 * * * /var/tmp/automated_certificate_email.sh
    ## End Section for Automated SSL Certificate Report
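
An added example, not the poster's script or F5 code: `mail` reads the message body from standard input, so a run from a terminal with nothing piped in waits for end-of-file, while cron supplies no terminal to wait on. This version feeds the report in as the body, writes to an unpredictable temp file, and marks a failed report run in the subject; `REPORT_CMD`, `MAIL_CMD` and the positional arguments are assumptions added so the logic can be tried off-box.

```shell
#!/bin/sh
# Added example, not the poster's script. REPORT_CMD and MAIL_CMD are
# hypothetical override hooks; the defaults are the commands from the post.
REPORT_CMD=${REPORT_CMD:-"tmsh run cli script certificatereport.tcl"}
MAIL_CMD=${MAIL_CMD:-mail}

send_cert_report() {
    to=$1
    from=$2
    subject="Automated SSL Certificate Report"

    # Unpredictable temp file instead of a fixed name in world-writable /var/tmp.
    out=$(mktemp "${TMPDIR:-/var/tmp}/certificate-out.XXXXXX") || return 1

    # Flag a failed report run in the subject so an empty or partial report
    # is not mistaken for "no certificate warnings".
    if ! $REPORT_CMD > "$out" 2>&1; then
        subject="FAILED: $subject"
    fi

    # The report is the message body, read from the file on stdin, so mail
    # never sits waiting on the terminal for end-of-file.
    $MAIL_CMD -s "$subject" -r "$from" "$to" < "$out"
    rc=$?
    rm -f "$out"
    return $rc
}

# Send only when a recipient is given, e.g.:
#   ./automated_certificate_email.sh my@email.com myf5@domain.com
if [ $# -ge 1 ]; then
    send_cert_report "$1" "${2:-myf5@domain.com}"
fi
```

The same script can then be called from the crontab entry above with the recipient as its first argument.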

     

5 Replies

    • Tyler_Nelson

      I have done this as well; however, this does not give me the automation that I am looking for.

  • Hey Tyler_Nelson - following up on this... were you able to resolve your issue, or are you still not getting the automation you're looking for?


      • Leslie_Hubertus
        Ret. Employee

        Glad it worked out eventually!  Thanks for the update; hopefully it'll come in handy for another user.