adrien 44930cf08d
Add checks if required tools are installed and log functionality
3 weeks ago

README.md

tls-checker

This script checks whether the TLS certificate of each domain name given as an argument expires within the specified number of seconds and, if so, sends a message through a Telegram bot.

Introduction

On CentOS, TLS certificates are installed in /etc/pki/tls/certs/domain.fr/cert.pem where domain.fr is the domain name linked to the certificate.

The validity of a certificate can be checked in several ways. This script uses the openssl x509 utility.

The following command checks whether the certificate expires within the next 172800 seconds. It prints "Certificate will expire" and exits with status 1 if it does, or prints "Certificate will not expire" and exits with status 0 if it does not. Note that -checkend only compares the certificate's notAfter date with the current time plus the given number of seconds: an already-expired certificate is reported the same way, and the chain, the hostname and the revocation status are not checked.

sudo openssl x509 -checkend 172800 -in /etc/pki/tls/certs/domain.fr/cert.pem
Certificate will not expire

This script is based on this command.

Requirements

System

This script can run on any GNU/Linux machine, but it was written for CentOS 7 and 8 (mainly because of the certificate path), and you can of course change that value.

This script is meant for certificates generated using the method I describe in this article: https://illuad.fr/2020/09/07/obtain-an-elliptic-curve-certificate-from-let-s-encrypt.html.

This script uses the openssl and curl commands, so make sure they are installed on your system.

The file /etc/pki/tls/certs/domain.fr/cert.pem belongs to the root user, so it is necessary to run this script with root rights.

Software

Since the alert is sent through a Telegram bot, you need one configured. I wrote an article about this topic here: https://illuad.fr/2020/10/27/get-a-telegram-alert-on-a-ssh-login-with-pam.html

Installation

Since this script must be executed with root rights, it is good practice to place it in /usr/local/sbin/. Review the downloaded file before running it as root, and keep it unreadable by other users (hence the chmod 750 below), because the Telegram bot token is stored inside it.

sudo curl -Lo /usr/local/sbin/tls-checker -sSf https://gitea.illuad.fr/adrien/tls-checker/raw/branch/master/tls-checker
sudo chmod 750 /usr/local/sbin/tls-checker

Create the log directory.

sudo mkdir -p /var/log/tls-checker

Configuration

This script requires 4 variables to be set in order to work: key, chat_id, expiration and openssl_config.

Variables key and chat_id hold the bot API token and the chat id obtained during the bot creation process. Variable expiration is the window, in seconds, within which an expiring certificate triggers an alert: there are 86400 seconds in 24 hours, so for the default of 2 days set it to 2 * 86400 = 172800. Variable openssl_config is the path of the custom OpenSSL configuration file; if you followed the article mentioned above, this path is /etc/openssl.cnf.

Quick variable setup

For the key variable. Note that the token passed on the command line also ends up in your shell history; editing the file in place avoids that.

sudo sed -i "s/key=/key=<your_key>/" /usr/local/sbin/tls-checker

For the chat_id variable.

sudo sed -i "s/chat_id=/chat_id=<your_chat_id>/" /usr/local/sbin/tls-checker

For the expiration variable.

sudo sed -i "s/expiration=172800/expiration=<your_expiration>/" /usr/local/sbin/tls-checker

For the openssl_config variable (don't forget to escape / with \, or use another sed delimiter such as |).

sudo sed -i "s/openssl_config=\/etc\/openssl.cnf/openssl_config=<your_path>/" /usr/local/sbin/tls-checker
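As an added example, not the project's own tls-checker script, the following shell script ties the openssl x509 -checkend check from the Introduction to the four variables above and to the Telegram Bot API sendMessage request that curl has to make. The names cert_root and logfile, the TLS_CHECKER_CERT_ROOT, TLS_CHECKER_LOG and TLS_CHECKER_DRY_RUN switches, the log-line format and the use of OPENSSL_CONF to hand the custom configuration to openssl are all assumptions of this example; the real script may handle them differently.

```shell
#!/bin/sh
# Added example, not the project's tls-checker script: a check-and-alert loop
# built on `openssl x509 -checkend` and the Telegram Bot API sendMessage call.
# The four settings mirror the README; cert_root, logfile, the TLS_CHECKER_*
# environment switches and the message wording are assumptions of this example.
set -u

key=""                              # Telegram bot API token
chat_id=""                          # Telegram chat id
expiration=172800                   # alert window in seconds (2 days)
openssl_config=/etc/openssl.cnf     # custom OpenSSL config, used only if readable
cert_root=${TLS_CHECKER_CERT_ROOT:-/etc/pki/tls/certs}            # CentOS layout
logfile=${TLS_CHECKER_LOG:-/var/log/tls-checker/tls-checker.log}

# Assumption: the custom config reaches openssl through the OPENSSL_CONF variable.
[ -r "$openssl_config" ] && export OPENSSL_CONF="$openssl_config"

log() {   # log MESSAGE: timestamped line to the log file, or to stderr if unwritable
    line="$(date -u +%Y-%m-%dT%H:%M:%SZ) $1"
    if [ -w "$(dirname "$logfile")" ]; then echo "$line" >>"$logfile"; else echo "$line" >&2; fi
}

# cert_status DOMAIN: prints a one-line detail on stdout and returns
#   0 = valid for at least $expiration more seconds
#   1 = expires within $expiration seconds (an already-expired cert lands here too)
#   2 = certificate file missing or unreadable
cert_status() {
    cert="$cert_root/$1/cert.pem"
    [ -r "$cert" ] || { echo "cannot read $cert"; return 2; }
    # -checkend only compares notAfter with now+N; the chain, the hostname and
    # revocation are not validated here.
    if openssl x509 -noout -checkend "$expiration" -in "$cert" >/dev/null 2>&1; then
        echo "valid for more than $expiration seconds"
        return 0
    fi
    not_after=$(openssl x509 -noout -enddate -in "$cert" 2>/dev/null | sed 's/^notAfter=//')
    echo "expires $not_after"
    return 1
}

# send_alert TEXT: POST to the Bot API. With TLS_CHECKER_DRY_RUN=1 the request is
# only echoed, so the rest of the script can be exercised without a network.
send_alert() {
    url="https://api.telegram.org/bot${key}/sendMessage"
    if [ "${TLS_CHECKER_DRY_RUN:-0}" = 1 ]; then
        echo "DRY RUN: POST $url chat_id=$chat_id text=$1"
        return 0
    fi
    # -f turns HTTP errors into a non-zero exit so a failed send is logged below;
    # --data-urlencode keeps spaces and punctuation in the message intact.
    curl -sSf -X POST "$url" -d "chat_id=$chat_id" --data-urlencode "text=$1" >/dev/null
}

# main DOMAIN...: check every domain, alert on each problem, exit with the worst status.
main() {
    for tool in openssl curl; do
        command -v "$tool" >/dev/null 2>&1 || { log "missing required tool: $tool"; return 3; }
    done
    [ $# -gt 0 ] || { echo "usage: $0 domain [domain ...]" >&2; return 3; }
    worst=0
    for domain in "$@"; do
        detail=$(cert_status "$domain"); status=$?
        log "$domain: $detail"
        [ "$status" -eq 0 ] && continue
        [ "$status" -gt "$worst" ] && worst=$status
        send_alert "$(uname -n): TLS certificate for $domain: $detail" \
            || log "$domain: Telegram send failed"
    done
    return "$worst"
}

# Run only when domains are given, so the functions can also be sourced on their own.
[ $# -eq 0 ] || main "$@"
```

Run it as root with the domain names as arguments, as in the cron line of the Automation section. The exit status is 0 when every certificate is fine, 1 when at least one expires within the window, 2 when a certificate file could not be read and 3 when openssl or curl is missing, so cron or a wrapper can act on it. Setting TLS_CHECKER_DRY_RUN=1 prints the Telegram request instead of sending it, which lets you rehearse the script on a test machine without a bot.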

Automation

Running this script automatically is a good idea. Here is what the root user's crontab should contain.

sudo crontab -l
0 1 * * * /usr/local/sbin/tls-checker domain.fr dev.domain.fr prod.domain.fr

Every day at 1:00 am, the script checks the validity of the certificates for the 3 domain names passed as arguments.