tls-checker
This script checks whether the TLS certificate of each domain name given as argument expires within the specified number of seconds and sends a message to a Telegram bot.
Introduction
On CentOS, TLS certificates are installed in /etc/pki/tls/certs/domain.fr/cert.pem, where domain.fr is the domain name linked to the certificate.
The validity of a certificate can be checked in several ways. This script uses the openssl x509 utility.
The following command checks whether the certificate expires within the next 172800 seconds; it exits nonzero if it will expire and zero if it will not.
sudo openssl x509 -checkend 172800 -in /etc/pki/tls/certs/domain.fr/cert.pem
Certificate will not expire
This script is based on this command.
Requirements
System
This script can run on any GNU/Linux machine. However, it was written for CentOS 7 or 8 (mainly for the certificate path), but you can of course change that path.
This script is made to renew certificates that have been generated using the method I describe in this article: https://illuad.fr/2020/09/07/obtain-an-elliptic-curve-certificate-from-let-s-encrypt.html.
This script uses the openssl and curl commands, so make sure they are installed on your system.
The file /etc/pki/tls/certs/domain.fr/cert.pem belongs to the root user, so it is necessary to run this script with root rights.
Software
Since a message is sent to a Telegram bot, it is necessary to have one configured. I wrote an article about this topic here: https://illuad.fr/2020/10/27/get-a-telegram-alert-on-a-ssh-login-with-pam.html
Installation
Since this script must be executed with root rights, it is a good practice to place it in /usr/local/sbin/.
curl -LOsSf https://gitea.illuad.fr/adrien/tls-checker/raw/branch/master/tls-checker.sh
sudo mv tls-checker.sh /usr/local/sbin
sudo chmod 750 /usr/local/sbin/tls-checker.sh
Create the log directory.
sudo mkdir -p /var/log/tls-checker
Configuration
This script requires the configuration of 4 variables to work: key, chat_id, expiration and openssl_config.
Variables key and chat_id correspond to the API key and the chat id obtained during the bot creation process.
Variable expiration corresponds to the number of seconds within which you want to know whether the certificate will expire. If you want to know whether your certificate will expire within 2 days (the default), set expiration to 172800. Multiply the number of days you want by 86400 (2 * 86400 = 172800), because there are 86400 seconds in 24 hours.
Variable openssl_config corresponds to the path of the custom OpenSSL configuration file. If you followed the article mentioned above, this path is /etc/openssl.cnf.
Fast variables setting
For the key variable.
sudo sed -i "s/key=/key=<your_key>/" /usr/local/sbin/tls-checker.sh
For the chat_id variable.
sudo sed -i "s/chat_id=/chat_id=<your_chat_id>/" /usr/local/sbin/tls-checker.sh
For the expiration variable.
sudo sed -i "s/expiration=172800/expiration=<your_expiration>/" /usr/local/sbin/tls-checker.sh
For the openssl_config variable (don't forget to escape / with \).
sudo sed -i "s/openssl_config=\/etc\/openssl.cnf/openssl_config=<your_path>/" /usr/local/sbin/tls-checker.sh
Automation
Running this script automatically is a good idea; here is what the root user's cron jobs should contain.
sudo crontab -l
0 1 * * * /usr/local/sbin/tls-checker.sh domain.fr dev.domain.fr prod.domain.fr
Every day at 1:00 am, the script checks the validity of the certificates for the 3 domain names passed as arguments.
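As an added example, not the project's own tls-checker.sh, here is a minimal checker assembled from the pieces described above: the openssl x509 -checkend test, the key, chat_id and expiration variables, the Telegram bot message and the per-domain arguments from the cron line. The cert_dir variable, the function names and the alert texts are assumptions; the check also reports a missing or unreadable certificate file separately, so a wrong path or a run without root rights is not mistaken for a valid certificate.

```shell
#!/bin/bash
# Added example (not the project's tls-checker.sh) built on the README's openssl x509 -checkend test.
# Assumed settings; key and chat_id are placeholders for the user's own values.
key=""
chat_id=""
expiration=172800                # 2 days * 86400 seconds
cert_dir=/etc/pki/tls/certs      # CentOS layout from the README: <dir>/<domain>/cert.pem

# check_cert <file> <seconds>: 0 if the certificate is still valid after <seconds>,
# 1 if it expires within that window, 2 if the file is missing or unreadable
# (e.g. when run without root rights), so that case is never reported as valid.
check_cert() {
  cert="$1"; seconds="$2"
  [ -r "$cert" ] || return 2
  if openssl x509 -checkend "$seconds" -noout -in "$cert" >/dev/null 2>&1; then
    return 0
  else
    return 1
  fi
}

# Expiry date of a certificate, for the alert text.
cert_not_after() {
  openssl x509 -noout -enddate -in "$1" 2>/dev/null | sed 's/^notAfter=//'
}

# Send a message through the Telegram Bot API sendMessage method.
notify_telegram() {
  curl -sS -X POST "https://api.telegram.org/bot${key}/sendMessage" \
    --data-urlencode "chat_id=${chat_id}" \
    --data-urlencode "text=$1" >/dev/null
}

# Check every domain name given as argument (as on the README's cron line).
# Returns 1 if any certificate is expiring or unreadable, 0 otherwise.
main() {
  rc=0
  for domain in "$@"; do
    cert="${cert_dir}/${domain}/cert.pem"
    check_cert "$cert" "$expiration" && status=0 || status=$?
    case $status in
      0) echo "$domain: valid until $(cert_not_after "$cert")" ;;
      1) notify_telegram "TLS certificate for $domain expires on $(cert_not_after "$cert")"; rc=1 ;;
      *) notify_telegram "TLS certificate for $domain is missing or unreadable at $cert"; rc=1 ;;
    esac
  done
  return $rc
}
main "$@"
```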