diff options
| author | Luke Bratch <luke@bratch.co.uk> | 2018-11-21 22:38:13 +0000 |
|---|---|---|
| committer | Luke Bratch <luke@bratch.co.uk> | 2018-11-21 22:38:13 +0000 |
| commit | 123dd5844901cbfa2abd49cdb21989b7b4c5c296 (patch) | |
| tree | 7ee56091a330f463efdd6e4609f795636424b52d | |
Initial commit
| -rwxr-xr-x | certexpiry.sh | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/certexpiry.sh b/certexpiry.sh new file mode 100755 index 0000000..aa034ba --- /dev/null +++ b/certexpiry.sh @@ -0,0 +1,75 @@ +#!/bin/bash +set -euo pipefail + +# ==== Variables ==== +# Output warning if fewer than this number of seconds until expiry +WARNSECONDS=1209600 # Two weeks +# Bash array of host:port combinations to be checked +HOSTSANDPORTS=(irc.tghost.co.uk:6697 irc.lc8n.com:6697 irc.pgburton.com:6697 www.tghost.co.uk mail.tghost.co.uk:25 \ + mail.tghost.co.uk:143 mail.tghost.co.uk mumble.tghost.co.uk:64738 bladns.net www.lc8n.com \ + www.blatech.net upload.bratch.co.uk www.nokiaplan3.com davmail.tghost.co.uk:1143 bcal.tghost.co.uk \ + www.blaupload.co.uk up.org.je) +# ==== Variables ==== + +# Loop through all host:port combinations +for HOSTANDPORT in "${HOSTSANDPORTS[@]}" ; do + +# echo "DEBUG: HOSTANDPORT: $HOSTANDPORT." + + # Host before colon + HOST=$(echo "$HOSTANDPORT" | cut -d ":" -f "1") + # Port after colon, or nothing if no port given (assumes 443 later on) + PORT=$(echo "$HOSTANDPORT" | cut -s -d ":" -f "2") + +# echo "DEBUG: HOST: $HOST." + + # Assume no STARTTLS (unless special ports later on) + STARTTLS="" + + if [ "$PORT" = "" ] ; then + # Assume 443 if not port specified + PORT=443 + elif [ "$PORT" -eq 25 ] ; then + # Assume SMTP STARTTLS if port 25 + STARTTLS="-starttls smtp" + elif [ "$PORT" -eq 143 ] ; then + # Assume IMAP STARTTLS if port 143 + STARTTLS="-starttls imap" + fi + +# echo "DEBUG: PORT: $PORT." +# echo "DEBUG: STARTTLS: $STARTTLS." + + # Try various TLS versions against this host:port to try and get a response + RETCODE=1 + for PROTOCOL in -tls1_2 -tls1_1 -tls1 ; do + if [ "$RETCODE" -eq 0 ] ; then + break + fi + set +e + # Get the "Not After" field for the certificate expiry + EXPIRYSTRING=$(echo "Q" | openssl s_client $STARTTLS -connect "$HOST:$PORT" -servername "$HOST" "$PROTOCOL" 2> /dev/null | openssl x509 -noout -text 2> /dev/null | grep "Not After" | sed -r 's/\s*Not After : //') + RETCODE="$?" + set -e + done + +# echo "DEBUG: EXPIRYSTRING: $EXPIRYSTRING." + + # Convert expiry into unixtime + EXPIRY=$(date -d "$EXPIRYSTRING" +%s) +# echo "DEBUG: EXPIRY: $EXPIRY." + NOW=$(date +%s) +# echo "DEBUG: NOW: $NOW." + + # Number of seconds left + DIFFERENCE=$(expr "$EXPIRY" - "$NOW") +# echo "DEBUG: DIFFERENCE: $DIFFERENCE." + + # Warn if less than WARNSECONDS less + if [ "$DIFFERENCE" -lt "$WARNSECONDS" ] ; then + echo "Warning! The certificate at $HOST:$PORT expires in $DIFFERENCE seconds (~$(expr $DIFFERENCE / 60 / 60 / 24) days)." +# else +# echo "DEBUG: The certificate at $HOST:$PORT expires in $DIFFERENCE seconds (~$(expr $DIFFERENCE / 60 / 60 / 24) days)." + fi + +done |