From 123dd5844901cbfa2abd49cdb21989b7b4c5c296 Mon Sep 17 00:00:00 2001
From: Luke Bratch
Date: Wed, 21 Nov 2018 22:38:13 +0000
Subject: Initial commit
---
certexpiry.sh | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 75 insertions(+)
create mode 100755 certexpiry.sh
diff --git a/certexpiry.sh b/certexpiry.sh
new file mode 100755
index 0000000..aa034ba
--- /dev/null
+++ b/certexpiry.sh
@@ -0,0 +1,75 @@
+#!/bin/bash
+set -euo pipefail
+
+# ==== Variables ====
+# Output warning if fewer than this number of seconds until expiry
+WARNSECONDS=1209600 # Two weeks
+# Bash array of host:port combinations to be checked
+HOSTSANDPORTS=(irc.tghost.co.uk:6697 irc.lc8n.com:6697 irc.pgburton.com:6697 www.tghost.co.uk mail.tghost.co.uk:25 \
+ mail.tghost.co.uk:143 mail.tghost.co.uk mumble.tghost.co.uk:64738 bladns.net www.lc8n.com \
+ www.blatech.net upload.bratch.co.uk www.nokiaplan3.com davmail.tghost.co.uk:1143 bcal.tghost.co.uk \
+ www.blaupload.co.uk up.org.je)
+# ==== Variables ====
+
+# Loop through all host:port combinations
+for HOSTANDPORT in "${HOSTSANDPORTS[@]}" ; do
+
+# echo "DEBUG: HOSTANDPORT: $HOSTANDPORT."
+
+ # Host before colon
+ HOST=$(echo "$HOSTANDPORT" | cut -d ":" -f "1")
+ # Port after colon, or nothing if no port given (assumes 443 later on)
+ PORT=$(echo "$HOSTANDPORT" | cut -s -d ":" -f "2")
+
+# echo "DEBUG: HOST: $HOST."
+
+ # Assume no STARTTLS (unless special ports later on)
+ STARTTLS=""
+
+ if [ "$PORT" = "" ] ; then
+ # Assume 443 if not port specified
+ PORT=443
+ elif [ "$PORT" -eq 25 ] ; then
+ # Assume SMTP STARTTLS if port 25
+ STARTTLS="-starttls smtp"
+ elif [ "$PORT" -eq 143 ] ; then
+ # Assume IMAP STARTTLS if port 143
+ STARTTLS="-starttls imap"
+ fi
+
+# echo "DEBUG: PORT: $PORT."
+# echo "DEBUG: STARTTLS: $STARTTLS."
+
+ # Try various TLS versions against this host:port to try and get a response
+ RETCODE=1
+ for PROTOCOL in -tls1_2 -tls1_1 -tls1 ; do
+ if [ "$RETCODE" -eq 0 ] ; then
+ break
+ fi
+ set +e
+ # Get the "Not After" field for the certificate expiry
+ EXPIRYSTRING=$(echo "Q" | openssl s_client $STARTTLS -connect "$HOST:$PORT" -servername "$HOST" "$PROTOCOL" 2> /dev/null | openssl x509 -noout -text 2> /dev/null | grep "Not After" | sed -r 's/\s*Not After : //')
+ RETCODE="$?"
+ set -e
+ done
+
+# echo "DEBUG: EXPIRYSTRING: $EXPIRYSTRING."
+
+ # Convert expiry into unixtime
+ EXPIRY=$(date -d "$EXPIRYSTRING" +%s)
+# echo "DEBUG: EXPIRY: $EXPIRY."
+ NOW=$(date +%s)
+# echo "DEBUG: NOW: $NOW."
+
+ # Number of seconds left
+ DIFFERENCE=$(expr "$EXPIRY" - "$NOW")
+# echo "DEBUG: DIFFERENCE: $DIFFERENCE."
+
+ # Warn if less than WARNSECONDS less
+ if [ "$DIFFERENCE" -lt "$WARNSECONDS" ] ; then
+ echo "Warning! The certificate at $HOST:$PORT expires in $DIFFERENCE seconds (~$(expr $DIFFERENCE / 60 / 60 / 24) days)."
+# else
+# echo "DEBUG: The certificate at $HOST:$PORT expires in $DIFFERENCE seconds (~$(expr $DIFFERENCE / 60 / 60 / 24) days)."
+ fi
+
+done
-- 
cgit v1.2.3
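Review bot: When all three attempts in the PROTOCOL loop fail (host down, handshake rejected, no certificate returned), EXPIRYSTRING is left empty and the code goes straight into `date -d "$EXPIRYSTRING" +%s`; GNU date accepts an empty string (as far as I recall it resolves to the start of the current day), so the host is then reported as expiring in a negative number of seconds rather than as unreachable, and on a date implementation that rejects it the failed substitution aborts the whole run under `set -e` before the remaining hosts are checked. A guard directly after the inner `done` makes the failure explicit and keeps the loop going: `[ -n "$EXPIRYSTRING" ] || { echo "Error: no certificate retrieved from $HOST:$PORT" >&2; continue; }`. The expiry can also be read more robustly with `openssl x509 -noout -enddate` (which prints `notAfter=...`) in place of `-text | grep "Not After" | sed`, since the current form depends on the exact spacing of the human-readable dump. Only the leaf certificate is examined here; the intermediates presented in the chain can expire as well, which is worth a comment on the EXPIRYSTRING line so the limitation is visible to whoever relies on the warning.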