#!/bin/bash
# pipefail matters here: the certificate is fetched through a pipeline, and
# without it a failed s_client would be masked by the (successful) final sed.
set -euo pipefail

# ==== Variables ====

# Output warning if fewer than this number of seconds until expiry
WARNSECONDS=1209600 # Two weeks

# Bash array of host:port combinations to be checked (no port means 443)
HOSTSANDPORTS=(irc.tghost.co.uk:6697 irc.lc8n.com:6697 irc.pgburton.com:6697 www.tghost.co.uk mail.tghost.co.uk:25 \
    mail.tghost.co.uk:143 mail.tghost.co.uk mumble.tghost.co.uk:64738 bladns.net www.lc8n.com \
    www.blatech.net upload.bratch.co.uk www.nokiaplan3.com davmail.tghost.co.uk:1143 bcal.tghost.co.uk \
    www.blaupload.co.uk up.org.je)

# ==== Variables ====

# Loop through all host:port combinations
for HOSTANDPORT in "${HOSTSANDPORTS[@]}" ; do
    # echo "DEBUG: HOSTANDPORT: $HOSTANDPORT."

    # Host before colon
    HOST=$(echo "$HOSTANDPORT" | cut -d ":" -f "1")
    # Port after colon, or nothing if no port given (assumes 443 later on)
    PORT=$(echo "$HOSTANDPORT" | cut -s -d ":" -f "2")
    # echo "DEBUG: HOST: $HOST."

    # Assume no STARTTLS (unless special ports later on)
    STARTTLS=""
    if [ "$PORT" = "" ] ; then
        # Assume 443 if no port specified
        PORT=443
    elif [ "$PORT" -eq 25 ] ; then
        # Assume SMTP STARTTLS if port 25
        STARTTLS="-starttls smtp"
    elif [ "$PORT" -eq 143 ] ; then
        # Assume IMAP STARTTLS if port 143
        STARTTLS="-starttls imap"
    fi
    # echo "DEBUG: PORT: $PORT."
    # echo "DEBUG: STARTTLS: $STARTTLS."

    # Try various TLS versions against this host:port to try and get a response.
    # A build of OpenSSL with TLS 1.0/1.1 compiled out simply fails that attempt
    # and the loop moves on to the next version.
    EXPIRYSTRING=""
    for PROTOCOL in -tls1_2 -tls1_1 -tls1 ; do
        # errexit is suspended around the fetch so a failed handshake does not
        # abort the whole run; a failure just leaves EXPIRYSTRING empty.
        set +e
        # Get the "notAfter" (expiry) field of the presented leaf certificate.
        # -servername sends SNI so virtual-hosted servers present the right cert.
        # $STARTTLS is deliberately unquoted so "-starttls smtp" splits into two args.
        # shellcheck disable=SC2086
        EXPIRYSTRING=$(echo "Q" | openssl s_client $STARTTLS -connect "$HOST:$PORT" -servername "$HOST" "$PROTOCOL" 2> /dev/null | openssl x509 -noout -enddate 2> /dev/null | sed 's/^notAfter=//')
        set -e
        # Stop at the first TLS version that yielded an expiry date
        if [ -n "$EXPIRYSTRING" ] ; then
            break
        fi
    done
    # echo "DEBUG: EXPIRYSTRING: $EXPIRYSTRING."

    # If no TLS version got a certificate out of the host, say so and move on.
    # Feeding an empty string to "date -d" would silently yield today's date
    # and produce a bogus "expires in -N seconds" warning instead of an error.
    if [ -z "$EXPIRYSTRING" ] ; then
        echo "Error! Could not retrieve a certificate from $HOST:$PORT (connection or TLS handshake failed)." >&2
        continue
    fi

    # Convert expiry into unixtime (GNU date)
    EXPIRY=$(date -d "$EXPIRYSTRING" +%s)
    # echo "DEBUG: EXPIRY: $EXPIRY."
    NOW=$(date +%s)
    # echo "DEBUG: NOW: $NOW."

    # Number of seconds left. Shell arithmetic rather than expr: expr exits 1
    # when its result is 0, which would abort the script under "set -e".
    DIFFERENCE=$(( EXPIRY - NOW ))
    # echo "DEBUG: DIFFERENCE: $DIFFERENCE."
    DAYS=$(( DIFFERENCE / 60 / 60 / 24 ))

    # Warn if fewer than WARNSECONDS left; a negative value means already expired
    if [ "$DIFFERENCE" -lt 0 ] ; then
        echo "Warning! The certificate at $HOST:$PORT EXPIRED $(( -DIFFERENCE )) seconds ago (~$(( -DAYS )) days)."
    elif [ "$DIFFERENCE" -lt "$WARNSECONDS" ] ; then
        echo "Warning! The certificate at $HOST:$PORT expires in $DIFFERENCE seconds (~$DAYS days)."
    # else
    #     echo "DEBUG: The certificate at $HOST:$PORT expires in $DIFFERENCE seconds (~$DAYS days)."
    fi
done
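The expiry arithmetic above is the part of the checker that is easy to get wrong (expired certificates, the empty-string case, expr's exit status), so here it is as an added example that is not part of the original script: the same logic split into functions and exercised offline against constructed `notAfter=` lines of the form `openssl x509 -noout -enddate` prints. It assumes GNU `date -d`, as the script does; `fetch_notafter` is the live lookup and is not called by the demo, and the three dates and the fixed "now" are constructed inputs.

```bash
#!/bin/bash
# Added example (not the original checker): certificate expiry arithmetic as
# functions, tested against constructed "notAfter=" lines with no network access.
# Assumes GNU date (date -d), as the original script does.
set -eu

WARNSECONDS=1209600   # Two weeks, same threshold as the checker

# Strip the "notAfter=" prefix that `openssl x509 -noout -enddate` prints and
# convert the remaining "Dec 30 00:00:00 2029 GMT" style date to unixtime.
notafter_to_epoch() {
    local line="$1"
    date -d "${line#notAfter=}" +%s
}

# Seconds between a reference unixtime (default: now) and the certificate expiry.
# Shell arithmetic rather than expr, so a negative result (already expired) and
# an exact 0 are both handled without tripping errexit.
seconds_until_expiry() {
    local line="$1" now="${2:-$(date +%s)}"
    local expiry
    expiry=$(notafter_to_epoch "$line")
    echo $(( expiry - now ))
}

# Classify a seconds-left value: EXPIRED, WARN (inside the warning window) or OK.
expiry_status() {
    local diff="$1"
    if [ "$diff" -lt 0 ]; then
        echo EXPIRED
    elif [ "$diff" -lt "$WARNSECONDS" ]; then
        echo WARN
    else
        echo OK
    fi
}

# Live lookup: same openssl pipeline as the checker, asking x509 for the end
# date directly. Not called by the offline demo below. Prints nothing and
# returns non-zero if the handshake fails, so a caller can skip the host
# instead of feeding an empty string to date.
fetch_notafter() {
    local host="$1" port="${2:-443}" starttls="${3:-}"
    local out
    # shellcheck disable=SC2086  # $starttls is intentionally word-split
    out=$(echo Q | openssl s_client $starttls -connect "$host:$port" -servername "$host" 2>/dev/null \
          | openssl x509 -noout -enddate 2>/dev/null) || return 1
    [ -n "$out" ] && echo "$out"
}

# Offline demo on constructed input with a fixed "now" so the output is
# reproducible: one expired cert, one inside the two-week window, one fine.
demo() {
    local now line diff
    now=$(date -d "2029-12-20 00:00:00 UTC" +%s)
    for line in "notAfter=Dec  1 00:00:00 2029 GMT" \
                "notAfter=Dec 30 00:00:00 2029 GMT" \
                "notAfter=Jan 31 00:00:00 2030 GMT"; do
        diff=$(seconds_until_expiry "$line" "$now")
        printf '%-8s %s (%d days)\n' "$(expiry_status "$diff")" "$line" $(( diff / 86400 ))
    done
}

demo
```

To run it against a real endpoint, pipe `fetch_notafter mail.example.invalid 25 "-starttls smtp"` into `seconds_until_expiry` and check its return code first; the demo deliberately fixes "now" to 2029-12-20 so the three classifications (EXPIRED, WARN, OK) do not drift as the calendar moves.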