There are service checks for things like Nagios that will alert you on an upcoming expiration of SSL certs for many services. I believe it may also offer the ability to check a file.
> On Feb 28, 2016, at 6:06 PM, Keith Lofstrom <[email protected]> wrote:
>
> Check the expire dates on your openvpn encryption keys
> and certifications!
>
> Friday morning, anticipating an important email that was
> worth $600 to answer ... I instead saw a string of
> mail failure messages. I soon learned that my slowly
> accumulating OpenVPN network, all based on the same
> self-signed certification, was disconnected because that
> certification was 3650 days old, and had timed out.
>
> I am still repairing most of the network, but I finally got
> the vital email link running. Spam is flowing again! (1)
>
> The ancient network was 1024-bit keys and rather
> disorganized. I used the disaster to renumber the "tun"s
> and organize the network better. I set encryption key
> length to 3076 bits - and the expire dates much further
> out. I also reorganized the key creation system so I
> can rebuild more quickly in case of a security breach.
>
> The sad fact is that OpenVPN will not warn you about
> upcoming certificate expirations. 10 years is quite
> long enough to forget how you did it, and when you
> will need to rebuild it next.
>
> SO: look at your keys and certs, stored by default
> in /usr/local/ssl, and see if they are due to expire.
> Here are the appropriate lines from one of my old keys:
> ---------------------------
> ...
> Validity
> Not Before: Feb 28 05:23:33 2006 GMT
> Not After : Feb 26 05:23:33 2016 GMT
> ...
> ---------------------------
> 3650 days is the default chosen by "easy-vpn", and is
> 10 years minus two or three leap days.
>
> I imagine many of you learned about openvpn during the
> same years I did. You may come to grief soon. The tools
> and formats have changed, so it is better to learn and use
> them /before/ everything goes to hell. I made it harder
> for myself because of renumbering the network, but better
> organization will make this task a lot easier when I have
> to do this next time, after my 90th birthday ...
> :-)
>
> Keith
>
> (1) PS: While rebuilding postfix (very sensitive to DNS and
> firewall setup), and looking at ancient mail logs for past
> errors, I guesstimated that I've probably filtered half a
> billion spams in the last 10 years. Oh, if I could only
> collect the $300 per-spam tort penalty that the law
> allegedly offers. At Apollo program prices ($20B in 2015
> dollars), at least 90 of us could walk on the moon ...
>
> --
> Keith Lofstrom [email protected]
> _______________________________________________
> PLUG mailing list
> [email protected]
> http://lists.pdxlinux.org/mailman/listinfo/plug

--
Louis Kowolowski [email protected]
Cryptomonkeys: http://www.cryptomonkeys.com/
Making life more interesting for people since 1977
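The check Keith describes (reading the "Not After" line and seeing how close it is) and the file-based check Louis mentions, as an added example that is not part of the thread and not Nagios's or easy-rsa's own code. It uses only the Python standard library: `ssl.cert_time_to_seconds` already understands the `Mon DD HH:MM:SS YYYY GMT` date format that `openssl x509` prints, so the script parses both the `-text` form ("Not After : ...") and the shorter `-noout -enddate` form ("notAfter=..."). The `SAMPLE_TEXT` block is constructed from the two dates quoted above, `REPORT_TIME` is an assumed clock (the timestamp of Keith's mail, taken as UTC), and `check_cert_file()` is a hypothetical helper that assumes an `openssl` binary on `PATH`. It also shows the leap-day arithmetic from the thread: 3650 days after the quoted "Not Before" lands exactly on the quoted "Not After".

```python
"""Warn about OpenVPN/OpenSSL certificates that have expired or are about to.

Added example for this thread, stdlib only. Assumes `openssl` is on PATH for
check_cert_file(); everything else runs offline against constructed text.
"""
import re
import ssl
import subprocess
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

# easy-rsa's default certificate lifetime in days, as cited in the thread.
EASYRSA_DEFAULT_DAYS = 3650

# Constructed sample: the Validity block quoted in the thread, as `openssl x509 -text` prints it.
SAMPLE_TEXT = """\
        Validity
            Not Before: Feb 28 05:23:33 2006 GMT
            Not After : Feb 26 05:23:33 2016 GMT
"""

# Assumed "now" for the worked check: the timestamp of Keith's mail, taken as UTC.
REPORT_TIME = datetime(2016, 2, 28, 18, 6, tzinfo=timezone.utc)

# Match either the `-text` layout or the `-startdate`/`-enddate` layout.
_NOT_BEFORE = re.compile(r"(?:Not Before\s*:|notBefore=)\s*(.+?)\s*$", re.MULTILINE)
_NOT_AFTER = re.compile(r"(?:Not After\s*:|notAfter=)\s*(.+?)\s*$", re.MULTILINE)


def _parse_field(pattern, text):
    m = pattern.search(text)
    if not m:
        raise ValueError("validity field not found in openssl output")
    # ssl.cert_time_to_seconds parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT" as UTC.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(m.group(1)), tz=timezone.utc)


def parse_not_before(text):
    return _parse_field(_NOT_BEFORE, text)


def parse_not_after(text):
    return _parse_field(_NOT_AFTER, text)


def easyrsa_end_date(not_before):
    """End date a cert issued at not_before gets with easy-rsa's 3650-day default.
    Calendar years contain leap days, so this is a little short of ten years."""
    return not_before + timedelta(days=EASYRSA_DEFAULT_DAYS)


def days_left(not_after, now=None):
    """Fractional days until expiry; negative once the cert has already expired."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now) / timedelta(days=1)


def classify(days, warn_days=30):
    if days < 0:
        return "expired"
    if days <= warn_days:
        return "expiring"
    return "ok"


def check_cert_file(path, warn_days=30, now=None):
    """Hypothetical helper: ask the openssl CLI for the end date of one PEM cert."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", str(path)],
        capture_output=True, text=True, check=True,
    ).stdout
    d = days_left(parse_not_after(out), now)
    return d, classify(d, warn_days)


def scan(paths, warn_days=30, now=None):
    """Check every path; unreadable files are reported rather than aborting the run."""
    results = []
    for p in paths:
        try:
            d, status = check_cert_file(p, warn_days, now)
        except (OSError, subprocess.CalledProcessError, ValueError) as exc:
            d, status = None, "unreadable (%s)" % exc
        results.append((str(p), d, status))
    return results


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s cert.crt [cert.crt ...]" % sys.argv[0])
    worst = 0
    for name, d, status in scan([Path(a) for a in sys.argv[1:]]):
        print("%-50s %-12s %s" % (name, status, "" if d is None else "%.1f days" % d))
        worst = max(worst, {"ok": 0, "expiring": 1, "expired": 2}.get(status, 2))
    sys.exit(worst)  # non-zero exit makes this usable from cron or a Nagios-style check
```

Run it from cron against the directory your CA writes to (`keys/` for easy-rsa, or wherever you keep the PEM files) and mail yourself the output; the exit code is 1 for "expiring" and 2 for "expired", which is the shape a Nagios plugin wants. If you only need a yes/no for one file, `openssl x509 -noout -in cert.crt -checkend 2592000` exits non-zero when the cert expires within the given number of seconds (30 days here), with no script at all.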
