Hi,

You have sent this message as a reply to another message but I don't see how your question is related to the other one?
> I am using Pound as a reverse proxy to get SSL on my Artica server, so I
> don't need to mess with its configuration.
> Artica is a management shell like Plesk and directadmin.
> In my case it's managing a Zarafa server.
>
> I'm using multiple certificates and this works fine with Chrome, Internet
> Explorer and Firefox.
>
> In the past I already wrote a script to test the expiration date of an
> SSL-server, so I can use it with Zabbix (monitoring server like Nagios).
> You feed it with the host and port and it will check its certificate using
> openssl and extract the amount of days this certificate is valid.
>
> When using it with port 21, 25, 110, 143 or 587 it will use TLS.
> OpenSSL has support to start a TLS-session for FTP, SMTP, IMAP and POP3
> It apparently doesn't have this support for HTTP.

I think the key is TLS vs. STARTTLS. STARTTLS is used where a non-secured
connection is then changed to TLS after the connection has been made. I have
never seen this with HTTP, where another port is used for SSL/TLS-only
connections. So the openssl -starttls option is used to run STARTTLS, not TLS.

>
> Is there some way to write this myself?
>
> If I now check the certificate of my site with my own script, it will only
> show the first certificate I'm using.
> Does anyone have tips on how to modify my script so that it works with
> webservers with multiple certificates????

I'm using the script from here with a small zabbix-specific patch to check
certs with zabbix: http://prefetch.net/code/ssl-cert-check

Regards,
Simon

>
>
> Well, here's the script:
>
>
> # cat /usr/local/sbin/certinfo
> #!/bin/bash
> export PATH=${PATH}:/usr/local/sbin:/sbin:/usr/sbin:/bin:/usr/bin
>
> TIMEOUT=10
> RETVAL=3
>
> # location on Debian based Linux, run "update-ca-certificates" if you don't have them
> CAfile=/etc/ssl/certs/ca-certificates.crt
> # Try Redhat based
> [ -e "${CAfile}" ] || CAfile=/etc/pki/tls/certs/ca-bundle.crt
> if [ ! -e "${CAfile}" ] ; then
>  echo "No Certificate Authority Bundle found" >&2
>  exit 1
> fi
>
> # If called by zabbix, handle some things differently
> if echo "${BASH_SOURCE}" | grep -q "zabbix" ; then
>  # get rid of 1st parameter (on Zabbix 1.8x)
>  # shift 1
>
>  # Change TimeOut value to the one in /etc/zabbix/zabbix_server.conf
>  ZABBIX_TIMEOUT=`grep -i '^Timeout' /etc/zabbix/zabbix_server.conf 2>/dev/null | awk -F= '{print $2}' | tr -cd '0-9'`
>  if [ -z "${ZABBIX_TIMEOUT}" ] ; then
>   TIMEOUT=3
>  else
>   # Let's take 1 second less than the one in /etc/zabbix/zabbix_server.conf and just hope to be in time
>   TIMEOUT=$(( ${ZABBIX_TIMEOUT} - 1 ))
>  fi
> fi
>
> # Zabbix 2.0 sends parameters quoted, where < 1.9 sends them unquoted
> # This way it works on both
> HOST=`echo "$*" | awk '{print $1}' | tr 'A-Z' 'a-z'`
> PORT=`echo "$*" | awk '{print $2}' | tr -cd '0-9'`
>
> SCRATCH=`mktemp`
> TMP1=`mktemp`
> TMP2=`mktemp`
>
> esc="\033["
> RED="31;40;1m"
> GREEN="32;40;1m"
>
> [ -z "${HOST}" ] && exit 1
> [ -z "${PORT}" ] && PORT=443
> HOSTWITHIP=${HOST}
> IP=${HOST}
> if echo "${HOST}" | grep -q '[a-z]' ; then
>  IP=`host -t A ${HOST} | egrep -o 'has address [0-9.]+' | head -n1 | awk '{print $3}'`
>  HOSTWITHIP="${HOST} (${IP})"
>  if [ -z "${IP}" ] ; then
>   echo -e "${esc}${RED}Error resolving ${HOST}${esc}0m" >&2
>   exit 1
>  fi
> fi
>
> # openssl is able to check plain smtp/pop3/ftp/imap connections
> # that use TLS to setup a secure connection
> TLS=
> echo "${PORT}" | egrep -q '^(25|587)$'  && TLS="-crlf -starttls smtp"
> echo "${PORT}" | egrep -q '^110$'    && TLS="-starttls pop3"
> echo "${PORT}" | egrep -q '^21$'     && TLS="-starttls ftp"
> echo "${PORT}" | egrep -q '^143$'    && TLS="-starttls imap"
>
> # Retrieve Certificate in background because it doesn't support TimeOuts
> # exec 2>/dev/null doesn't seem to be necessary if called this way....
> echo "" | openssl s_client -verify 3 -CAfile ${CAfile} -connect ${IP}:${PORT} ${TLS} 2>/dev/null >${SCRATCH} &
> sleep .1
>
> # double the TIMEOUT and wait for half a second each time
> let TIMEOUT*=2
>
> # Wait for certificate
> n=1
> while [ ! -s ${SCRATCH} ] ; do
>  sleep .48
>  [ $n -ge ${TIMEOUT} ] && break
>  let n++
> done
>
> # If we have retrieved the certificate, we'll process it and retrieve the domain names
> if [ -s ${SCRATCH} ] ; then
>  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' ${SCRATCH} | openssl x509 -text -noout 2>/dev/null >${TMP1}
>
>  #cat ${TMP1}
>  REMARK=
>  [ -z "${TLS}" ] || REMARK="(using TLS)"
>  echo -e "\nCertificate info for host ${esc}${GREEN}${HOSTWITHIP}${esc}0m on port ${PORT} ${esc}${GREEN}${REMARK}${esc}0m\n"
>  CN=`grep -i "Subject:" ${TMP1} | egrep -o 'CN=[A-Za-z0-9=:/. @_-]+' | awk -F= '{print $2}'`
>  echo "    CN: ${CN}"
>  echo -e '\n  Subject:'
>  grep -i "Subject:" ${TMP1}  | egrep -o '[A-Z]+=[A-Za-z0-9=:/. @_-]+' | sed 's/.*/      &/'
>
>  grep -i 'Verify return code' ${SCRATCH} | grep -qi '(ok)' || echo -e "      ${esc}${RED}Not certified by an Authority!!${esc}0m"
>
>  echo '  Issuer:'
>  # grep -i "Issuer:" ${TMP1}
>  grep -i "Issuer:" ${TMP1}  | egrep -o '[A-Z]+=[A-Za-z0-9=:/. @_-]+' | sed 's/.*/      &/'
>
>  echo -e "\n Validity:"
>  FROM_DATE=`grep -io 'Not Before.*' ${TMP1} | head -n1 | awk -F: '{print $2":"$3":"$4}'`
>  # Red if the certificate is not valid yet
>  [ ! -z "${FROM_DATE}" ] && [ `date -d "${FROM_DATE}" +%s` -ge `date +%s` ] && echo -en "${esc}${RED}"
>  echo -e "      Valid since: ${FROM_DATE}${esc}0m"
>  EXPIRE_DATE=`grep -io 'Not After.*' ${TMP1} | head -n1 | awk -F: '{print $2":"$3":"$4}'`
>  if [ ! -z "${EXPIRE_DATE}" ] ; then
>   # Green if it expires within a month, red if it has already expired
>   [ `date -d "${EXPIRE_DATE}" +%s` -lt `date -d "next month" +%s` ] && echo -en "${esc}${GREEN}"
>   [ `date -d "${EXPIRE_DATE}" +%s` -lt `date +%s` ] && echo -en "${esc}${RED}"
>  fi
>
>  echo -e "       Expires on: ${EXPIRE_DATE}${esc}0m"
>
>  # Create a greplist with DNS names converted to regular expressions
>  egrep -o 'DNS:[*A-Za-z0-9.-]+' ${TMP1} | awk -F: '{print $2}' | sed 's/\./\\./g;s/*/.*/g;s/.*/^&$/g' >${TMP2}
>
>  echo -e "\nDNS names: "
>  if [ -s ${TMP2} ] ; then
>   echo "${HOST}" | grep -qif ${TMP2} || echo -e "      ${esc}${RED}Name Mismatch!!${esc}0m no DNS name matches ${esc}${GREEN}${HOST}${esc}0m"
>   egrep -o 'DNS:[*a-zA-Z0-9.-]+' ${TMP1} | awk -F: '{print $2}' | sed 's/.*/      &/'
>  else
>   # There are NO DNS names, put CN in the greplist
>   echo -en "${CN}" | tr 'A-Z' 'a-z' | sed 's/\./\\./g;s/*/.*/g;s/.*/^&$/g' >${TMP2}
>   echo -e "      ${esc}${RED}No DNS names in certificate${esc}0m\n"
>   if echo "${HOST}" | grep -qif ${TMP2} ; then
>    echo -e "      ${esc}${GREEN}${HOST} matches CN${esc}0m"
>   else
>    echo -e "      ${esc}${GREEN}${HOST} ${esc}${RED}does NOT match CN ${CN}${esc}0m"
>   fi
>  fi
>  echo -e '\n'
> else
>  # Too late you lazy bastard, I might as well kill you...
>  kill -9 %1 2>/dev/null
> fi
>
> rm -f ${SCRATCH} 2>/dev/null
> rm -f ${TMP1} 2>/dev/null
> rm -f ${TMP2} 2>/dev/null
>
>
>
>
>
>

-- 
To unsubscribe send an email with subject unsubscribe to [email protected].
Please contact [email protected] for questions.
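An added example, written here and not part of the certinfo script or the list's own code: the same days-until-expiry check, but with openssl s_client -servername so that the name being monitored is sent as SNI, which is what lets a web server with several certificates hand back the one for that name (the assumption being that the server selects its certificate by SNI; function and script names are mine, and the date arithmetic is done in the shell so it does not depend on GNU date -d).

```shell
#!/bin/sh
# Added example: days until a server's certificate expires, with SNI (-servername)
# so a host serving several certificates presents the one for the requested name.

# s_client options for ports that upgrade a plain connection with STARTTLS
starttls_args() {
    case "$1" in
        25|587) echo "-crlf -starttls smtp" ;;  110) echo "-starttls pop3" ;;
        143)    echo "-starttls imap" ;;        21)  echo "-starttls ftp" ;;
        *)      echo "" ;;
    esac
}

# Days since 1970-01-01 (proleptic Gregorian), integer arithmetic only so the
# script does not depend on GNU "date -d"; args: year month day
days_from_civil() {
    y=$1; m=$2; d=$3
    [ "$m" -le 2 ] && y=$((y - 1))
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# "notAfter=Jun  1 12:00:00 2030 GMT" (openssl x509 -enddate) -> Unix timestamp
enddate_to_epoch() {
    set -- ${1#notAfter=}          # word-split: Jun 1 12:00:00 2030 GMT
    case "$1" in
        Jan) mon=1 ;; Feb) mon=2 ;; Mar) mon=3 ;;  Apr) mon=4 ;;  May) mon=5 ;;  Jun) mon=6 ;;
        Jul) mon=7 ;; Aug) mon=8 ;; Sep) mon=9 ;;  Oct) mon=10 ;; Nov) mon=11 ;; Dec) mon=12 ;;
        *)   return 1 ;;
    esac
    hh=${3%%:*}; rest=${3#*:}; mm=${rest%%:*}; ss=${rest#*:}   # leading 0 stripped below: "09" is not octal
    echo $(( $(days_from_civil "$4" "$mon" "$2") * 86400 + ${hh#0} * 3600 + ${mm#0} * 60 + ${ss#0} ))
}

# Whole days until expiry (truncated toward zero, negative once expired); args: enddate-line now-epoch
days_left() {
    echo $(( ( $(enddate_to_epoch "$1") - $2 ) / 86400 ))
}

# Ask HOST:PORT for its certificate, sending HOST as SNI (network; not exercised in tests)
fetch_enddate() {
    openssl s_client -servername "$1" -connect "$1:$2" $(starttls_args "$2") </dev/null 2>/dev/null |
        openssl x509 -noout -enddate
}
if [ $# -ge 1 ]; then        # usage: certdays.sh host [port]
    end=$(fetch_enddate "$1" "${2:-443}") || { echo "no certificate from $1:${2:-443}" >&2; exit 3; }
    echo "$1: $(days_left "$end" "$(date +%s)") days left"
fi
```

Run as "certdays.sh www.example.com" (constructed host name) or with a mail port such as 587 to go through STARTTLS; the exit status 3 on a missing certificate is chosen for use as a monitoring check.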
