Re: Monitor for SSL Certificate expiration date

2007-07-16 Thread Todd Lyons
On Mon, Jul 16, 2007 at 01:59:10PM -0400, Ed Ravin wrote:

>> > It seems like this can be done with the openssl command line, but I
>> > can only get certificate date information _after_ the certificate
>> > expires.  If anyone knows how to extract an SSL certificate's
>No need to parse out the certificate with sed - as implied in my previous
>message, openssl seems to be able to ignore the non-certificate portions
>of the file:
>openssl s_client -connect www.example.com:443 2>/dev/null | openssl x509 -noout -enddate
>But if I was scripting this, I would call the two openssl commands
>separately and save the output to a file, so that I could detect failures
>more reliably...

Here's a little something I use.  It does three things:
1) Checks local certs (if you want to run it on the server that holds
the certs).  You can override the directory it looks in for certs with
--certdir=/path/to/certs.  And you can have it ignore certain patterns
when getting the list of certs by editing the @excludeCertDomains
variable (line 26).
2) Checks remote certs on Apache webservers.  You can specify domains
to check by editing the @manualDomains variable (line 24).
3) For both #1 and #2 it does a whois check for each domain, (a valid
cert does no good if the domain registration has expired).

Options:
--certdir=/PATH        Default is /etc/ssl/certs
--certsonly            Only test local certs
--debug                Lots of ugly debug info
--expirelimit=INTEGER  Number of days before expiration to warn about
--remoteonly           Only test certs on webservers
--showexcludes         Show local certs being excluded
--verbose              Verbose output

Yes, yes.  I know the code is ugly.  It was written a long time ago back
when I was first learning perl.  I would do it a lot differently now,
but it works and we don't fix it if it's not broken.  :-)
-- 
Regards...  Todd
OS X: We've been fighting the "It's a mac" syndrome with upper management
for  years  now.  Lately  we've  taken  to  just  referring  to  new  mac 
installations  as  "Unix"  installations  when  presenting proposals  and 
updates.  For some reason, they have no problem with that.  -- /.
Linux kernel 2.6.17-6mdv   2 users,  load average: 0.36, 0.37, 0.36
#!/usr/bin/perl -w

use strict;
use Net::Whois::Raw;
use Getopt::Long;
use Date::Calc qw( Parse_Date Decode_Date_US2 Decode_Date_EU2 Delta_Days );

# Once a week, run 'checkSSLCertStatus.pl --verbose' in a cron job and
# pipe it to 'mail -s "Weekly Cert Status Check" [EMAIL PROTECTED]'

$|++;
my %opts;

GetOptions( \%opts,
'certdir:s',
'certsonly',
'debug',
'expirelimit:i',
'remoteonly',
'showexcludes',
'verbose',
);

my @manualDomains = ( 'secure.domain1.com', 'login.domain2.com',
);
my @excludeCertDomains = ( 'domain1.com',
'domain2.com', 'domain3.com',
);
my $expireLimit = $opts{expirelimit} || 30;  # days
my $checkEnd = $expireLimit * 24 * 60 * 60;  # seconds
my $results;
my $today = localtime();
my $now = localtime();
my ($nowyear,$nowmonth,$nowday);
if ( ($nowyear,$nowmonth,$nowday) = Parse_Date($now) ) {
  if ( $opts{debug} ) {
print "NOW: Year $nowyear, Month $nowmonth, Day $nowday\n";
  }
}


if ( !$opts{remoteonly} ) {
  my $certDir = $opts{certdir} || "/etc/ssl/certs";
  my @certs = `cd $certDir; ls *.cert`;
  # Manually exclude these local certs from being checked.  Our certs are named
  # domain1.com.conf, domain2.com.conf, etc, we exclude these specific ones.
  my @excludes = @excludeCertDomains;
  
  # This checks local certs.
  CERT: foreach my $cert ( @certs ) {
chomp $cert;
if ( $cert =~ /.*\.\d+\.cert$/ ) {
  if ( $opts{debug} ) {
print "Skipping $cert\n\n";
  }
  next CERT;
}
foreach my $exclude ( @excludes ) {
  if ( $cert =~ /^\Q$exclude\E/ ) {
if ( $opts{debug} || $opts{showexcludes} ) {
  print "Excluded $cert\n";
}
  next CERT;
  }
}
if ( $opts{debug} ) {
  print "Processing $cert\n";
}
# -dates, -subject and -checkend print in that order: notBefore, notAfter,
# subject, then "Certificate will expire" / "Certificate will not expire".
# Keep the whole command on one line: a newline inside the backticks would
# be passed to sh as a command separator, leaving -checkend without its value.
my @certCheck = `openssl x509 -in $certDir/$cert -dates -subject -checkend $checkEnd`;
chomp @certCheck;
$results->{$cert}->{start}  = $certCheck[0];
$results->{$cert}->{start}  =~ s/notBefore=//;
$results->{$cert}->{start}  =~ s/\s\s+/ /g;
$results->{$cert}->{expire} = $certCheck[1];
$results->{$cert}->{expire} =~ s/notAfter=//;
$results->{$cert}->{expire} =~ s/\s\s+/ /g;
$results->{$cert}->{domain} = $certCheck[2];
$results->{$cert}->{domain} =~ s#.+/CN=(.+)$#$1#;
$results->{$cert}->{result} = $certCheck[3];
  
if ( $opts{debug} ) {
  print $results->{$cert}->{start} . " to " . 
$results->{$cert}->{expire} . "\n";
  print $results->{$cert}->{domain} . ": " .
$results->{$cert}->{result} . "\n\n";
}
  }
  
  foreach my $cert ( keys %{$results} ) {
if ( $results->{$cert}->{result} =~ /^Certificate will expire$/ ) {

Re: Monitor for SSL Certificate expiration date

2007-07-16 Thread Allan Wind
On 2007-07-16T13:59:10-0400, Ed Ravin wrote:
> But if I was scripting this, I would call the two openssl commands
> separately and save the output to a file, so that I could detect failures
> more reliably...

I probably will if no one else does or has one available.  The monitor 
should also allow you to validate a certificate given a file system 
path.


/Allan

___
mon mailing list
mon@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/mon


Re: Monitor for SSL Certificate expiration date

2007-07-16 Thread Ed Ravin
On Mon, Jul 16, 2007 at 07:14:38PM +0200, Jan-Frode Myklebust wrote:
> On 2007-07-16, Owen Crow <[EMAIL PROTECTED]> wrote:
> >
> > It seems like this can be done with the openssl command line, but I
> > can only get certificate date information _after_ the certificate
> > expires.  If anyone knows how to extract an SSL certificate's
> > expiration date remotely, I'd be happy to convert that into a monitor
> > script.
> >
> 
> Thanks for the offer, I could use something like that :-)
> 
> $ echo "" | openssl s_client -connect mail.altibox.no:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text | grep "Not After :"

No need to parse out the certificate with sed - as implied in my previous
message, openssl seems to be able to ignore the non-certificate portions
of the file:

openssl s_client -connect www.example.com:443 2>/dev/null | openssl x509 -noout -enddate

But if I was scripting this, I would call the two openssl commands
separately and save the output to a file, so that I could detect failures
more reliably...


Re: Monitor for SSL Certificate expiration date

2007-07-16 Thread David Nolan

Argh, sent this from the wrong address, so it's sitting in the admin
queue for the mailing list...

-David

On 7/16/07, David Nolan <[EMAIL PROTECTED]> wrote:

Here's a copy of https.monitor with certificate expiration support
added.  I thought I had committed this to the mon-contrib CVS area, but
it's not there... I'll fix that.

-David

On 7/16/07, Owen Crow <[EMAIL PROTECTED]> wrote:
> I've seen some tests mentioned in this list, but they point to broken links.
>
> It seems like this can be done with the openssl command line, but I
> can only get certificate date information _after_ the certificate
> expires.  If anyone knows how to extract an SSL certificate's
> expiration date remotely, I'd be happy to convert that into a monitor
> script.
>
> I'm primarily interested in HTTPS, but it seems like this would be
> generic for any SSL/TLS-protected service.
>
> Thanks,
> Owen
>




https.monitor
Description: Binary data


Re: Monitor for SSL Certificate expiration date

2007-07-16 Thread Ed Ravin
On Mon, Jul 16, 2007 at 10:41:15AM -0500, Owen Crow wrote:
> I've seen some tests mentioned in this list, but they point to broken links.
> 
> It seems like this can be done with the openssl command line, but I
> can only get certificate date information _after_ the certificate
> expires.  If anyone knows how to extract an SSL certificate's
> expiration date remotely, I'd be happy to convert that into a monitor
> script.

Yes, I've wanted to do this for a long time.  You just inspired me to
read the man pages and it looks pretty straightforward to use the
openssl command line:

   # download the certificate:
   openssl s_client -connect server.example.com:443 < /dev/null  > testme.pem

   # print out the expiration date:
   openssl x509 -noout -in testme.pem  -enddate

The output showing the expiration date looks like this:

   notAfter=Nov  3 18:58:34 1999 GMT

Which should be easy to feed to Date::Parse::str2time() to turn into a ctime.

> I'm primarily interested in HTTPS, but it seems like this would be
> generic for any SSL/TLS-protected service.

The openssl command line man page says it also supports SMTP and POP
protocol for downloading certificates:

  openssl s_client -connect mail.example.com:25 -starttls smtp < /dev/null > testme.pem

Or "-starttls pop3" for a POP server.  No IMAP support, unfortunately.

Here's a possible starting point:

   sslcert.monitor [--protocol {https|smtp|pop3}] [--port NNN]
   [--expirewarn NN] host [...]

Where the port number defaults to 443, and expirewarn defaults to 30 days
(i.e. alarm if the server's certificate expiration date is within 30 days).

Later on we could add bells and whistles to check the verification chain,
warn on self-signed certs, 

If you start the script I'll help you finish it.  I suggest writing it
in Perl since I know it'll have no problem parsing the expiration date
output.

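The remote check sketched in the message above (s_client, then x509 -enddate, a protocol switch that maps to -starttls, --expirewarn defaulting to 30 days, and the two openssl commands run as separate steps so that failures can be told apart), together with the local-file direction Todd's script takes, written out as an added example in Python. This is not code from the thread or from mon's contrib monitors. Assumptions: the openssl CLI is on PATH; it accepts -servername (SNI); the sample s_client output and notAfter line in the block are constructed stand-ins, not real certificates; and the output shape (failing hosts on the first line, non-zero exit on any failure) follows mon's usual monitor contract. The notAfter string is parsed with the standard library's ssl.cert_time_to_seconds, which understands exactly the "Nov  3 18:58:34 1999 GMT" format openssl prints.

```python
#!/usr/bin/env python3
"""Expiry monitor in the shape of the sslcert.monitor sketch (added example).
s_client -> extract leaf PEM -> x509 -enddate -> parse notAfter -> compare with
--expirewarn, as separate steps so connect, missing-cert and parse failures are
reported distinctly. Assumes the openssl CLI is on PATH; parsing is offline."""
import argparse
import re
import ssl
import subprocess
import sys
import time

# protocol -> (default port, openssl -starttls name; None means plain TLS)
PROTOCOLS = {"https": (443, None), "smtp": (25, "smtp"), "pop3": (110, "pop3")}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed stand-in for `openssl s_client` output (not a real certificate).
SAMPLE_S_CLIENT_OUTPUT = ("CONNECTED(00000003)\ndepth=0 CN = www.example.com\n---\n"
                          "Server certificate\n-----BEGIN CERTIFICATE-----\n"
                          "MIIBexampleONLY\n-----END CERTIFICATE-----\nsubject=CN = www.example.com\n")
# Constructed stand-in for `openssl x509 -noout -enddate` output.
SAMPLE_ENDDATE = "notAfter=Nov  3 18:58:34 1999 GMT\n"

def s_client_argv(host, protocol="https", port=None):
    """Build the openssl s_client command line for one host."""
    if protocol not in PROTOCOLS:
        raise ValueError("unsupported protocol: %s" % protocol)
    default_port, starttls = PROTOCOLS[protocol]
    # -servername sends SNI so a name-based virtual host returns its own cert
    # (assumed to be supported by the local openssl).
    argv = ["openssl", "s_client", "-connect", "%s:%d" % (host, port or default_port),
            "-servername", host]
    if starttls:
        argv += ["-starttls", starttls]
    return argv

def extract_pem(s_client_output):
    """First PEM block in s_client output (the server's own cert), or None."""
    m = PEM_RE.search(s_client_output)
    return m.group(0) if m else None

def parse_not_after(enddate_line):
    """'notAfter=Nov  3 18:58:34 1999 GMT' -> epoch seconds (UTC)."""
    line = enddate_line.strip()
    if not line.startswith("notAfter="):
        raise ValueError("unexpected x509 -enddate output: %r" % line)
    return ssl.cert_time_to_seconds(line[len("notAfter="):])

def classify(not_after, expirewarn_days, now=None):
    """Return ('ok' | 'warning' | 'expired', days_left)."""
    days_left = (not_after - (time.time() if now is None else now)) / 86400.0
    if days_left < 0:
        return "expired", days_left
    return ("warning" if days_left <= expirewarn_days else "ok"), days_left

def fetch_leaf_pem(host, protocol, port, timeout=15):
    """Run s_client with stdin closed (like < /dev/null); return the leaf PEM."""
    proc = subprocess.run(s_client_argv(host, protocol, port), input="",
                          capture_output=True, text=True, timeout=timeout)
    pem = extract_pem(proc.stdout)
    if pem is None:  # connection or handshake failed: no certificate printed
        last = proc.stderr.strip().splitlines()[-1:] or ["no certificate in output"]
        raise RuntimeError("connect failed: %s" % last[0])
    return pem

def not_after_of(pem):
    """Feed a PEM string to `openssl x509 -noout -enddate`; return epoch seconds."""
    proc = subprocess.run(["openssl", "x509", "-noout", "-enddate"], input=pem,
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError("x509 failed: %s" % proc.stderr.strip())
    return parse_not_after(proc.stdout)

def main(argv=None):
    ap = argparse.ArgumentParser()
    ap.add_argument("--protocol", choices=sorted(PROTOCOLS), default="https")
    ap.add_argument("--port", type=int)
    ap.add_argument("--expirewarn", type=int, default=30, help="days")
    ap.add_argument("hosts", nargs="+")
    args = ap.parse_args(argv)
    failed, details = [], []
    for host in args.hosts:
        try:
            not_after = not_after_of(fetch_leaf_pem(host, args.protocol, args.port))
            state, days = classify(not_after, args.expirewarn)
            detail = "%s: %s, %.1f days left, notAfter %s" % (
                host, state, days, time.strftime("%Y-%m-%d", time.gmtime(not_after)))
        except (RuntimeError, ValueError, subprocess.TimeoutExpired) as e:
            state, detail = "error", "%s: %s" % (host, e)
        details.append(detail)
        if state != "ok":
            failed.append(host)
    if failed:  # mon convention: failing hosts on line one, details after, exit 1
        print(" ".join(failed))
    print("\n".join(details))
    return 1 if failed else 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it as `sslcert_check.py --protocol smtp --expirewarn 14 mail.example.com www.example.com`. Two caveats worth keeping in mind: `openssl x509 -checkend SECONDS`, which Todd's script uses, is the portable shortcut when a yes/no answer is enough (it exits non-zero if the certificate expires within the window, with no date parsing on your side); and only the leaf certificate is examined here, so an intermediate in the chain can still expire unnoticed unless you fetch the chain with `-showcerts` and loop over every PEM block. Newer openssl releases also accept `-starttls imap`.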


Re: Monitor for SSL Certificate expiration date

2007-07-16 Thread Jan-Frode Myklebust
On 2007-07-16, Owen Crow <[EMAIL PROTECTED]> wrote:
>
> It seems like this can be done with the openssl command line, but I
> can only get certificate date information _after_ the certificate
> expires.  If anyone knows how to extract an SSL certificate's
> expiration date remotely, I'd be happy to convert that into a monitor
> script.
>

Thanks for the offer, I could use something like that :-)

$ echo "" | openssl s_client -connect mail.altibox.no:443 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -text | grep "Not After :"


  -jf




Monitor for SSL Certificate expiration date

2007-07-16 Thread Owen Crow
I've seen some tests mentioned in this list, but they point to broken links.

It seems like this can be done with the openssl command line, but I
can only get certificate date information _after_ the certificate
expires.  If anyone knows how to extract an SSL certificate's
expiration date remotely, I'd be happy to convert that into a monitor
script.

I'm primarily interested in HTTPS, but it seems like this would be
generic for any SSL/TLS-protected service.

Thanks,
Owen
