Re: Monitor for SSL Certificate expiration date
On Mon, Jul 16, 2007 at 01:59:10PM -0400, Ed Ravin wrote:
> > > It seems like this can be done with the openssl command line, but I
> > > can only get certificate date information _after_ the certificate
> > > expires. If anyone knows how to extract an SSL certificate's
>
> No need to parse out the certificate with sed - as implied in my previous
> message, openssl seems to be able to ignore the non-certificate portions
> of the file:
>
> openssl s_client -connect www.example.com:443 2>/dev/null | openssl x509 -noout -enddate
>
> But if I was scripting this, I would call the two openssl commands
> separately and save the output to a file, so that I could detect failures
> more reliably...

Here's a little something I use. It does three things:

1) Checks local certs (if you want to run it on the server that holds the
   certs). You can override the directory it looks in for certs with
   --certdir=/path/to/certs. And you can have it ignore certain patterns
   when getting the list of certs by editing the @excludeCertDomains
   variable (line 26).

2) Checks remote certs on Apache webservers. You can specify domains to
   check by editing the @manualDomains variable (line 24).

3) For both #1 and #2 it does a whois check for each domain (a valid cert
   does no good if the domain registration has expired).

Options:
  --certdir=/PATH          Default is /etc/ssl/certs
  --certsonly              Only test local certs
  --debug                  Lots of ugly debug info
  --expirelimit=INTEGER    Number of days before expiration to warn about
  --remoteonly             Only test certs on webservers
  --showexcludes           Show local certs being excluded
  --verbose                Verbose output

Yes, yes. I know the code is ugly. It was written a long time ago back when
I was first learning perl. I would do it a lot differently now, but it works
and we don't fix it if it's not broken. :-)

--
Regards... Todd

OS X: We've been fighting the "It's a mac" syndrome with upper management
for years now. Lately we've taken to just referring to new mac installations
as "Unix" installations when presenting proposals and updates. For some
reason, they have no problem with that. -- /.

Linux kernel 2.6.17-6mdv 2 users, load average: 0.36, 0.37, 0.36

#!/usr/bin/perl -w
use strict;
use Net::Whois::Raw;
use Getopt::Long;
use Date::Calc qw( Parse_Date Decode_Date_US2 Decode_Date_EU2 Delta_Days );

# Once a week, run 'checkSSLCertStatus.pl --verbose' in a cron job and
# pipe it to 'mail -s "Weekly Cert Status Check" [EMAIL PROTECTED]'

$|++;

my %opts;
GetOptions( \%opts,
    'certdir:s',
    'certsonly',
    'debug',
    'expirelimit:i',
    'remoteonly',
    'showexcludes',
    'verbose',
);

my @manualDomains = (
    'secure.domain1.com',
    'login.domain2.com',
);

my @excludeCertDomains = (
    'domain1.com',
    'domain2.com',
    'domain3.com',
);

my $expireLimit = $opts{expirelimit} || 30;      # days
my $checkEnd    = $expireLimit * 24 * 60 * 60;   # seconds

my $results;
my $today = localtime();
my $now   = localtime();

my ($nowyear,$nowmonth,$nowday);
if ( ($nowyear,$nowmonth,$nowday) = Parse_Date($now) ) {
    if ( $opts{debug} ) {
        print "NOW: Year $nowyear, Month $nowmonth, Day $nowday\n";
    }
}

if ( !$opts{remoteonly} ) {
    my $certDir = $opts{certdir} || "/etc/ssl/certs";
    my @certs   = `cd $certDir; ls *.cert`;

    # Manually exclude these local certs from being checked. Our certs are named
    # domain1.com.conf, domain2.com.conf, etc, we exclude these specific ones.
    my @excludes = @excludeCertDomains;

    # This checks local certs.
    CERT: foreach my $cert ( @certs ) {
        chomp $cert;
        if ( $cert =~ /.*\.\d+\.cert$/ ) {
            if ( $opts{debug} ) { print "Skipping $cert\n\n"; }
            next CERT;
        }
        foreach my $exclude ( @excludes ) {
            if ( $cert =~ /^\Q$exclude\E/ ) {
                if ( $opts{debug} || $opts{showexcludes} ) { print "Excluded $cert\n"; }
                next CERT;
            }
        }
        if ( $opts{debug} ) { print "Processing $cert\n"; }

        my @certCheck = `openssl x509 -in $certDir/$cert -dates -subject -checkend $checkEnd`;
        chomp @certCheck;
        $results->{$cert}->{start} = $certCheck[0];
        $results->{$cert}->{start} =~ s/notBefore=//;
        $results->{$cert}->{start} =~ s/\s\s+/ /g;
        $results->{$cert}->{expire} = $certCheck[1];
        $results->{$cert}->{expire} =~ s/notAfter=//;
        $results->{$cert}->{expire} =~ s/\s\s+/ /g;
        $results->{$cert}->{domain} = $certCheck[2];
        $results->{$cert}->{domain} =~ s#.+/CN=(.+)$#$1#;
        $results->{$cert}->{result} = $certCheck[3];
        if ( $opts{debug} ) {
            print $results->{$cert}->{start} . " to " . $results->{$cert}->{expire} . "\n";
            print $results->{$cert}->{domain} . ": " . $results->{$cert}->{result} . "\n\n";
        }
    }

    foreach my $cert ( keys %{$results} ) {
        if ( $results->{$cert}->{result} =~ /^Certificate will expire$/ ) {
Re: Monitor for SSL Certificate expiration date
On 2007-07-16T13:59:10-0400, Ed Ravin wrote:
> But if I was scripting this, I would call the two openssl commands
> separately and save the output to a file, so that I could detect failures
> more reliably...

I probably will if no one else does or has one available. The monitor
should also allow you to validate a certificate given a file system path.

/Allan

___
mon mailing list
mon@linux.kernel.org
http://linux.kernel.org/mailman/listinfo/mon
Re: Monitor for SSL Certificate expiration date
On Mon, Jul 16, 2007 at 07:14:38PM +0200, Jan-Frode Myklebust wrote:
> On 2007-07-16, Owen Crow <[EMAIL PROTECTED]> wrote:
> >
> > It seems like this can be done with the openssl command line, but I
> > can only get certificate date information _after_ the certificate
> > expires. If anyone knows how to extract an SSL certificate's
> > expiration date remotely, I'd be happy to convert that into a monitor
> > script.
> >
>
> Thanks for the offer, I could use something like that :-)
>
> $ echo "" | openssl s_client -connect mail.altibox.no:443 2>/dev/null | sed
> -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |openssl x509 -text|grep
> "Not After :"

No need to parse out the certificate with sed - as implied in my previous
message, openssl seems to be able to ignore the non-certificate portions
of the file:

openssl s_client -connect www.example.com:443 2>/dev/null | openssl x509 -noout -enddate
Re: Monitor for SSL Certificate expiration date
Argh, sent this from the wrong address, so it's sitting in the admin queue
for the mailing list...

-David

On 7/16/07, David Nolan <[EMAIL PROTECTED]> wrote:

Here's a copy of https.monitor with certificate expiration support added.
I thought I had committed this to the mon-contrib CVS area, but it's not
there... I'll fix that.

-David

On 7/16/07, Owen Crow <[EMAIL PROTECTED]> wrote:
> I've seen some tests mentioned in this list, but they point to broken links.
>
> It seems like this can be done with the openssl command line, but I
> can only get certificate date information _after_ the certificate
> expires. If anyone knows how to extract an SSL certificate's
> expiration date remotely, I'd be happy to convert that into a monitor
> script.
>
> I'm primarily interested in HTTPS, but it seems like this would be
> generic for any SSL/TLS-protected service.
>
> Thanks,
> Owen

[attachment: https.monitor]
Re: Monitor for SSL Certificate expiration date
On Mon, Jul 16, 2007 at 10:41:15AM -0500, Owen Crow wrote:
> I've seen some tests mentioned in this list, but they point to broken links.
>
> It seems like this can be done with the openssl command line, but I
> can only get certificate date information _after_ the certificate
> expires. If anyone knows how to extract an SSL certificate's
> expiration date remotely, I'd be happy to convert that into a monitor
> script.

Yes, I've wanted to do this for a long time. You just inspired me to read
the man pages and it looks pretty straightforward to use the openssl
command line:

  # download the certificate:
  openssl s_client -connect server.example.com:443 < /dev/null > testme.pem

  # print out the expiration date:
  openssl x509 -noout -in testme.pem -enddate

The output showing the expiration date looks like this:

  notAfter=Nov 3 18:58:34 1999 GMT

Which should be easy to feed to Date::Parse::str2time() to turn into a
ctime.

> I'm primarily interested in HTTPS, but it seems like this would be
> generic for any SSL/TLS-protected service.

The openssl command line man page says it also supports SMTP and POP
protocol for downloading certificates:

  openssl s_client -connect mail.example.com:25 -starttls smtp < /dev/null > testme.pem

Or "-starttls pop3" for a POP server. No IMAP support, unfortunately.

Here's a possible starting point:

  sslcert.monitor [--protocol {https|smtp|pop3}] [--port NNN] [--expirewarn NN] host [...]

Where the port number defaults to 443, and expirewarn defaults to 30 days
(i.e. alarm if the server's certificate expiration date is within 30 days).

Later on we could add bells and whistles to check the verification chain,
warn on self-signed certs,

If you start the script I'll help you finish it. I suggest writing it in
Perl since I know it'll have no problem parsing the expiration date output.
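The two-step check described above (s_client to download, x509 -noout -enddate to print, then the 30-day expirewarn of the proposed sslcert.monitor interface), as an added Python example that is neither code from this thread nor from mon. The notAfter sample is constructed after the line quoted above, with the extra space openssl emits before a single-digit day (the reason Todd's script squeezes whitespace), and fetch_enddate assumes an openssl binary on PATH plus network access.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample of what `openssl x509 -noout -enddate` prints (after the line quoted in
# the thread); openssl pads a single-digit day with a second space, hence the squeeze below.
SAMPLE_ENDDATE = "notAfter=Nov  3 18:58:34 1999 GMT\n"

# Protocols from the proposed sslcert.monitor interface; smtp and pop3 need -starttls.
STARTTLS = {"https": None, "smtp": "smtp", "pop3": "pop3"}
DEFAULT_PORT = {"https": 443, "smtp": 25, "pop3": 110}

def s_client_command(host, protocol="https", port=None):
    """argv for the download step: openssl s_client -connect host:port [-starttls proto]."""
    if protocol not in STARTTLS:
        raise ValueError("unsupported protocol: %s" % protocol)
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port or DEFAULT_PORT[protocol])]
    if STARTTLS[protocol]:
        cmd += ["-starttls", STARTTLS[protocol]]
    return cmd

def parse_not_after(enddate_output):
    """Turn a 'notAfter=Nov  3 18:58:34 1999 GMT' line into a UTC-aware datetime."""
    m = re.search(r"notAfter=(.+)", enddate_output)
    if not m:
        raise ValueError("no notAfter= line in %r" % enddate_output)
    text = re.sub(r"\s+", " ", m.group(1)).strip()   # -> "Nov 3 18:58:34 1999 GMT"
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def check_expiry(enddate_output, expirewarn=30, now=None):
    """Classify as a monitor would: ('expired' | 'warning' | 'ok', days_remaining)."""
    now = now or datetime.now(timezone.utc)
    days = (parse_not_after(enddate_output) - now).total_seconds() / 86400.0
    if days < 0:
        return "expired", days
    if days < expirewarn:
        return "warning", days
    return "ok", days

def fetch_enddate(host, protocol="https", port=None, timeout=15):
    """Run the two openssl commands separately, as suggested in the thread, so a failed
    connection is reported rather than parsed as a missing date. Needs openssl and network."""
    client = subprocess.run(s_client_command(host, protocol, port), input=b"",
                            capture_output=True, timeout=timeout)
    if client.returncode != 0 or b"BEGIN CERTIFICATE" not in client.stdout:
        raise RuntimeError("s_client failed for %s: %s" % (host, client.stderr.decode(errors="replace").strip()))
    x509 = subprocess.run(["openssl", "x509", "-noout", "-enddate"], input=client.stdout,
                          capture_output=True, timeout=timeout, check=True)
    return x509.stdout.decode()
```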
Re: Monitor for SSL Certificate expiration date
On 2007-07-16, Owen Crow <[EMAIL PROTECTED]> wrote:
>
> It seems like this can be done with the openssl command line, but I
> can only get certificate date information _after_ the certificate
> expires. If anyone knows how to extract an SSL certificate's
> expiration date remotely, I'd be happy to convert that into a monitor
> script.
>

Thanks for the offer, I could use something like that :-)

$ echo "" | openssl s_client -connect mail.altibox.no:443 2>/dev/null | sed
-ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |openssl x509 -text|grep
"Not After :"

-jf
Monitor for SSL Certificate expiration date
I've seen some tests mentioned in this list, but they point to broken links.

It seems like this can be done with the openssl command line, but I
can only get certificate date information _after_ the certificate
expires. If anyone knows how to extract an SSL certificate's
expiration date remotely, I'd be happy to convert that into a monitor
script.

I'm primarily interested in HTTPS, but it seems like this would be
generic for any SSL/TLS-protected service.

Thanks,
Owen