Backport some fixes.

2022-01-19 18:52:58 +01:00 · 2022-01-19 18:52:58 +01:00 · 498405318d
parent 2b61560c77
commit 498405318d
5 changed files with 118 additions and 17 deletions
--- a/templates/check-x509-certs-expiration-date.sh.j2
+++ b/templates/check-x509-certs-expiration-date.sh.j2
@ -0,0 +1,36 @@
+#!/bin/bash
+
+#set -e
+
+PUB_CERTS_DIR="/srv/CA/pki/issued"
+
+# 1 day in seconds 86400
+# 7 days in seconds: 604800
+# 30 days in seconds: 2592000
+DAYS="2592000"
+RETVAL=
+
+# Email settings
+_sub=" will expire within $DAYS seconds (30 days):"
+_from="isti-ca-noreply@isti.cnr.it"
+_to="s2i2s@isti.cnr.it"
+_openssl="/usr/bin/openssl"
+
+for cert in "$PUB_CERTS_DIR/"*.crt ; do
+    #echo -n "$cert: "
+    #$_openssl x509 -enddate -noout -in "$cert"  -checkend "$DAYS" | grep -q 'notAfter'
+    expiry_date=$( $_openssl x509 -enddate -noout -in "$cert" -checkend "$DAYS" )
+    RETVAL=$?
+    #echo "RETVAL: $RETVAL"
+
+    # Send email
+    if [ $RETVAL -ne 0 ] ; then
+        echo "$cert ${_sub} $expiry_date"
+#            mail -s "$cert $_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($cert) will expire soon on $HOSTNAME [$(date)]: $expiry_date"
+#            # See https://www.cyberciti.biz/mobile-devices/android/how-to-push-send-message-to-ios-and-android-from-linux-cli/ #
+#            source ~/bin/cli_app.sh
+#            push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null
+    fi
+done
+
+exit 0
--- a/templates/client-host-certificate.sh.j2
+++ b/templates/client-host-certificate.sh.j2
@ -1,5 +1,7 @@
 #!/bin/bash

+_retval=
+
 host_arg=
 if [ $# -ne 1 ] ; then
    echo "You need to pass just one argument: the full hostname for wich the certificate is required"
@ -11,24 +13,43 @@ fi
 easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
 easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
 easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
+easy_rsa_reqs_dir="${easy_rsa_base_dir}/pki/reqs"
 easy_vars_file="${easy_rsa_base_dir}/vars"
 if [ -f "${easy_vars_file}.tmpl" ] ; then
    echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
    exit 1
 fi

+if [ -f "${easy_rsa_issued_dir}/${host_arg}.crt" ] ; then
+    echo ""
+    echo "A certificate already exists"
+    echo "If you want to renew it, then remove the following files and run che command again:"
+    echo "${easy_rsa_issued_dir}/${host_arg}.crt"
+    echo "${easy_rsa_keys_dir}/${host_arg}.key"
+    echo "${easy_rsa_reqs_dir}/${host_arg}.req"
+    echo ""
+    exit 1
+fi
+
 echo ""
 echo "Starting the creation of a client host certificate."
 echo ""

 cd "$easy_rsa_base_dir"
 ./easyrsa build-client-full "$host_arg" nopass
+retval=$?

-echo ""
-echo "Done."
-echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
-echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
-echo ""
-echo "Remember that the key of the host certificates do not passphrase protected"
+if [ $retval -eq 0 ] ; then
+    echo ""
+    echo "Done."
+    echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
+    echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
+    echo ""
+    echo "Remember that the key of the host certificates do not passphrase protected"
+else
+    echo ""
+    echo "Something went wrong, the certificate creation failed"
+    echo ""
+fi

 exit 0
--- a/templates/personal-certificate.sh.j2
+++ b/templates/personal-certificate.sh.j2
@ -1,5 +1,7 @@
 #!/bin/bash

+_retval=
+
 name_arg=
 email_arg=
 if [ $# -ne 2 ] ; then
@ -13,12 +15,24 @@ fi
 easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
 easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
 easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
+easy_rsa_reqs_dir="${easy_rsa_base_dir}/pki/reqs"
 easy_vars_file="${easy_rsa_base_dir}/vars"
 if [ -f "${easy_vars_file}.tmpl" ] ; then
    echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
    exit 1
 fi

+if [ -f "${easy_rsa_issued_dir}/${name_arg}.crt" ] ; then
+    echo ""
+    echo "A certificate already exists"
+    echo "If you want to renew it, then remove the following files and run che command again:"
+    echo "${easy_rsa_issued_dir}/${name_arg}.crt"
+    echo "${easy_rsa_keys_dir}/${name_arg}.key"
+    echo "${easy_rsa_reqs_dir}/${name_arg}.req"
+    echo ""
+    exit 1
+fi
+
 echo ""
 echo "Starting the creation of a client host certificate."
 echo "Remember that you need to supply a passphrase for the private key."
@ -32,10 +46,18 @@ sed -i -e "s/{{ easy_rsa_req_email }}/$email_arg/g" "$easy_vars_file"
 ./easyrsa build-client-full "$name_arg"
 mv -f "${easy_vars_file}.tmpl" "$easy_vars_file"

-echo ""
-echo "Done."
-echo "The certificate file is ${easy_rsa_issued_dir}/${name_arg}.crt"
-echo "The private key file is ${easy_rsa_keys_dir}/${name_arg}.key"
-echo ""
+retval=$?
+
+if [ $retval -eq 0 ] ; then
+    echo ""
+    echo "Done."
+    echo "The certificate file is ${easy_rsa_issued_dir}/${name_arg}.crt"
+    echo "The private key file is ${easy_rsa_keys_dir}/${name_arg}.key"
+    echo ""
+else
+    echo ""
+    echo "Something went wrong, the certificate creation failed"
+    echo ""
+fi

 exit 0
--- a/templates/server-host-certificate.sh.j2
+++ b/templates/server-host-certificate.sh.j2
@ -1,5 +1,7 @@
 #!/bin/bash

+_retval=
+
 host_arg=
 if [ $# -ne 1 ] ; then
    echo "You need to pass just one argument: the full hostname for wich the certificate is required"
@ -11,24 +13,43 @@ fi
 easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
 easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
 easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
+easy_rsa_reqs_dir="${easy_rsa_base_dir}/pki/reqs"
 easy_vars_file="${easy_rsa_base_dir}/vars"
 if [ -f "${easy_vars_file}.tmpl" ] ; then
    echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
    exit 1
 fi

+if [ -f "${easy_rsa_issued_dir}/${host_arg}.crt" ] ; then
+    echo ""
+    echo "A certificate already exists"
+    echo "If you want to renew it, then remove the following files and run che command again:"
+    echo "${easy_rsa_issued_dir}/${host_arg}.crt"
+    echo "${easy_rsa_keys_dir}/${host_arg}.key"
+    echo "${easy_rsa_reqs_dir}/${host_arg}.req"
+    echo ""
+    exit 1
+fi
+
 echo ""
 echo "Starting the creation of a server host certificate."
 echo ""

 cd "$easy_rsa_base_dir"
 ./easyrsa build-server-full "$host_arg" nopass
+retval=$?

-echo ""
-echo "Done."
-echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
-echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
-echo ""
-echo "Remember that the key of the host certificates do not passphrase protected"
+if [ $retval -eq 0 ] ; then
+    echo ""
+    echo "Done."
+    echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
+    echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
+    echo ""
+    echo "Remember that the key of the host certificates do not passphrase protected"
+else
+    echo ""
+    echo "Something went wrong, the certificate creation failed"
+    echo ""
+fi

 exit 0
--- a/vars/main.yml
+++ b/vars/main.yml
@ -21,4 +21,5 @@ easy_rsa_helper_scripts:
  - 'renew-client-host-certificate'
  - 'renew-server-host-certificate'
  - 'renew-personal-certificate'
+  - 'check-x509-certs-expiration-date'