From 498405318db87581db42ab41a361f0dc717b33fb Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Wed, 19 Jan 2022 18:52:58 +0100
Subject: [PATCH] Backport some fixes.
---
 .../check-x509-certs-expiration-date.sh.j2 | 36 +++++++++++++++++++
 templates/client-host-certificate.sh.j2 | 33 +++++++++++++----
 templates/personal-certificate.sh.j2 | 32 ++++++++++++++---
 templates/server-host-certificate.sh.j2 | 33 +++++++++++++----
 vars/main.yml | 1 +
 5 files changed, 118 insertions(+), 17 deletions(-)
 create mode 100644 templates/check-x509-certs-expiration-date.sh.j2
diff --git a/templates/check-x509-certs-expiration-date.sh.j2 b/templates/check-x509-certs-expiration-date.sh.j2
new file mode 100644
index 0000000..498924e
--- /dev/null
+++ b/templates/check-x509-certs-expiration-date.sh.j2
@@ -0,0 +1,36 @@
+#!/bin/bash
+
+#set -e
+
+PUB_CERTS_DIR="/srv/CA/pki/issued"
+
+# 1 day in seconds 86400
+# 7 days in seconds: 604800
+# 30 days in seconds: 2592000
+DAYS="2592000"
+RETVAL=
+
+# Email settings
+_sub=" will expire within $DAYS seconds (30 days):"
+_from="isti-ca-noreply@isti.cnr.it"
+_to="s2i2s@isti.cnr.it"
+_openssl="/usr/bin/openssl"
+
+for cert in "$PUB_CERTS_DIR/"*.crt ; do
+ #echo -n "$cert: "
+ #$_openssl x509 -enddate -noout -in "$cert" -checkend "$DAYS" | grep -q 'notAfter'
+ expiry_date=$( $_openssl x509 -enddate -noout -in "$cert" -checkend "$DAYS" )
+ RETVAL=$?
+ #echo "RETVAL: $RETVAL"
+
+ # Send email
+ if [ $RETVAL -ne 0 ] ; then
+ echo "$cert ${_sub} $expiry_date"
+# mail -s "$cert $_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($cert) will expire soon on $HOSTNAME [$(date)]: $expiry_date"
+# # See https://www.cyberciti.biz/mobile-devices/android/how-to-push-send-message-to-ios-and-android-from-linux-cli/ #
+# source ~/bin/cli_app.sh
+# push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null
+ fi
+done
+
+exit 0
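Review bot: `PUB_CERTS_DIR="/srv/CA/pki/issued"` hardcodes the PKI location in a Jinja template, while the other scripts touched by this commit take it from `{{ easy_rsa_pki_basedir }}`; a role deployed with a different base dir would scan an empty directory and report nothing. Use `PUB_CERTS_DIR="{{ easy_rsa_pki_basedir }}/pki/issued"`. The loop also treats any non-zero status from `openssl x509 ... -checkend` as "expiring", but openssl exits non-zero as well when it cannot load the file, so an unmatched glob (the literal `*.crt` pattern is passed to openssl) or a corrupt certificate is reported as about to expire rather than as an error — add `shopt -s nullglob` before the loop or `[ -e "$cert" ] || continue` as its first statement. `_sub` additionally hardcodes "(30 days)" next to `$DAYS`, so the two drift apart if DAYS is ever changed; `_sub=" will expire within $DAYS seconds ($((DAYS / 86400)) days):"` keeps them in step.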
diff --git a/templates/client-host-certificate.sh.j2 b/templates/client-host-certificate.sh.j2
index 9f5910d..b37b606 100644
--- a/templates/client-host-certificate.sh.j2
+++ b/templates/client-host-certificate.sh.j2
@@ -1,5 +1,7 @@
 #!/bin/bash
+_retval=
+
 host_arg=
 if [ $# -ne 1 ] ; then
 echo "You need to pass just one argument: the full hostname for wich the certificate is required"
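Review bot: `_retval=` is declared here but never read; the status is later captured into `retval=$?` (second hunk of this file), so this line is dead and looks like a naming slip between the two spellings. Either drop it or rename the later assignment to match. The same stray declaration is added in the first hunks of templates/personal-certificate.sh.j2 and templates/server-host-certificate.sh.j2. The `if [ $# -ne 1 ]` block that opens at the end of this hunk closes outside it.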
@@ -11,24 +13,43 @@ fi
 easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
 easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
 easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
+easy_rsa_reqs_dir="${easy_rsa_base_dir}/pki/reqs"
 easy_vars_file="${easy_rsa_base_dir}/vars"
 if [ -f "${easy_vars_file}.tmpl" ] ; then
 echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
 exit 1
 fi
+if [ -f "${easy_rsa_issued_dir}/${host_arg}.crt" ] ; then
+ echo ""
+ echo "A certificate already exists"
+ echo "If you want to renew it, then remove the following files and run che command again:"
+ echo "${easy_rsa_issued_dir}/${host_arg}.crt"
+ echo "${easy_rsa_keys_dir}/${host_arg}.key"
+ echo "${easy_rsa_reqs_dir}/${host_arg}.req"
+ echo ""
+ exit 1
+fi
+
 echo ""
 echo "Starting the creation of a client host certificate."
 echo ""
 cd "$easy_rsa_base_dir"
 ./easyrsa build-client-full "$host_arg" nopass
+retval=$?
-echo ""
-echo "Done."
-echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
-echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
-echo ""
-echo "Remember that the key of the host certificates do not passphrase protected"
+if [ $retval -eq 0 ] ; then
+ echo ""
+ echo "Done."
+ echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
+ echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
+ echo ""
+ echo "Remember that the key of the host certificates do not passphrase protected"
+else
+ echo ""
+ echo "Something went wrong, the certificate creation failed"
+ echo ""
+fi
 exit 0
diff --git a/templates/personal-certificate.sh.j2 b/templates/personal-certificate.sh.j2
index a0fa314..b09fe50 100644
--- a/templates/personal-certificate.sh.j2
+++ b/templates/personal-certificate.sh.j2
@@ -1,5 +1,7 @@
 #!/bin/bash
+_retval=
+
 name_arg=
 email_arg=
 if [ $# -ne 2 ] ; then
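Review bot: The new failure branch prints "Something went wrong, the certificate creation failed" but the script still falls through to the unchanged `exit 0` at the end of the hunk, so Ansible or a calling shell sees success even when `./easyrsa build-client-full` failed; finish with `exit "$retval"` (or `exit 1` inside the else branch). The same applies to the second hunk of templates/server-host-certificate.sh.j2 and the third hunk of templates/personal-certificate.sh.j2. The new "already exists" message has a typo, `run che command again` should read `run the command again`, here and in the other two scripts. If the deployed easy-rsa refuses to overwrite an existing request, the pre-check should also test `${easy_rsa_reqs_dir}/${host_arg}.req`, since the message already tells the operator to delete that file.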
@@ -13,12 +15,24 @@ fi
 easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
 easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
 easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
+easy_rsa_reqs_dir="${easy_rsa_base_dir}/pki/reqs"
 easy_vars_file="${easy_rsa_base_dir}/vars"
 if [ -f "${easy_vars_file}.tmpl" ] ; then
 echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
 exit 1
 fi
+if [ -f "${easy_rsa_issued_dir}/${name_arg}.crt" ] ; then
+ echo ""
+ echo "A certificate already exists"
+ echo "If you want to renew it, then remove the following files and run che command again:"
+ echo "${easy_rsa_issued_dir}/${name_arg}.crt"
+ echo "${easy_rsa_keys_dir}/${name_arg}.key"
+ echo "${easy_rsa_reqs_dir}/${name_arg}.req"
+ echo ""
+ exit 1
+fi
+
 echo ""
 echo "Starting the creation of a client host certificate."
 echo "Remember that you need to supply a passphrase for the private key."
@@ -32,10 +46,18 @@ sed -i -e "s/{{ easy_rsa_req_email }}/$email_arg/g" "$easy_vars_file"
 ./easyrsa build-client-full "$name_arg"
 mv -f "${easy_vars_file}.tmpl" "$easy_vars_file"
-echo ""
-echo "Done."
-echo "The certificate file is ${easy_rsa_issued_dir}/${name_arg}.crt"
-echo "The private key file is ${easy_rsa_keys_dir}/${name_arg}.key"
-echo ""
+retval=$?
+
+if [ $retval -eq 0 ] ; then
+ echo ""
+ echo "Done."
+ echo "The certificate file is ${easy_rsa_issued_dir}/${name_arg}.crt"
+ echo "The private key file is ${easy_rsa_keys_dir}/${name_arg}.key"
+ echo ""
+else
+ echo ""
+ echo "Something went wrong, the certificate creation failed"
+ echo ""
+fi
 exit 0
diff --git a/templates/server-host-certificate.sh.j2 b/templates/server-host-certificate.sh.j2
index 3338a27..445df9b 100644
--- a/templates/server-host-certificate.sh.j2
+++ b/templates/server-host-certificate.sh.j2
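Review bot: In the second hunk, `retval=$?` is read after `mv -f "${easy_vars_file}.tmpl" "$easy_vars_file"`, so it holds the exit status of the `mv`, not of `./easyrsa build-client-full "$name_arg"`; a failed build followed by a successful restore prints "Done." and points the user at files that do not exist. Capture the status right after the build and keep the restore unconditional: `./easyrsa build-client-full "$name_arg"` / `retval=$?` / `mv -f "${easy_vars_file}.tmpl" "$easy_vars_file"`. Separately, the `sed -i -e "s/{{ easy_rsa_req_email }}/$email_arg/g"` shown in the hunk header splices the argument straight into the sed program, so a value containing `/`, `&` or `\` alters the expression rather than the substituted text; validating `$email_arg` before that line, e.g. `[[ "$email_arg" =~ ^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$ ]] || exit 1`, would make the rewrite robust.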
@@ -1,5 +1,7 @@
 #!/bin/bash
+_retval=
+
 host_arg=
 if [ $# -ne 1 ] ; then
 echo "You need to pass just one argument: the full hostname for wich the certificate is required"
@@ -11,24 +13,43 @@ fi
 easy_rsa_base_dir={{ easy_rsa_pki_basedir }}
 easy_rsa_issued_dir="${easy_rsa_base_dir}/pki/issued"
 easy_rsa_keys_dir="${easy_rsa_base_dir}/pki/private"
+easy_rsa_reqs_dir="${easy_rsa_base_dir}/pki/reqs"
 easy_vars_file="${easy_rsa_base_dir}/vars"
 if [ -f "${easy_vars_file}.tmpl" ] ; then
 echo "There's a template file ${easy_vars_file}.tmpl present. Check that nothing wrong happened, then remove it before proceeding."
 exit 1
 fi
+if [ -f "${easy_rsa_issued_dir}/${host_arg}.crt" ] ; then
+ echo ""
+ echo "A certificate already exists"
+ echo "If you want to renew it, then remove the following files and run che command again:"
+ echo "${easy_rsa_issued_dir}/${host_arg}.crt"
+ echo "${easy_rsa_keys_dir}/${host_arg}.key"
+ echo "${easy_rsa_reqs_dir}/${host_arg}.req"
+ echo ""
+ exit 1
+fi
+
 echo ""
 echo "Starting the creation of a server host certificate."
 echo ""
 cd "$easy_rsa_base_dir"
 ./easyrsa build-server-full "$host_arg" nopass
+retval=$?
-echo ""
-echo "Done."
-echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
-echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
-echo ""
-echo "Remember that the key of the host certificates do not passphrase protected"
+if [ $retval -eq 0 ] ; then
+ echo ""
+ echo "Done."
+ echo "The certificate file is ${easy_rsa_issued_dir}/${host_arg}.crt"
+ echo "The private key file is ${easy_rsa_keys_dir}/${host_arg}.key"
+ echo ""
+ echo "Remember that the key of the host certificates do not passphrase protected"
+else
+ echo ""
+ echo "Something went wrong, the certificate creation failed"
+ echo ""
+fi
 exit 0
diff --git a/vars/main.yml b/vars/main.yml
index 84b7d45..ddfa75a 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -21,4 +21,5 @@ easy_rsa_helper_scripts:
 - 'renew-client-host-certificate'
 - 'renew-server-host-certificate'
 - 'renew-personal-certificate'
+ - 'check-x509-certs-expiration-date'