Cron job that check the expiration dates.

2022-01-20 14:05:37 +01:00 · 2022-01-20 14:05:37 +01:00 · da047368bd
parent 498405318d
commit da047368bd
3 changed files with 46 additions and 4 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -20,3 +20,8 @@ easy_rsa_req_org: 'Organization'
 easy_rsa_add_crl_url: False
 easy_rsa_crl_url: http://localhost/crl/crl.pem
 easy_rsa_critical_ca_false: True
+
+easy_rsa_alert_on_cert_expiration: False
+easy_rsa_alert_on_cert_seconds_before_expire: '2592000'
+easy_rsa_alert_on_cert_from: 'ca-noreply@example.com'
+easy_rsa_alert_on_cert_to: 'ca-noreply@example.com'
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -76,3 +76,38 @@

  when: easy_rsa_install | bool
  tags: [ 'easyrsa', 'easy_rsa', 'ca' ]
+
+- name: Expiration check
+  block:
+  - name: Install the mailx package on EL
+    ansible.builtin.yum:
+      pkg: mailx
+      state: present
+    when:
+      - easy_rsa_install | bool
+      - ansible_distribution_file_variety == "RedHat"
+      - easy_rsa_alert_on_cert_expiration
+
+  - name: Install the mailx package on deb systems
+    ansible.builtin.apt:
+      pkg: bsd-mailx
+      state: present
+      cache_valid_time: 1800
+    when:
+      - easy_rsa_install | bool
+      - ansible_distribution_file_variety == "Debian"
+      - easy_rsa_alert_on_cert_expiration
+
+  - name: Install a cron job that runs the expiry check, daily
+    ansible.builtin.cron:
+      name: "Check on the certificate expiration"
+      job: "/usr/local/bin/check-x509-certs-expiration-date >/dev/null 2>&1"
+      state: present
+      special_time: daily
+      user: root
+      cron_file: check-certificates-expiration-date
+
+  when:
+    - easy_rsa_install | bool
+    - easy_rsa_alert_on_cert_expiration
+  tags: [ 'easyrsa', 'easy_rsa', 'ca', 'easy_rsa_expiry_check' ]
--- a/templates/check-x509-certs-expiration-date.sh.j2
+++ b/templates/check-x509-certs-expiration-date.sh.j2
@ -7,13 +7,13 @@ PUB_CERTS_DIR="/srv/CA/pki/issued"
 # 1 day in seconds 86400
 # 7 days in seconds: 604800
 # 30 days in seconds: 2592000
-DAYS="2592000"
+DAYS="{{ easy_rsa_alert_on_cert_seconds_before_expire }}"
 RETVAL=

 # Email settings
 _sub=" will expire within $DAYS seconds (30 days):"
-_from="isti-ca-noreply@isti.cnr.it"
-_to="s2i2s@isti.cnr.it"
+_from="{{ easy_rsa_alert_on_cert_from }}"
+_to="{{ easy_rsa_alert_on_cert_to }}"
 _openssl="/usr/bin/openssl"

 for cert in "$PUB_CERTS_DIR/"*.crt ; do
@ -26,10 +26,12 @@ for cert in "$PUB_CERTS_DIR/"*.crt ; do
    # Send email
    if [ $RETVAL -ne 0 ] ; then
        echo "$cert ${_sub} $expiry_date"
-#            mail -s "$cert $_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($cert) will expire soon on $HOSTNAME [$(date)]: $expiry_date"
+{% if easy_rsa_alert_on_cert_expiration %}
+        mail -s "$cert $_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($cert) will expire soon on $HOSTNAME [$(date)]: $expiry_date"
 #            # See https://www.cyberciti.biz/mobile-devices/android/how-to-push-send-message-to-ios-and-android-from-linux-cli/ #
 #            source ~/bin/cli_app.sh
 #            push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null
+{% endif %}
    fi
 done