From da047368bd99f75e9d2a95ed00dcc7cbe92c700d Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <andrea.dellamico@isti.cnr.it>
Date: Thu, 20 Jan 2022 14:05:37 +0100
Subject: [PATCH] Cron job that check the expiration dates.

---
 defaults/main.yml                             |  5 +++
 tasks/main.yml                                | 35 +++++++++++++++++++
 .../check-x509-certs-expiration-date.sh.j2    | 10 +++---
 3 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index ef62266..874b56c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -20,3 +20,8 @@ easy_rsa_req_org: 'Organization'
 easy_rsa_add_crl_url: False
 easy_rsa_crl_url: http://localhost/crl/crl.pem
 easy_rsa_critical_ca_false: True
+
+easy_rsa_alert_on_cert_expiration: False
+easy_rsa_alert_on_cert_seconds_before_expire: '2592000'
+easy_rsa_alert_on_cert_from: 'ca-noreply@example.com'
+easy_rsa_alert_on_cert_to: 'ca-noreply@example.com'
diff --git a/tasks/main.yml b/tasks/main.yml
index e4b00c3..6965604 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -76,3 +76,38 @@
 
   when: easy_rsa_install | bool
   tags: [ 'easyrsa', 'easy_rsa', 'ca' ]
+
+- name: Expiration check
+  block:
+  - name: Install the mailx package on EL
+    ansible.builtin.yum:
+      pkg: mailx
+      state: present
+    when:
+      - easy_rsa_install | bool
+      - ansible_distribution_file_variety == "RedHat"
+      - easy_rsa_alert_on_cert_expiration
+
+  - name: Install the mailx package on deb systems
+    ansible.builtin.apt:
+      pkg: bsd-mailx
+      state: present
+      cache_valid_time: 1800
+    when:
+      - easy_rsa_install | bool
+      - ansible_distribution_file_variety == "Debian"
+      - easy_rsa_alert_on_cert_expiration
+
+  - name: Install a cron job that runs the expiry check, daily
+    ansible.builtin.cron:
+      name: "Check on the certificate expiration"
+      job: "/usr/local/bin/check-x509-certs-expiration-date >/dev/null 2>&1"
+      state: present
+      special_time: daily
+      user: root
+      cron_file: check-certificates-expiration-date
+
+  when:
+    - easy_rsa_install | bool
+    - easy_rsa_alert_on_cert_expiration
+  tags: [ 'easyrsa', 'easy_rsa', 'ca', 'easy_rsa_expiry_check' ]
diff --git a/templates/check-x509-certs-expiration-date.sh.j2 b/templates/check-x509-certs-expiration-date.sh.j2
index 498924e..4613588 100644
--- a/templates/check-x509-certs-expiration-date.sh.j2
+++ b/templates/check-x509-certs-expiration-date.sh.j2
@@ -7,13 +7,13 @@ PUB_CERTS_DIR="/srv/CA/pki/issued"
 # 1 day in seconds 86400
 # 7 days in seconds: 604800
 # 30 days in seconds: 2592000
-DAYS="2592000"
+DAYS="{{ easy_rsa_alert_on_cert_seconds_before_expire }}"
 RETVAL=
 
 # Email settings
 _sub=" will expire within $DAYS seconds (30 days):"
-_from="isti-ca-noreply@isti.cnr.it"
-_to="s2i2s@isti.cnr.it"
+_from="{{ easy_rsa_alert_on_cert_from }}"
+_to="{{ easy_rsa_alert_on_cert_to }}"
 _openssl="/usr/bin/openssl"
 
 for cert in "$PUB_CERTS_DIR/"*.crt ; do
@@ -26,10 +26,12 @@ for cert in "$PUB_CERTS_DIR/"*.crt ; do
     # Send email
     if [ $RETVAL -ne 0 ] ; then
         echo "$cert ${_sub} $expiry_date"
-#            mail -s "$cert $_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($cert) will expire soon on $HOSTNAME [$(date)]: $expiry_date"
+{% if easy_rsa_alert_on_cert_expiration %}
+        mail -s "$cert $_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($cert) will expire soon on $HOSTNAME [$(date)]: $expiry_date"
 #            # See https://www.cyberciti.biz/mobile-devices/android/how-to-push-send-message-to-ios-and-android-from-linux-cli/ #
 #            source ~/bin/cli_app.sh
 #            push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null
+{% endif %}
     fi
 done