From da047368bd99f75e9d2a95ed00dcc7cbe92c700d Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Thu, 20 Jan 2022 14:05:37 +0100
Subject: [PATCH] Cron job that check the expiration dates.

---
 defaults/main.yml | 5 +++
 tasks/main.yml | 35 +++++++++++++++++++
 .../check-x509-certs-expiration-date.sh.j2 | 10 +++---
 3 files changed, 46 insertions(+), 4 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index ef62266..874b56c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -20,3 +20,8 @@ easy_rsa_req_org: 'Organization'
 easy_rsa_add_crl_url: False
 easy_rsa_crl_url: http://localhost/crl/crl.pem
 easy_rsa_critical_ca_false: True
+
+easy_rsa_alert_on_cert_expiration: False
+easy_rsa_alert_on_cert_seconds_before_expire: '2592000'
+easy_rsa_alert_on_cert_from: 'ca-noreply@example.com'
+easy_rsa_alert_on_cert_to: 'ca-noreply@example.com'
diff --git a/tasks/main.yml b/tasks/main.yml
index e4b00c3..6965604 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
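Review bot: The new `easy_rsa_alert_on_cert_to` default is the same no-reply placeholder as the sender, so a deployment that enables the check without overriding it sends expiry warnings to a mailbox nobody reads, and nothing in the defaults says the value must be changed. Add a comment above the key, e.g. `# Placeholder: set to a monitored mailbox, otherwise expiry alerts are lost`. The meaning and unit of `easy_rsa_alert_on_cert_seconds_before_expire` are also only recoverable from the template; a one-line comment such as `# Seconds before expiry at which alerting starts (2592000 = 30 days); kept as a string for the shell template` would let an operator set it without reading the script.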
@@ -76,3 +76,38 @@ when: easy_rsa_install | bool tags: [ 'easyrsa', 'easy_rsa', 'ca' ] + +- name: Expiration check + block: + - name: Install the mailx package on EL + ansible.builtin.yum: + pkg: mailx + state: present + when: + - easy_rsa_install | bool + - ansible_distribution_file_variety == "RedHat" + - easy_rsa_alert_on_cert_expiration + + - name: Install the mailx package on deb systems + ansible.builtin.apt: + pkg: bsd-mailx + state: present + cache_valid_time: 1800 + when: + - easy_rsa_install | bool + - ansible_distribution_file_variety == "Debian" + - easy_rsa_alert_on_cert_expiration + + - name: Install a cron job that runs the expiry check, daily + ansible.builtin.cron: + name: "Check on the certificate expiration" + job: "/usr/local/bin/check-x509-certs-expiration-date >/dev/null 2>&1" + state: present + special_time: daily + user: root + cron_file: check-certificates-expiration-date + + when: + - easy_rsa_install | bool + - easy_rsa_alert_on_cert_expiration + tags: [ 'easyrsa', 'easy_rsa', 'ca', 'easy_rsa_expiry_check' ] diff --git a/templates/check-x509-certs-expiration-date.sh.j2 b/templates/check-x509-certs-expiration-date.sh.j2 index 498924e..4613588 100644 --- a/templates/check-x509-certs-expiration-date.sh.j2 +++ b/templates/check-x509-certs-expiration-date.sh.j2 @@ -7,13 +7,13 @@ PUB_CERTS_DIR="/srv/CA/pki/issued" # 1 day in seconds 86400 # 7 days in seconds: 604800 # 30 days in seconds: 2592000 -DAYS="2592000" +DAYS="{{ easy_rsa_alert_on_cert_seconds_before_expire }}" RETVAL= # Email settings _sub=" will expire within $DAYS seconds (30 days):" -_from="isti-ca-noreply@isti.cnr.it" -_to="s2i2s@isti.cnr.it" +_from="{{ easy_rsa_alert_on_cert_from }}" +_to="{{ easy_rsa_alert_on_cert_to }}" _openssl="/usr/bin/openssl" for cert in "$PUB_CERTS_DIR/"*.crt ; do 
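Review bot: The block-level `when` already requires `easy_rsa_install | bool` and `easy_rsa_alert_on_cert_expiration`, so repeating both conditions in each of the three inner tasks is redundant and the three copies will drift. The flag is also tested bare, while the adjacent `easy_rsa_install` condition uses `| bool`; a value passed as the string `"false"` (for instance via extra-vars) can evaluate as truthy in the bare form depending on the Ansible version, so the block condition should read `- easy_rsa_alert_on_cert_expiration | bool` and the inner `when:` lists can be dropped. Separately, the cron entry's `>/dev/null 2>&1` discards every error from the check: a missing `mail` binary, an unreadable certificate or an openssl failure all leave the job looking healthy, which defeats the purpose of an expiry alert; dropping the stderr redirect (leaving `>/dev/null`) lets cron's normal MAILTO delivery surface failures.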
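Review bot: `DAYS` is now templated from `easy_rsa_alert_on_cert_seconds_before_expire`, but the context line `_sub=" will expire within $DAYS seconds (30 days):"` still hard-codes "(30 days)", so any non-default value produces a mail subject that misstates the warning window; derive it instead, `_sub=" will expire within $DAYS seconds ($((DAYS / 86400)) days):"`. The two new address assignments drop the Jinja value straight into a double-quoted shell string, so an address containing `"`, `$` or a backtick is expanded or breaks the script at render time; Ansible's shell-quoting filter avoids that, `_from={{ easy_rsa_alert_on_cert_from | quote }}` and `_to={{ easy_rsa_alert_on_cert_to | quote }}`. The `for` loop that consumes these values continues outside the hunk.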
@@ -26,10 +26,12 @@ for cert in "$PUB_CERTS_DIR/"*.crt ; do # Send email if [ $RETVAL -ne 0 ] ; then echo "$cert ${_sub} $expiry_date" -# mail -s "$cert $_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($cert) will expire soon on $HOSTNAME [$(date)]: $expiry_date" +{% if easy_rsa_alert_on_cert_expiration %} + mail -s "$cert $_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($cert) will expire soon on $HOSTNAME [$(date)]: $expiry_date" # # See https://www.cyberciti.biz/mobile-devices/android/how-to-push-send-message-to-ios-and-android-from-linux-cli/ # # source ~/bin/cli_app.sh # push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null +{% endif %} fi done
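Review bot: The new `{% if easy_rsa_alert_on_cert_expiration %}` guard is plain Jinja truthiness on the raw variable, so a flag supplied as the string `"false"` renders the `mail` line anyway; write it as `{% if easy_rsa_alert_on_cert_expiration | bool %}` to match the `| bool` convention used in tasks/main.yml. Because the cron entry that runs this script discards its output, a missing or misconfigured `mail` command inside the guard fails silently and the expiry warning is never delivered; a check such as `command -v mail >/dev/null || { echo "mail not found" >&2; exit 1; }` before the loop would make that failure visible. The guard itself is resolved at template-render time, so the cron job's own `when:` condition already makes it redundant; if kept, a comment saying so, e.g. `# rendered only when alerting is enabled; the cron job is installed under the same condition`, would save the next reader a look at the tasks.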