Cron job that check the expiration dates.
This commit is contained in:
parent
498405318d
commit
da047368bd
|
@ -20,3 +20,8 @@ easy_rsa_req_org: 'Organization'
|
||||||
easy_rsa_add_crl_url: False
|
easy_rsa_add_crl_url: False
|
||||||
easy_rsa_crl_url: http://localhost/crl/crl.pem
|
easy_rsa_crl_url: http://localhost/crl/crl.pem
|
||||||
easy_rsa_critical_ca_false: True
|
easy_rsa_critical_ca_false: True
|
||||||
|
|
||||||
|
easy_rsa_alert_on_cert_expiration: False
|
||||||
|
easy_rsa_alert_on_cert_seconds_before_expire: '2592000'
|
||||||
|
easy_rsa_alert_on_cert_from: 'ca-noreply@example.com'
|
||||||
|
easy_rsa_alert_on_cert_to: 'ca-noreply@example.com'
|
||||||
|
|
|
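Review bot: The new flag `easy_rsa_alert_on_cert_expiration: False` uses a capitalised Python-style literal, whereas Ansible and yamllint's `truthy` rule expect lowercase `false`; the pre-existing `easy_rsa_add_crl_url: False` and `easy_rsa_critical_ca_false: True` lines have the same habit, so this is a consistency point rather than a defect. The seconds value deserves a comment so operators do not have to open the script to decode it, e.g. `# Seconds before expiry at which to alert: 2592000 = 30 days, 604800 = 7 days, 86400 = 1 day`. `easy_rsa_alert_on_cert_from` and `easy_rsa_alert_on_cert_to` default to the same placeholder address, which is fine for a default, but the role documentation (not visible here) should state that `_to` must be overridden or nobody receives the warning.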
@ -76,3 +76,38 @@
|
||||||
|
|
||||||
when: easy_rsa_install | bool
|
when: easy_rsa_install | bool
|
||||||
tags: [ 'easyrsa', 'easy_rsa', 'ca' ]
|
tags: [ 'easyrsa', 'easy_rsa', 'ca' ]
|
||||||
|
|
||||||
|
- name: Expiration check
|
||||||
|
block:
|
||||||
|
- name: Install the mailx package on EL
|
||||||
|
ansible.builtin.yum:
|
||||||
|
pkg: mailx
|
||||||
|
state: present
|
||||||
|
when:
|
||||||
|
- easy_rsa_install | bool
|
||||||
|
- ansible_distribution_file_variety == "RedHat"
|
||||||
|
- easy_rsa_alert_on_cert_expiration
|
||||||
|
|
||||||
|
- name: Install the mailx package on deb systems
|
||||||
|
ansible.builtin.apt:
|
||||||
|
pkg: bsd-mailx
|
||||||
|
state: present
|
||||||
|
cache_valid_time: 1800
|
||||||
|
when:
|
||||||
|
- easy_rsa_install | bool
|
||||||
|
- ansible_distribution_file_variety == "Debian"
|
||||||
|
- easy_rsa_alert_on_cert_expiration
|
||||||
|
|
||||||
|
- name: Install a cron job that runs the expiry check, daily
|
||||||
|
ansible.builtin.cron:
|
||||||
|
name: "Check on the certificate expiration"
|
||||||
|
job: "/usr/local/bin/check-x509-certs-expiration-date >/dev/null 2>&1"
|
||||||
|
state: present
|
||||||
|
special_time: daily
|
||||||
|
user: root
|
||||||
|
cron_file: check-certificates-expiration-date
|
||||||
|
|
||||||
|
when:
|
||||||
|
- easy_rsa_install | bool
|
||||||
|
- easy_rsa_alert_on_cert_expiration
|
||||||
|
tags: [ 'easyrsa', 'easy_rsa', 'ca', 'easy_rsa_expiry_check' ]
|
||||||
|
|
|
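Review bot: The conditions `- easy_rsa_alert_on_cert_expiration` in the task-level and block-level `when:` lists test the raw variable, while the neighbouring `easy_rsa_install | bool` casts it; a value supplied as a string (for example `-e easy_rsa_alert_on_cert_expiration=false`) is truthy in Jinja and would still install the mail package and the root cron job. Use `- easy_rsa_alert_on_cert_expiration | bool` everywhere the flag is tested. The cron entry `job: "/usr/local/bin/check-x509-certs-expiration-date >/dev/null 2>&1"` discards all output, so a missing script or a failing `mail` call never surfaces; dropping the redirect (cron then mails root on output) or logging to a file under `/var/log` would make failures visible. Whether Debian's `bsd-mailx` accepts the `-r` sender flag the script passes should be verified on a target host. The task that deploys the script itself is not in this hunk, so I cannot confirm the path it expects.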
@ -7,13 +7,13 @@ PUB_CERTS_DIR="/srv/CA/pki/issued"
|
||||||
# 1 day in seconds 86400
|
# 1 day in seconds 86400
|
||||||
# 7 days in seconds: 604800
|
# 7 days in seconds: 604800
|
||||||
# 30 days in seconds: 2592000
|
# 30 days in seconds: 2592000
|
||||||
DAYS="2592000"
|
DAYS="{{ easy_rsa_alert_on_cert_seconds_before_expire }}"
|
||||||
RETVAL=
|
RETVAL=
|
||||||
|
|
||||||
# Email settings
|
# Email settings
|
||||||
_sub=" will expire within $DAYS seconds (30 days):"
|
_sub=" will expire within $DAYS seconds (30 days):"
|
||||||
_from="isti-ca-noreply@isti.cnr.it"
|
_from="{{ easy_rsa_alert_on_cert_from }}"
|
||||||
_to="s2i2s@isti.cnr.it"
|
_to="{{ easy_rsa_alert_on_cert_to }}"
|
||||||
_openssl="/usr/bin/openssl"
|
_openssl="/usr/bin/openssl"
|
||||||
|
|
||||||
for cert in "$PUB_CERTS_DIR/"*.crt ; do
|
for cert in "$PUB_CERTS_DIR/"*.crt ; do
|
||||||
|
@ -26,10 +26,12 @@ for cert in "$PUB_CERTS_DIR/"*.crt ; do
|
||||||
# Send email
|
# Send email
|
||||||
if [ $RETVAL -ne 0 ] ; then
|
if [ $RETVAL -ne 0 ] ; then
|
||||||
echo "$cert ${_sub} $expiry_date"
|
echo "$cert ${_sub} $expiry_date"
|
||||||
# mail -s "$cert $_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($cert) will expire soon on $HOSTNAME [$(date)]: $expiry_date"
|
{% if easy_rsa_alert_on_cert_expiration %}
|
||||||
|
mail -s "$cert $_sub" -r "$_from" "$_to" <<< "Warning: The TLS/SSL certificate ($cert) will expire soon on $HOSTNAME [$(date)]: $expiry_date"
|
||||||
# # See https://www.cyberciti.biz/mobile-devices/android/how-to-push-send-message-to-ios-and-android-from-linux-cli/ #
|
# # See https://www.cyberciti.biz/mobile-devices/android/how-to-push-send-message-to-ios-and-android-from-linux-cli/ #
|
||||||
# source ~/bin/cli_app.sh
|
# source ~/bin/cli_app.sh
|
||||||
# push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null
|
# push_to_mobile "$0" "$_sub. See $_to email for detailed log. -- $HOSTNAME " >/dev/null
|
||||||
|
{% endif %}
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
|
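Review bot: The subject line `_sub=" will expire within $DAYS seconds (30 days):"` still hard-codes "(30 days)" although `DAYS` is now templated from `easy_rsa_alert_on_cert_seconds_before_expire`, so a 7-day setting sends a subject that claims 30 days; derive it instead: `_sub=" will expire within $DAYS seconds ($((DAYS / 86400)) days):"`. The new `{% if easy_rsa_alert_on_cert_expiration %}` relies on Jinja truthiness, so a string value such as "false" would render the `mail` call; cast it as `{% if easy_rsa_alert_on_cert_expiration | bool %}` to match the task file. `_from` and `_to` are pasted into double-quoted shell strings, so a value containing `"` or `$` would break the generated script; a comment such as `# _from/_to must be plain addresses (no shell metacharacters)` above them documents the constraint. The loop body that sets `RETVAL` and `expiry_date` lies between the two hunks and is outside this view.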