#!/usr/bin/env bash
################################################################################
# Script Name : tls-notify-expiring-certificate.sh
# Description : Connects to URL:443, reads the TLS certificate it serves and,
#               when that certificate expires within THRESHOLD days (default
#               60), sends an HTML notification e-mail through the SendGrid v3
#               mail API.
# Args        : URL SENDER RECIPIENT API_KEY [THRESHOLD]
#               URL is a bare host name (no scheme, no path). API_KEY is read
#               from argv and is therefore visible to other local users via
#               `ps` for the lifetime of the curl call.
# Author      : Wellington Ozorio <[email protected]>
################################################################################
# Stop on the first failing command (-e), on any unset variable (-u) and on a
# failure in any stage of a pipeline (-o pipefail).
set -euo pipefail
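#######################################
# Print the usage line and terminate the script.
# Globals:   reads $0 for the script name
# Outputs:   diagnostics on stderr (not stdout, so they are never captured
#            by a $(...) in a caller or mixed into machine-readable output)
# Returns:   does not return; exits with status 1
#######################################
function usage() {
  printf 'ERROR: Missing or invalid arguments!\n' >&2
  printf 'Usage example: %s URL SENDER RECIPIENT API_KEY THRESHOLD (OPTIONAL)\n' "${0}" >&2
  exit 1
}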
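#######################################
# Verify that URL is a plain host name and that it resolves in DNS before any
# connection is attempted.
# Globals:   URL (read)
# Outputs:   diagnostics on stderr (stdout of this function is captured by a
#            caller's $(...), so an error printed there would be lost)
# Returns:   exits 1 on a malformed or unresolvable host name
#######################################
function check_url() {
  # Accept only letters, digits, '.', '-' and '_' with no leading '-'. This
  # keeps a value such as "-x" from being parsed as an option by host/openssl
  # and rejects scheme/path forms ("https://host/…"), which this script does
  # not handle (it connects to "${URL}:443" directly).
  if ! [[ "${URL}" =~ ^[A-Za-z0-9_]([A-Za-z0-9_.-]*[A-Za-z0-9_])?$ ]]; then
    printf 'ERROR: "%s" is not a valid host name. Pass a bare host name without scheme or path.\n' "${URL}" >&2
    exit 1
  fi
  if ! host "${URL}" >/dev/null; then
    printf 'ERROR: URL could not be resolved. Please ensure the correct address is passed.\n' >&2
    exit 1
  fi
}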
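#######################################
# Fetch the certificate that URL serves on port 443 and store it, PEM-encoded,
# in a temporary file whose path is printed on stdout. main captures that path
# with $(...), so every diagnostic goes to stderr or it would be swallowed.
# Globals:   URL (read)
# Outputs:   temp file path on stdout; diagnostics on stderr
# Returns:   exits 1 if URL does not resolve, the handshake fails or times out,
#            or no certificate block was received; the temp file is removed
#            on every error path
#######################################
function fetch_certificate() {
  # Check whether the URL can be resolved
  check_url
  # Define temp file used to store the certificate
  local CERT_FILE
  CERT_FILE=$(mktemp)
  # An empty stdin makes s_client close the connection right after the
  # handshake; only the PEM block is kept. With pipefail a failed or timed-out
  # handshake fails the pipeline; it is checked here so the error is reported
  # (instead of errexit aborting silently) and the temp file is cleaned up.
  local fetched=0
  if printf '' | timeout 5 openssl s_client -servername "${URL}" -connect "${URL}":443 2>/dev/null \
      | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >"${CERT_FILE}"; then
    fetched=1
  fi
  if [[ "${fetched}" -eq 0 || ! -s "${CERT_FILE}" ]]; then
    rm -f -- "${CERT_FILE}"
    printf 'ERROR: Could not read the expiration date of the certificate. Please check the TLS settings of the web server.\n' >&2
    exit 1
  fi
  echo "${CERT_FILE}"
}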
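#######################################
# Escape a string for use inside a JSON string literal (backslash, double
# quote, newline, carriage return and tab).
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout, no trailing newline
#######################################
function _json_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  s=${s//$'\n'/\\n}
  s=${s//$'\r'/\\r}
  s=${s//$'\t'/\\t}
  printf '%s' "${s}"
}

#######################################
# Post an HTML "certificate about to expire" notification to the SendGrid v3
# mail API.
# Globals:   URL, SENDER, RECIPIENT, API_KEY (read). CERT_EXPIRY_DATE_SHORT
#            and DATE_DIFF are read from the calling function's scope (bash
#            dynamic scoping), so this must be called from main after they
#            are set.
# Outputs:   progress on stdout, diagnostics on stderr
# Returns:   exits 1 when the API does not answer with a 2xx status
#######################################
function send_email() {
  local EMAIL_API="https://api.sendgrid.com/v3/mail/send"
  local SUBJECT="TLS certificate for ${URL} about to expire"
  local MESSAGE="<p> Dear Site Reliability Engineer, </p> \
<p> This is to notify you that the TLS certificate for <b>${URL}</b> will expire on <b>${CERT_EXPIRY_DATE_SHORT}</b>. </p> \
<p> Please ensure a new certificate is ordered and installed in a timely fashion. There are ${DATE_DIFF} days remaining. </p> \
<p> Sincerely yours, <br>DevOps Team </p>"
  # SENDER and RECIPIENT come straight from argv and are spliced into a JSON
  # document; a quote or backslash in them would break the body or let the
  # caller add fields of their own. Escape every value before interpolating.
  local to_json from_json subject_json body_json
  to_json=$(_json_escape "${RECIPIENT}")
  from_json=$(_json_escape "${SENDER}")
  subject_json=$(_json_escape "${SUBJECT}")
  body_json=$(_json_escape "${MESSAGE}")
  local REQUEST_DATA='{
  "personalizations": [
    {
      "to": [{"email": "'"${to_json}"'"}],
      "dynamic_template_data": { "first_name": "Operations" }
    }
  ],
  "from": {"email": "'"${from_json}"'"},
  "subject": "'"${subject_json}"'",
  "content": [{"type": "text/html", "value": "'"${body_json}"'"}]
}'
  echo "INFO: Sending out notification via e-mail"
  # The bearer token is handed to curl through a config file on stdin rather
  # than as an argv header, so it does not appear in the process list.
  # "|| true" keeps a transport failure (curl exits non-zero, http_code is
  # "000") from tripping errexit before the status check below reports it.
  local CURL_HTTP_CODE
  CURL_HTTP_CODE=$(
    curl \
      --request POST \
      --url "${EMAIL_API}" \
      --config - \
      --header "Content-Type: application/json" \
      --data "${REQUEST_DATA}" \
      --output /dev/null \
      --write-out "%{http_code}" \
      --silent <<EOF
header = "Authorization: Bearer ${API_KEY}"
EOF
  ) || true
  if [[ "${CURL_HTTP_CODE}" -lt 200 || "${CURL_HTTP_CODE}" -gt 299 ]]; then
    echo "ERROR: Failed sending notification with error code ${CURL_HTTP_CODE}!" >&2
    exit 1
  fi
}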
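#######################################
# Entry point: parse argv, fetch the certificate, compute the days until it
# expires and notify by e-mail when that is at or below THRESHOLD.
# Globals:   URL, SENDER, RECIPIENT, API_KEY, THRESHOLD (written here, read
#            by the other functions). CERT_EXPIRY_DATE_SHORT and DATE_DIFF are
#            locals that send_email reads through bash's dynamic scoping.
# Arguments: $1 host name, $2 sender address, $3 recipient address,
#            $4 SendGrid API key, $5 optional threshold in days (default 60)
# Outputs:   status lines on stdout, diagnostics on stderr
# Returns:   exits 1 on bad arguments or any failed step
#######################################
function main() {
  # Check if the right number of arguments was passed
  if [[ "${#}" -lt 4 ]]; then
    usage
  fi
  URL=$1
  SENDER=$2
  RECIPIENT=$3
  API_KEY=$4
  # Assign a default value of 60 (days) to the THRESHOLD variable if an argument in the 5th position is not passed
  THRESHOLD=${5:-60}
  # A non-numeric threshold would make the [[ -le ]] comparison below fail
  # with an obscure error; reject it up front, before any network traffic.
  if ! [[ "${THRESHOLD}" =~ ^[0-9]+$ ]]; then
    printf 'ERROR: THRESHOLD must be a non-negative integer, got "%s".\n' "${THRESHOLD}" >&2
    usage
  fi
  # Fail early with a clear message when an external tool is missing.
  local tool
  for tool in host openssl timeout sed curl date; do
    if ! command -v "${tool}" >/dev/null 2>&1; then
      printf 'ERROR: required command "%s" is not installed.\n' "${tool}" >&2
      exit 1
    fi
  done
  local CERT_FILE
  CERT_FILE=$(fetch_certificate)
  # Remove the temp file on every exit path, including errexit aborts in the
  # steps below. The path is expanded now because CERT_FILE is local to main
  # and is no longer set when the EXIT trap runs.
  local cleanup_cmd
  printf -v cleanup_cmd 'rm -f -- %q' "${CERT_FILE}"
  trap "${cleanup_cmd}" EXIT
  # Get certificate expiration date; sed drops the "notAfter=" prefix that
  # openssl prints in front of the date
  local CERT_EXPIRY_DATE
  CERT_EXPIRY_DATE=$(openssl x509 -in "${CERT_FILE}" -enddate -noout | sed "s/.*=\(.*\)/\1/")
  local CERT_EXPIRY_DATE_SHORT
  CERT_EXPIRY_DATE_SHORT=$(date -d "${CERT_EXPIRY_DATE}" +%d-%b-%Y)
  # Convert certificate expiration date into seconds (GNU date -d syntax)
  local CERT_EXPIRY_DATE_SECS
  CERT_EXPIRY_DATE_SECS=$(date -d "${CERT_EXPIRY_DATE}" +%s)
  # Convert current date into seconds
  local CURRENT_DATE_SECS
  CURRENT_DATE_SECS=$(date -d now +%s)
  # Whole days left; integer division truncates toward zero, and a negative
  # value means the certificate has already expired
  local DATE_DIFF
  DATE_DIFF=$(((CERT_EXPIRY_DATE_SECS - CURRENT_DATE_SECS) / 86400))
  # Check if certificate has expired or will expire before the threshold
  if [[ "${DATE_DIFF}" -lt 0 ]]; then
    echo "WARN: Oops! Certificate expired $((-DATE_DIFF)) days ago (on ${CERT_EXPIRY_DATE_SHORT})."
    send_email
  elif [[ "${DATE_DIFF}" -le "${THRESHOLD}" ]]; then
    echo "WARN: Oops! Certificate will expire in ${DATE_DIFF} days."
    send_email
  else
    echo "INFO: Nothing to worry about. TLS certificate will expire only in ${DATE_DIFF} days from now. To be more precise on ${CERT_EXPIRY_DATE_SHORT}"
  fi
}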
# Script entry point: forward every command-line argument to main as-is.
main "${@}"