I am Eric Hameleers, and this is where I think out loud.

Watching out for expiring SSL certificates

I guess that, like me, you will be using one or more SSL certificates to encrypt client/server communications.

I use self-signed certificates as well as several which I created at http://CAcert.org/ for encrypting traffic between me and my web server, my IMAP server, my SMTP server and more. All of these will eventually expire; a limited validity period is part of the blanket of security you apply to your services.

An expired server certificate should at least generate warnings when a client connects to it; some clients will even refuse to connect to an encrypted data stream that uses an expired certificate.

So you will have to watch out for the expiration of your certificates and replace them with new ones before any client programs are affected.

There is a one-liner command to show you when an SSL certificate (let’s call it “somecert.pem”) expires:

# openssl x509 -noout -in somecert.pem -enddate | cut -d= -f2-

The command returns something like:

Nov 29 12:20:12 2010 GMT 

I use this command in a cron job that checks all SSL certificates in the “/etc/ssl/certs/” directory of my Slackware server for imminent expiration and starts sending me daily emails one month in advance. This is the script’s content; I scheduled it to run every day:

#!/bin/bash
#---------------------------------------------------------------------
# Check SSL certificate expiry. Warn root via email.
# Eric Hameleers, 23may2005
#---------------------------------------------------------------------
CERTDIR="/etc/ssl/certs"
WARNDAYS=31
#---------------------------------------------------------------------
# Work in whole days since the epoch so the comparison is a simple subtraction.
TODAY=$(( $(date +%s)/86400 ))
for i in "${CERTDIR}"/*.pem ; do
  # Skip the literal pattern when the directory holds no .pem files
  # ("-f" follows symlinks, so symlinked certificates are still checked):
  [ -f "$i" ] || continue
  EXPDATE=$(openssl x509 -noout -in "$i" -enddate | cut -d= -f2-)
  EXPDAY=$(( $(date -d "${EXPDATE}" +%s)/86400 ))
  DAYSLEFT=$(( EXPDAY - TODAY ))
  if [ $DAYSLEFT -le $WARNDAYS ] ; then
    (cat <<EOT
!!! SSL CERTIFICATE EXPIRY !!!
==============================
The SSL Certificate '$i'
which is located in directory '${CERTDIR}'
will expire in less than $DAYSLEFT days!
(A negative number means the certificate has already expired.)
NOTE:
You can check the contents of this certificate by running
'openssl x509 -text -noout -in $i'
==============================
Your Administrator.
EOT
    ) | mail -s "SSL Cert '$i' pending expiry on $(hostname)" root
  fi
done

Hope it can be of use to some of you.

Eric
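As an added example (this is not Eric's script above and not code from any Slackware package), here is the same check split into small shell functions, so that the date arithmetic and the warn/expired classification can be exercised on the text that "openssl x509 -noout -enddate" prints without needing a certificate file. It assumes GNU date (for "date -d") and the openssl command-line tool; the WARNDAYS variable and all function names are my own choices. The directory scan uses a glob plus "test -f", which also picks up the symlinked certificates that a "find -type f" would skip (the point raised in the comments below).

```shell
#!/bin/bash
# Added example, not the blog post's script: reusable functions around the
# same "openssl x509 -noout -enddate" call, split so the date arithmetic can
# be tested without a certificate. Assumes GNU date (for "date -d") and the
# openssl command-line tool; WARNDAYS and the function names are assumptions.

WARNDAYS="${WARNDAYS:-31}"

# seconds_until_expiry NOTAFTER [NOW_EPOCH]
#   NOTAFTER is the text after "notAfter=" in the openssl output, e.g.
#   "Nov 29 12:20:12 2010 GMT". Prints the seconds remaining relative to
#   NOW_EPOCH (default: the current time); negative once the cert expired.
seconds_until_expiry() {
    exp=$(date -u -d "$1" +%s) || return 1
    echo $(( exp - ${2:-$(date +%s)} ))
}

# cert_status SECONDS_LEFT [WARNDAYS]  ->  prints expired | expiring | ok
cert_status() {
    if [ "$1" -lt 0 ]; then
        echo expired
    elif [ "$1" -le $(( ${2:-$WARNDAYS} * 86400 )) ]; then
        echo expiring
    else
        echo ok
    fi
}

# check_cert FILE [NOW_EPOCH] [WARNDAYS]
#   Prints "<status> <days left> <file>" and returns 0 only for status ok,
#   so a cron job can mail on a non-zero exit. "openssl x509" reads only the
#   first certificate in a file; a bundle must be split before checking.
check_cert() {
    notafter=$(openssl x509 -noout -in "$1" -enddate 2>/dev/null | cut -d= -f2-)
    if [ -z "$notafter" ]; then
        echo "unreadable - $1"
        return 2
    fi
    left=$(seconds_until_expiry "$notafter" "$2") || return 2
    status=$(cert_status "$left" "$3")
    echo "$status $(( left / 86400 )) $1"
    [ "$status" = ok ]
}

# scan_certdir DIR [WARNDAYS]
#   Checks every *.pem and *.crt in DIR. The glob plus "test -f" also covers
#   symlinked certificates, which "find -type f" would never look at.
#   Returns non-zero if any certificate is expiring, expired or unreadable.
scan_certdir() {
    rc=0
    for f in "$1"/*.pem "$1"/*.crt; do
        [ -f "$f" ] || continue      # no match: the literal pattern is skipped
        check_cert "$f" "" "${2:-$WARNDAYS}" || rc=1
    done
    return $rc
}

# Usage: certcheck.sh /etc/ssl/certs [WARNDAYS]
if [ $# -gt 0 ]; then
    scan_certdir "$1" "${2:-$WARNDAYS}"
fi
```

From cron you would run it as `certcheck.sh /etc/ssl/certs || mail -s "certificate check failed on $(hostname)" root`, with the one-line report per certificate on standard output. If all you need is a yes/no answer for a single file, `openssl x509 -noout -checkend $((31*86400)) -in somecert.pem` exits non-zero when the certificate expires within that many seconds, which saves the date arithmetic entirely.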

Comments

Comment from alienbob
Posted: November 19, 2010 at 14:57

Oops, chopp in ##slackware pointed out the script was giving errors. Turned out I did a bad job of converting into $().
The post has been updated with a working version of the script.

Eric

Comment from Chris Abela
Posted: November 28, 2010 at 21:41

root@darkstar:/etc# cat /etc/cron.daily/certwatch
#!/bin/sh
#
# Will check all certificates stored in $CERTDIR for their expiration date,

I think that it is already available

Comment from alienbob
Posted: November 28, 2010 at 21:49

Hahaha!

You know, I have never seen that script before. I wrote the certificate checker for my Slackware 10.0 server, a long time ago, and as I am in the process of migrating to a new 13.1 server I am re-creating stuff to give me the functionality on 13.1 that I am used to having on 10.0.

But I failed to consider the possibility that something like certwatch got added in the meantime.

I guess I have never used SSL certificates on anything else than my old server, so the /etc/cron.daily/certwatch script never triggered on any of my Slackware desktop machines.

Thanks for pointing it out Chris.

Eric

Comment from Richard
Posted: May 20, 2011 at 13:58

I like the new script because it works.
And because it is small, easy to read and appropriate for Slackware.

The old “certwatch” script does not work!
It only searches for real files (find -type f) and all of the PEM files are symbolic links… so it never even looks at them… (Edit the script and put a “set -x” near the top and then look at the output)

What do you name your script? I call it “certalien”
and it now sits happily in my /etc/cron.daily directory.

Pingback from Cron warns me ca-certificates.crt is about to expire.
Posted: November 25, 2011 at 02:08

[...] parameter). * When running the script in a terminal to stdout, I borrowed some script snippets from Eric to show a list of problematic certificates. Only thing remaining is get updated certificates. [...]

Pingback from Slackware 14.0 RC4 – Page 13
Posted: September 16, 2012 at 22:59

[...] ca-certificates-20120623-noarch-2 package using a weekly cron script based on code from Alien Bob: http://alien.slackbook.org/blog/watc…-certificates/ The expired certificate is: !!! SSL CERTIFICATE EXPIRY !!! ============================== The [...]
