Changeset 2545 for trunk/server


Ignore:
Timestamp:
Jul 26, 2014, 6:59:34 PM (10 years ago)
Author:
andersk
Message:
Test all certificates for expiration, including intermediates
File:
1 edited

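--- a/trunk/server/fedora/config/etc/pki/tls/certs/check.pl
+++ b/trunk/server/fedora/config/etc/pki/tls/certs/check.pl
@@ -1,28 +1,49 @@
 #!/usr/bin/perl
 
+use strict;
+use warnings;
+use autodie;
+use Date::Parse;
 use File::Basename;
-use Date::Parse;
+use Getopt::Long qw(:config bundling);
+use IPC::Open2;
 
-my $dir = dirname($0);
-chdir $dir or die "Failed to chdir('$dir'): $!";
+chdir dirname($0);
 
 my $now = time();
 
-our $verbose = 0;
-$verbose = 1 if ($ARGV[0] eq "-v");
+GetOptions(
+  "verbose|v" => \my $verbose,
+) or exit 2;
 
 use constant WARNING => 60*60*24*14; # Warn if a cert is expiring within 14 days
 
 foreach my $cert (glob "*.pem") {
-  open(X509, "-|", qw(openssl x509 -in), $cert, qw(-enddate -noout)) or die "Couldn't invoke openssl x509: $!";
-  chomp(my $exp = <X509>);
-  close(X509);
-  $exp =~ s/^notAfter=// or warn "Cert appears broken: $cert";
+  open(CERT, "<", $cert);
+  my $ins = do {local $/; <CERT>};
+  close(CERT);
 
-  my $time = str2time($exp);
+  for my $in ($ins =~ /^-----BEGIN CERTIFICATE-----\n.*?^-----END CERTIFICATE-----\n/msg) {
+    my $pid = open2(\*X509, \*IN, qw(openssl x509 -enddate -noout));
+    print IN $in;
+    close(IN);
+    my $out = do {local $/; <X509>};
+    close(X509);
+    waitpid($pid, 0);
 
-  if ($verbose || ($time - $now) <= WARNING) {
-    printf "Certificate expiring in %.2f days: %s for ", (($time - $now) / (60.0*60*24)), $cert;
-    system(qw(openssl x509 -in), $cert, qw(-subject -noout));
+    my $exp;
+    unless (defined $out and ($exp) = $out =~ /^notAfter=(.*)$/m) {
+      warn "Cert appears broken: $cert";
+      next;
+    }
+
+    my $time = str2time($exp);
+
+    if ($verbose || ($time - $now) <= WARNING) {
+      printf "Certificate expiring in %.2f days: %s for ", (($time - $now) / (60.0*60*24)), $cert;
+      open(IN, '|-', qw(openssl x509 -subject -noout));
+      print IN $in;
+      close(IN);
+    }
   }
 }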
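Review bot: A .pem file that yields zero matches of the BEGIN/END regex in the new `for my $in (...)` loop is silently skipped, so a truncated, empty, or CRLF-terminated file (the pattern requires a bare `\n` after each marker) never triggers the "Cert appears broken" warning that the old single-cert path would have produced — the check only fires once a block has been handed to openssl. Collect the matches first and warn when the list is empty: `my @blocks = $ins =~ /^-----BEGIN CERTIFICATE-----\n.*?^-----END CERTIFICATE-----\n/msg;` then `warn "No certificates found: $cert" unless @blocks;` and `for my $in (@blocks) {`. Relatedly, `str2time($exp)` returns undef for a date it cannot parse, and the following `$time - $now` would then report a hugely negative number of days rather than a broken cert; a `defined $time` guard with the same warn-and-next treatment would close that gap (this was also true of the old code). Since the file now enables `autodie`, I believe a non-zero exit from the `openssl x509 -subject` child at the later `close(IN)` would abort the whole scan instead of just this cert, which is probably not the intent for a monitoring script — worth confirming.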