This repository has been archived by the owner on Jan 11, 2025. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 18
/
Copy pathcheck-expiration
47 lines (38 loc) · 2.19 KB
/
check-expiration
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
#!/bin/bash
WHO=`whoami`
if [ $WHO != "zimbra" ]
then
echo
echo "Execute this scipt as user zimbra (\"su - zimbra\")"
echo
exit 1
fi
if [ $# -ne 2 ]
then
echo
echo "Send an email notification when Zimbra TLS certificates are about to expire."
echo
echo "Usage: check-expiration [num-days] [notify-email]"
echo "Example: check-expiration 25 notify-address@example.com"
echo
exit 1
fi
DAYS="$1"
notify="$2"
expDates=$(/opt/zimbra/bin/zmcertmgr viewdeployedcrt | grep notAfter| awk -F '=' '{print $2}')
inXdays=$(($(date +%s) + (86400*$DAYS)));
while IFS= read -r expDate; do
expirationDate=$(date -d "$expDate" +%s)
if [ $inXdays -gt $expirationDate ]; then
echo -e "Subject:Zimbra TLS certificate is about to expire \n\nA Zimbra TLS certificate is about to expire, please be advised that even if you use a proxy with a certificate that does not expire, Zimbra LDAP requires a certificate that has not expired.\n\n\nOutput from zmcertmgr viewdeployedcrt:\n`/opt/zimbra/bin/zmcertmgr viewdeployedcrt`\n\n\nFor immediate remediation see: https://wiki.zimbra.com/wiki/Regenerate_Self-Signed_SSL_Certificate_-_Single-Server\n" | /opt/zimbra/common/sbin/sendmail $notify
exit 1
fi;
done <<< "$expDates"
#In case the certificate was renewed but Zimbra not restarted, zmcertmgr viewdeployedcrt shows certificate that will be used after restart, so check the running cert manually
expDate=$(cat /opt/zimbra/ssl/zimbra/server/server.crt | /opt/zimbra/common/bin/openssl x509 -noout -enddate | grep notAfter| awk -F '=' '{print $2}')
expirationDate=$(date -d "$expDate" +%s)
if [ $inXdays -gt $expirationDate ]; then
echo -e "Subject:Zimbra TLS certificate is about to expire \n\nA Zimbra TLS certificate (/opt/zimbra/ssl/zimbra/server/server.crt) is about to expire, please be advised that even if you use a proxy with a certificate that does not expire, Zimbra LDAP requires a certificate that has not expired.\n\n\n`cat /opt/zimbra/ssl/zimbra/server/server.crt | /opt/zimbra/common/bin/openssl x509 -noout -enddate -startdate -subject`\n\n\nFor immediate remediation see: https://wiki.zimbra.com/wiki/Regenerate_Self-Signed_SSL_Certificate_-_Single-Server\n" | /opt/zimbra/common/sbin/sendmail $notify
exit 1
fi;
exit 0