cert-expiry-finder

#!/bin/sh
# cert-expiry-finder (part of ossobv/vcutil) // wdoekes/2016-2024
#   // Public Domain
#
# Searches for X.509 (SSL/TLS) certificates in common locations and
# enumerates the expiry days.
#
# Usage:
#
#     cert-expiry-finder        # lists all certs and days
#     cert-expiry-finder --min  # lists the expiry nearest zero
#     cert-expiry-finder -h     # shows help and Zabbix example
#
# Other options to enable/limit scraping of Kubernetes certificates:
#
#     --with(out)-k8s-cert      # (1) certificatemanger.io resources
#     --with(out)-k8s-ingsecret # (2) tls secrets used by an ingress config
#     --with(out)-k8s-secret    # (4) tls secrets
#     --with(out)-all           # enable/disable all optional checks
#
# You can set the 'ossobv/vcutil.cert-expiry-finder.includes' label on
# the 'kube-system' namespace to an (string) value comprised of the
# bitmasks above. For example "3" for --with-k8s-cert (1) and
# --with-k8s-ingsecret (2). These then override the command line options.
#
# See also:
#
#     cert-expiry-check
#
# In some (cron) environments, we might not find all tools (like postconf!).
# Amend the PATH so we're more likely to.
PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Use GNU getopt(1) to reorder arguments
# Check GNU getopt availability and then use it to reorder arguments and
# set long options.
if test "$(getopt -l help -- 'h' 'a b c' -h --help 2>/dev/null)" = "\
 -h --help -- 'a b c'"; then
    argv=$(getopt \
        -l help -l min \
        -l with-all -l without-all \
        -l with-k8s-cert -l without-k8s-cert \
        -l with-k8s-ingsecret -l without-k8s-ingsecret \
        -l with-k8s-secret -l without-k8s-secret \
        -- 'h' "$@") || exit 1
    eval set --"$argv"
fi

set -u    # skip -e; we do want some results in case of failure
# set +H  # disable histexpand if you're running the stuff in your shell
s='[[:blank:]]'
S='[^[:blank:]]'

global_t0=$(date +%s)  # cache the "now" value

umask 0077
global_temp=$(mktemp)
trap "rm '$global_temp'" EXIT


enum_all_certs() {
    (
        enum_apache2_certs
        enum_dovecot_certs
        enum_etcd_certs
        enum_gitlab_certs
        enum_grafana_agent_certs
        enum_grafana_alloy_certs
        enum_haproxy_certs
        enum_kuberstuff_certs
        enum_mysql_wsrep_certs
        enum_nginx_certs
        enum_openvpn_certs
        enum_postfix_certs
        enum_promtail_certs
        enum_ser_certs
        enum_systemd_certs
        enum_vault_certs
        enum_zabbix_certs
    ) | LC_ALL=C sort -u
}

enum_apache2_certs() {
    find /etc/apache2/apache2.conf \
         /etc/apache2/mods-enabled/ssl.conf \
         /etc/apache2/sites-enabled/ \
        '(' -type f -o -type l ')' '!' -name '.*' -print0 2>/dev/null |
    xargs --no-run-if-empty -0 sed -ne "
        s/^$s*SSLCertificateFile$s\+\($S*\).*/\1/p"
}

enum_dovecot_certs() {
    find /etc/dovecot/ '(' -type f -o -type l ')' '!' -name '.*' \
        -print0 2>/dev/null |
    xargs --no-run-if-empty -0 sed -ne "
        s/^ssl_cert_file$s*=$s*\($S\+\).*/\1/p"
}

enum_etcd_certs() {
    sed -e "
        /^$s*\(cert\|trusted-ca\)-file:/"'!'"d
        s/^[^:]*:$s*//
        s/$s*$//
    " /etc/etcd/etcd.conf.yml 2>/dev/null || true
}

enum_gitlab_certs() {
    sed -e "
        /^nginx[[].ssl_certificate.[]]/!d
        s/[^=]*=$s*[\"']\([^\"']*\)[\"'].*/\1/
    " /etc/gitlab/gitlab.rb 2>/dev/null || true  # '"vimsynfix
}

enum_grafana_agent_certs() {
    sed -e "
        /^$s*cert_file:/!d;s/^[^:]*:$s*//;s/$s*//
    " /etc/grafana-agent.yaml 2>/dev/null || true
}

enum_grafana_alloy_certs() {
    sed -e "
        /^$s*cert_file$s*=/!d;s/^[^=]*=$s*//;s/\"//g
    " /etc/alloy/config.alloy 2>/dev/null || true
}

enum_haproxy_certs() {
    find /etc/haproxy/ -name '*.cfg' -print0 2>/dev/null |
    xargs --no-run-if-empty -0 sed -e "
        /^$s*bind$s.*${s}ssl\($\|$s\)/!d
        s/${s}\(ca-\(verify-\)\?file\|crl-file\|crt\(-list\)\?\)$s\+/\n|/g" |
    sed -e "/^|/!d;s/^.//;s/$s.*//" | while read f; do
      test -d "$f" && find "$f" -maxdepth 1 -type f || echo "$f"; done
}

enum_kuberstuff_certs() {
    # Expected paths:
    #   /etc/kubernetes/pki
    #   /var/lib/kube-apiserver/pki
    #   /var/lib/kube-controller-manager/pki
    #   /var/lib/kube-scheduler/pki
    #   /var/lib/kubelet/pki
    # Take only files with BEGIN CERTIFICATE. Doing it differently than the
    # others were we start with the configuration file. An alternative could
    # be to read /etc/default/kube*.
    find /etc/kubernetes/pki /var/lib/kube*/pki \
        -name '*.crt' 2>/dev/null |
        xargs --no-run-if-empty grep -l '^-----BEGIN CERTIFICATE-----'
        # no dollar, CR optional
}

enum_mysql_wsrep_certs() {
    find /etc/mysql/ -type f -name '*.cnf' -print0 2>/dev/null |
        xargs --no-run-if-empty -0 sed -ne "
            s/^\(tcert\|tca\|ssl-cert\|ssl-ca\)$s*=$s*\($S*\).*/\2/p" \
                2>/dev/null
    find /etc/mysql/ -type f -name '*.cnf' -print0 2>/dev/null |
        xargs --no-run-if-empty -0 grep 'wsrep_provider_options' 2>/dev/null |
            tr ';' '\n' | sed -ne "
                s/^\(socket.ssl_ca\|socket.ssl_cert\)=\($S*\).*/\2/p"
}

enum_nginx_certs() {
    find /etc/nginx/nginx.conf \
         /etc/nginx/conf.d/ \
         /etc/nginx/configs/ \
         /etc/nginx/sites-enabled/ \
        '(' -type f -o -type l ')' '!' -name '.*' -print0 2>/dev/null |
    xargs --no-run-if-empty -0 sed -ne "
        s/^$s*ssl_certificate$s\+\($S*\).*;.*/\1/p"
}

enum_openvpn_certs() {
    local f
    find /etc/openvpn /etc/openvpn-nl -maxdepth 2 -name '*.conf' 2>/dev/null |
    while read -r f; do
        local fpath certs cert
        local keywords='ca\|cert\|crl-verify\|extra-certs'
        certs=$(cat "$f" | sed -ne "
            s/^$s*\($keywords\)$s\+\([^[:blank:]#]*\).*/\2/p")
        fpath=${f%/*}
        for cert in $certs; do
            test "${cert#/}" = "${cert}" && cert=$fpath/$cert
            echo "$cert"
        done
        # Also list the config itself.
        # Maybe there are inline certs in <ca> and <cert> and <extra-cert>.
        # The enumerate_x509_expiry_seconds will extract all certificates.
        echo "$f"
    done
}

enum_postfix_certs() {
    postconf 'smtpd_tls_cert_file' 2>/dev/null |
    sed -e 's/.* = *//'
}

enum_promtail_certs() {
    find /etc/promtail/ -name '*.yaml' -print0 2>/dev/null |
        xargs --no-run-if-empty -0 sed -ne "
            s/^$s*cert_file$s*:$s*\($S*\).*/\1/p"
}

enum_ser_certs() {
    # tls_certificate = "XYZ"
    find /etc/kamailio/ /etc/opensips/ /etc/ser/ \
        '(' -type f -o -type l ')' -name '*.cfg' -print0 2>/dev/null |
    xargs --no-run-if-empty -0 sed -ne "
        s/^$s*tls_certificate$s*=$s*\"\($S*\)\".*/\1/p"

    # modparam("tls", "certificate", "XYZ")
    local mp=modparam
    local crt=certificate
    find /etc/kamailio/ /etc/opensips/ /etc/ser/ \
        '(' -type f -o -type l ')' -name '*.cfg' -print0 2>/dev/null |
    xargs --no-run-if-empty -0 sed -ne "
        s/^$s*$mp(\"tls\(_mgm\)\?\",$s*\"$crt\"$s*,$s*\"\([^\"]*\)\".*/\2/p"
}

enum_systemd_certs() {
    find /etc/systemd/ -maxdepth 2 -name '*.conf' -print0 2>/dev/null |
        xargs --no-run-if-empty -0 sed -ne "
            s/^ServerCertificateFile$s*=$s*\($S*\).*/\1/p"
}

enum_vault_certs() {
    find /etc/vault.d/ -type f -name '*.hcl' -print0 2>/dev/null |
    xargs --no-run-if-empty -0 sed -ne "
        s/^$s*tls_cert_file$s*=$s*\"\([^\"]*\)\".*/\1/p"
}

enum_zabbix_certs() {
    find /etc/zabbix/ -maxdepth 2 -name '*.conf' -print0 2>/dev/null |
        xargs --no-run-if-empty -0 sed -ne "
            s/^TLSCertFile$s*=$s*\($S*\).*/\1/p"
}

list_k8s_cert_expiry_days() {
    local includes="$1"

    if ! command -v kubectl >/dev/null; then
        return
    fi

    local k8s_label='ossobv/vcutil\.cert-expiry-finder\.includes'  # \-escape .
    local name namespace notafter expiry unixtime context context_includes
    local title=Kubernetes
    kubectl config get-contexts --no-headers -oname |
    while read -r context; do
        context_includes=$(
            kubectl --context="$context" get ns kube-system -o \
                jsonpath="{.metadata.labels.$k8s_label}")
        test -n "$context_includes" || context_includes=$includes

        if test "$((context_includes & 1))" -ne 0; then
            # Get certificate expiry dates from certificates.cert-manager.io
            kubectl --context="$context" get certificates.cert-manager.io -A \
                -ojson 2>/dev/null |
            jq -r '.items[] | select(.status.conditions[0]["status"]=="True"
                and .status.conditions[0]["reason"]=="Ready") |
                (.metadata.name + " " + .metadata.namespace + " " +
                .status.notAfter)' |
            while read name namespace notafter; do
                unixtime=$(date --date="$notafter" +%s)
                expiry=$(((unixtime - global_t0) / 86400))
                printf '%-7d %s (NS = %s, CRT = %s, CTX = %s)\n' \
                       $expiry "$title" "$namespace" "$name" "$context"
            done
        fi

        if test "$((context_includes & 6))" -ne 0; then
            # Get certificate expiry dates from secrets, but only if they
            # are not annotated with cert-manager.io (because we did those
            # already)
            local cert annotations extra tls_used_by_ingress
            tls_used_by_ingress=$(
                kubectl --context="$context" get ingress -A -o json | jq -r '
                .items[]|.metadata.namespace+"."+.spec.tls[]?.secretName' |
                sort -u)
            kubectl --context="$context" get secrets -A \
                    --field-selector=type=kubernetes.io/tls -ojson |
            jq -r '.items[] | (.data["tls.crt"] + " " + .metadata.name + " " +
                   .metadata.namespace + " " +
                   .metadata.annotations["cert-manager.io/issuer-group"])' |
            while read -r cert name namespace annotations; do
                if test "$((context_includes & 1))" -ne 0 &&
                        test -n "$annotations"; then
                    :  # has annotation, skip
                elif test "$((context_includes & 4))" -eq 0 &&
                        ! echo "$tls_used_by_ingress" |
                        grep -qxF "$namespace.$name"; then
                    # TODO: It would be nice if we did see these in some cases;
                    # these secrets could contain client certs for instance.
                    :  # $namespace.$name not used in any ingress
                else
                    echo "$cert" | base64 -d | enumerate_x509_expiry_seconds |
                    while read -r expiry extra; do
                        expiry=$((expiry / 86400))
                        printf '%-7d %s (NS = %s, CRT = %s, CTX = %s, %s)\n' \
                            $expiry "$title" "$namespace" "$name" "$context" \
                            "$extra"
                    done
                fi
            done
        fi
    done
}

list_local_cert_expiry_days() {
    local file expiry extra
    for file in "$@"; do
        expiry_after "$file" | while IFS=' ' read -r expiry extra; do
            if test -n "$expiry"; then
                expiry=$((expiry / 86400))
                test -z "$extra" || extra=" ($extra)"
                printf '%-7d %s%s\n' $expiry "$file" "$extra"
            else
                echo "expiry parse error: $file" >&2
            fi
        done
    done
}

enumerate_crl_expiry_seconds() {
    local date subject
    foreach_crl -noout -issuer -nextupdate | awk '
        /^issuer=/{sub(/^[^=]*=/, "");subj=$0}
        /^nextUpdate=/{
            sub(/^[^=]*=/, "");tm=$0;print tm "|" subj;tm=0;subj=""}
    ' | while IFS='|' read -r date subject; do
        local unixtime delta
        unixtime=$(date --date="$date" +%s)
        delta=$((unixtime - global_t0))
        echo "$delta $subject"
    done
}

enumerate_x509_expiry_seconds() {
    local date subject
    foreach_x509 -noout -subject -dates | awk '
        /^subject=/{sub(/^[^=]*=/, "");subj=$0}
        /^notAfter=/{sub(/^[^=]*=/, "");tm=$0;print tm "|" subj;tm=0;subj=""}
    ' | while IFS='|' read -r date subject; do
        local unixtime delta
        unixtime=$(date --date="$date" +%s)
        delta=$((unixtime - global_t0))
        echo "$delta $subject"
    done
}

foreach_crl() {
    local line
    awk '
        /^-----BEGIN X509 CRL-----/{buf="";start=1}
        /^-----END X509 CRL-----/{
            if(start){gsub("\r","",buf);print buf};start=0}
        {if(start==2)buf=(buf $0);if(start)start=2}
    ' | while read -r line; do
        cat >$global_temp <<EOF
-----BEGIN X509 CRL-----
$(echo "$line" | base64 -d | base64)
-----END X509 CRL-----
EOF
        openssl crl -in "$global_temp" "$@"
    done
}

foreach_x509() {
    local line
    awk '
        /^-----BEGIN CERTIFICATE-----/{buf="";start=1}
        /^-----END CERTIFICATE-----/{
            if(start){gsub("\r","",buf);print buf};start=0}
        {if(start==2)buf=(buf $0);if(start)start=2}
    ' | while read -r line; do
        cat >$global_temp <<EOF
-----BEGIN CERTIFICATE-----
$(echo "$line" | base64 -d | base64)
-----END CERTIFICATE-----
EOF
        openssl x509 -in "$global_temp" "$@"
    done
}

expiry_after() {
    local file
    file=$1
    case $file in
    *.crl|*/crl.pem)
        enumerate_crl_expiry_seconds <"$file"
        ;;
    *)
        enumerate_x509_expiry_seconds <"$file"
        ;;
    esac
}

list_cert_expiry_days() {
    local includes="$1"
    list_local_cert_expiry_days $(enum_all_certs)
    list_k8s_cert_expiry_days "$includes"
}

take_negative_value_nearest_zero() {
    # Instead of the lowest value, we're interested in the value that's
    # closest to (below) zero.
    # I.e.: [2,3,4] => 2, [-2,-1,2,3] => -1, [-1, 0, 1] => -1
    # If you want, you could then ignore values that are very very low
    # without missing out on values that are now invalid.
    awk '{
        if(n==""){n=$1}
        else if(n>=0&&$1<0){n=$1}
        else if(n<0&&$1<0&&$1>n){n=$1}
        else if(n>=0&&$1<n){n=$1}
    }
    END{if(n!=""){print n}else{exit 1}}'
}

usage() {
    cat << __EOF__
Usage: cert-expiry-finder [--min]

Enumerates all X.509 (SSL/TLS) certificates from common known locations
like nginx, apache2, postfix, and lists how many days there are left to
expiry.

Zabbix example:

    # The shortest amount of days before expiry of all certificates found on
    # this machine.
    UserParameter=cert.server.minexpiry,cert-expiry-finder --min || echo 5555

__EOF__
}


OPTIND=0
INCLUDE=0       # --with-*/--without-*
SUMMARY=false   # --min
for arg in "$@"; do
    case $arg in
    -h|--help) usage; exit 0;;
    --min) SUMMARY=true;;
    --with-k8s-cert) INCLUDE=$((INCLUDE | 1));;
    --without-k8s-cert) INCLUDE=$((INCLUDE & ~1));;
    --with-k8s-ingsecret) INCLUDE=$((INCLUDE | 2));;
    --without-k8s-ingsecret) INCLUDE=$((INCLUDE & ~2));;
    --with-k8s-secret) INCLUDE=$((INCLUDE | 4));;
    --without-k8s-secret) INCLUDE=$((INCLUDE & ~4));;
    --with-all) INCLUDE=255;;
    --without-all) INCLUDE=0;;
    --) OPTIND=$((OPTIND+1)); break;;
    -*) echo "Invalid option $arg; see --help for help" >&2; exit 1;;
    *) break;;
    esac
    OPTIND=$((OPTIND+1))
done
shift $OPTIND


# Files specified?
if test $# -gt 0; then
    if $SUMMARY; then
        for file in "$@"; do
            list_local_cert_expiry_days "$file"
        done | take_negative_value_nearest_zero
    else
        for file in "$@"; do
            list_local_cert_expiry_days "$file"
        done
    fi
    exit 0
fi

# No files
if $SUMMARY; then
    list_cert_expiry_days $INCLUDE | take_negative_value_nearest_zero
else
    list_cert_expiry_days $INCLUDE
fi

# vim: set ts=8 sw=4 sts=4 et ai: