#!/bin/bash
# By Parin Patel April2020
# Test for OpenSSL - if not installed stop here.
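# Preflight: every external tool this script shells out to must be on PATH.
# `command -v` replaces `which` because, when the tool is missing, `which`
# prints nothing and the unquoted empty expansion turned the old test into
# `[[ -x ]]` -- a one-argument string test that is always TRUE, so the
# check never fired.
if ! command -v openssl >/dev/null 2>&1; then
  printf '\nOpenSSL not found or not executable.\nPlease install OpenSSL before proceeding.\n\n' >&2
  exit 1
fi
if [[ $(uname) == "Darwin" ]]; then
  # macOS ships no `timeout`; GNU coreutils provides it as `gtimeout`.
  if ! command -v gtimeout >/dev/null 2>&1; then
    printf '\ngtimeout not found or not executable.\nPlease install gtimeout before proceeding.\n brew install coreutils \n\n' >&2
    exit 1
  fi
else
  if ! command -v timeout >/dev/null 2>&1; then
    printf '\ntimeout not found or not executable.\nPlease install timeout before proceeding.\n\n' >&2
    exit 1
  fi
fi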
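### user adjustable variables ###
# openssl query timeout, kept as a "timeout N" command prefix (two words,
# so it is deliberately expanded unquoted at its call sites).  Overridden
# on the command line with '-t'.
if [[ $(uname) == "Darwin" ]]; then
  openssl_timeout="gtimeout 10"
else
  openssl_timeout="timeout 10"
fi
# 30 days is the default warning threshold - overridden on command line with '-d':
days_to_warn=30
# default name for file lists
sitelist=./websites.txt
### Clear/list/set defaults for variables ###
epoch_day=86400
epoch_warning=$((days_to_warn*epoch_day))
regex_numbers='^[0-9]+$'
expire="0"        # 0 ok, 1 warning, 2 expired, 3 date not found (set by check_expiry)
website=""
port=""
tls="0"           # "1" when the port implies STARTTLS (see parse_port)
sTLS=""
show_tls=""
certfilename=""
location=""
filename=""
#COLORS
color="0"
# tput fails and writes to stderr when TERM is unset (cron, CI, plain
# pipes); silence that so the script still runs, with empty colour codes.
RED=$(tput setaf 1 2>/dev/null)    #expired!!
GREEN=$(tput setaf 2 2>/dev/null)  #within bounds
YELLOW=$(tput setaf 3 2>/dev/null) #warning/date close!
NC=$(tput sgr0 2>/dev/null)        #reset to normal
#
usage="
$(basename "$0") [-h] [-c] [-d DAYS] [-t TIMEOUT] [-f FILENAME] | [-w WEBSITE] | [-s SITELIST]
Retrieve the expiration date(s) on SSL certificate(s) using OpenSSL.
Usage:
-h Help
-c Color output
-d Amount of days to show warnings (default is 30 days)
Example: -d 15
-t Amount of seconds to wait for timeout (default is 10 secs)
Example: -t 3
-f SSL date from FILENAME
Example: -f /home/user/example.pem
-w SSL date from SITE(:PORT) (Port defaults to 443)
Example: -w www.example.com
-s SSL date(s) from SITELIST
Example: -s ./websites.txt
List format: sub.domain.tld:993 (one per line - port optional)
Example:
$ $(basename "$0") -c -d 14 -s ./websites.txt
WARNS (in color) if within 14 days of expiring on each entry in the file list.
"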
#FUNCTIONS
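#######################################
# Abort unless $1 is a non-negative whole number (matches $regex_numbers).
# Globals:   regex_numbers (read), usage (read)
# Arguments: $1 - value to validate (typically an OPTARG)
# Outputs:   error text plus usage on stderr when validation fails
# Returns:   0 on success; exits 1 on failure
#######################################
is_integer() {
  if [[ $1 =~ $regex_numbers ]]; then
    return 0
  fi
  # %s keeps $usage out of the printf format string, so any '%' or
  # backslash sequence in the help text can no longer be interpreted.
  printf '\nError.\nNot a number. You used a parameter that requires a whole number.\n%s' "$usage" >&2
  exit 1
}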
#######################################
# Show the interactive main menu and read one keystroke into REPLY.
# Globals:   REPLY (written) - the key pressed: "1", "2", or anything else
# Outputs:   menu text on stdout
#######################################
menu_input() {
  printf '\n%s\n%s\n\n' \
    "1: Enter file location of certificate" \
    "2: Enter an Internet site in form of subdomain.domain.tld(:port)"
  read -r -n 1 -p "Enter 1 or 2 (anything else quits): "
  printf '\n'
}
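#######################################
# Prompt the user for a lookup target and store it in $location.
# Globals:   lookuptype (read, shown in the prompt), location (written)
# Outputs:   prompt on stdout
#######################################
get_lookup_input() {
  location=""
  printf '\n'
  # -r keeps backslashes literal, so a path such as C:\certs\site.pem is
  # stored exactly as typed instead of being mangled before use.
  read -r -p "Please enter the $lookuptype location: " location
}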
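#######################################
# Prepare the printf formats used by output_site and print the table header.
# Globals:   days_to_warn, color, GREEN, YELLOW, RED, NC (read)
#            set_formatting, set_formatting_green, set_formatting_yellow,
#            set_formatting_red (written)
# Outputs:   warning threshold, colour state and column header on stdout
#######################################
set_format() {
  set_formatting="%-40s%-25s\n"
  set_formatting_green=$set_formatting
  set_formatting_yellow=$set_formatting
  set_formatting_red=$set_formatting
  # Data goes through %s rather than into the format string itself.
  printf '\nWarning is %s days.\n' "$days_to_warn"
  printf 'Color is '
  if [[ $color == "1" ]]; then
    # Colour only the LOCATION column; NC resets before the date column.
    set_formatting_green="$GREEN%-40s$NC%-25s\n"
    set_formatting_yellow="$YELLOW%-40s$NC%-25s\n"
    set_formatting_red="$RED%-40s$NC%-25s\n"
    printf 'enabled.\n\n'
  else
    printf 'disabled.\n\n'
  fi
  printf "$set_formatting" "LOCATION" "EXPIRATION DATE"
  printf "$set_formatting" "--------" "---------------"
}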
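#######################################
# Split $website into host and port ("host:port" form); default port 443.
# Globals:   website (read, rewritten to the bare host when a numeric port
#            was present), regex_numbers (read)
#            port, tls, show_tls (written)
# Notes:     port 587 selects an SMTP STARTTLS lookup (tls="1").
#            A non-numeric suffix leaves $website untouched and port at 443.
#######################################
parse_port() {
  local host rest
  port=443
  tls="0"
  show_tls=""
  # Pure parameter expansion replaces the old echo|awk|cut pipeline: the
  # user-supplied value is never word-split, globbed, or misread as an
  # echo option, and no extra processes are spawned per lookup.
  if [[ $website == *:* ]]; then
    host=${website%%:*}
    rest=${website#*:}
    rest=${rest%%:*}
    if [[ $rest =~ $regex_numbers ]]; then # -> port was found
      website=$host
      port=$rest
      if [[ $port == "587" ]]; then # Use TLS lookup and notify
        show_tls=" (TLS)"
        tls="1"
      fi
    fi
  fi
}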
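#######################################
# Fetch the notAfter date of one certificate and classify it.
# Globals:   lookuptype, certfilename, website, port, tls,
#            openssl_timeout ("timeout N" prefix, expanded unquoted on
#            purpose), epoch_warning (read)
#            expire (0 ok, 1 warning, 2 expired, 3 not found/unparseable),
#            expire_date, expire_epoch, today_epoch, timeleft, sTLS (written)
# Returns:   0 always; the result is carried in $expire / $expire_date
#######################################
check_expiry() {
  local -a args
  expire="0"
  # use epoch times for calcs/compares
  today_epoch="$(date +%s)"
  sTLS=""
  if [[ $tls == "1" ]]; then
    sTLS=" -starttls smtp"
  fi
  # openssl arguments are built as an array so that a host or file name
  # taken from user input (-w, -f, or a line of the site list) is always
  # passed as exactly one argument and cannot be split into additional
  # openssl options.
  if [[ $lookuptype == "FILENAME" ]]; then
    # x509 parses the PEM directly; it has no STARTTLS mode, so $sTLS is
    # deliberately not appended here.
    args=(x509 -in "$certfilename" -noout -dates)
    expire_date=$($openssl_timeout openssl "${args[@]}" 2>/dev/null \
      | awk -F= '/^notAfter/ { print $2; exit }')
  else
    args=(s_client -servername "$website" -connect "$website:$port")
    if [[ $tls == "1" ]]; then
      args+=(-starttls smtp)
    fi
    expire_date=$($openssl_timeout openssl "${args[@]}" </dev/null 2>/dev/null \
      | openssl x509 -noout -dates 2>/dev/null \
      | awk -F= '/^notAfter/ { print $2; exit }')
  fi
  if [[ -n $expire_date ]]; then # -> found date-process it:
    if [[ $(uname) == "Darwin" ]]; then
      expire_epoch=$(date -j -f "%b %d %T %Y %Z" "$expire_date" "+%s" 2>/dev/null)
    else
      expire_epoch=$(date +%s -d "$expire_date" 2>/dev/null)
    fi
    if [[ -z $expire_epoch ]]; then
      # date could not parse what openssl printed; report it like a
      # missing date but keep the raw text so the user can see it.
      expire="3"
      return 0
    fi
    timeleft=$((expire_epoch - today_epoch))
    if (( timeleft <= epoch_warning )); then #WARN
      expire="1"
    fi
    if (( today_epoch >= expire_epoch )); then #EXPIRE
      expire="2"
    fi
  else
    expire="3"
    expire_date="N/A "
  fi
}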
#######################################
# Resolve one target (site or file), then print its row in the table.
# Globals:   lookuptype, website, port, show_tls, filename, expire,
#            expire_date, set_formatting* (read); display_site (written)
# Outputs:   one formatted row on stdout; the marker after the date is
#            " !" (warning), " !!" (expired), " !!!" (date not found)
#######################################
output_site() {
  local fmt marker
  parse_port
  check_expiry
  if [[ $lookuptype == "FILENAME" ]]; then
    display_site="$filename$show_tls"
  else
    display_site="$website:$port$show_tls"
  fi
  case "$expire" in
    1) fmt=$set_formatting_yellow; marker=" !" ;;   # YELLOW OUTPUT - warning
    2) fmt=$set_formatting_red;    marker=" !!" ;;  # RED OUTPUT - expired
    3) fmt=$set_formatting;        marker=" !!!" ;; # NO COLOR - NOT FOUND
    *) fmt=$set_formatting_green;  marker="" ;;     # GREEN OUTPUT
  esac
  printf "$fmt" "$display_site" "$expire_date$marker"
}
#
#######################################
# Look up one Internet site; prompts for it when $website is empty.
# Globals:   website, location (read/written), lookuptype (written,
#            cleared again on return)
# Outputs:   table header and one result row on stdout
#######################################
client_lookup() {
  lookuptype="WEBSITE"
  # Interactive path: nothing was passed with -w, so ask the user.
  [[ -n $website ]] || { get_lookup_input; website=$location; }
  set_format
  output_site
  lookuptype=""
  website=""
  printf '\n'
}
#######################################
# Look up one certificate file; prompts for the path when $certfilename
# is empty.
# Globals:   certfilename, location (read/written), filename and
#            lookuptype (written, cleared again on return)
# Outputs:   table header and one result row on stdout
#######################################
file_lookup() {
  lookuptype="FILENAME"
  # Interactive path: nothing was passed with -f, so ask the user.
  [[ -n $certfilename ]] || { get_lookup_input; certfilename=$location; }
  # Only the base name is shown in the LOCATION column.
  filename=$(basename -- "$certfilename")
  set_format
  output_site
  lookuptype=""
  filename=""
  printf '\n'
}
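#######################################
# Look up every non-empty line of the site list file $sitelist.
# Globals:   sitelist (read), website (written per line),
#            lookuptype (written, cleared again on return)
# Outputs:   table header and one result row per entry on stdout
#######################################
list_lookup() {
  lookuptype="FILELIST"
  set_format
  # `|| [[ -n $website ]]` still processes a last line that has no
  # trailing newline.  A trailing CR (list edited on Windows, CRLF
  # endings) is stripped so it never reaches openssl as part of the host.
  while IFS= read -r website || [[ -n $website ]]; do
    website=${website%$'\r'}
    if [[ -n $website ]]; then
      output_site
    fi
  done < "$sitelist"
  lookuptype=""
  printf '\n'
}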
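#HANDLE ARGUMENTS
# Options are processed in command-line order, and -f / -s / -w perform
# their lookup and exit at once, so -c, -d and -t only take effect when
# they appear BEFORE the lookup option.
while getopts ':hcd:f:s:w:t:' option; do
  case "$option" in
    h) printf '%s' "$usage"
       exit 0
       ;;
    c) color="1"
       ;;
    d) is_integer "$OPTARG"
       if (( OPTARG >= 1 && OPTARG <= 365 )); then
         days_to_warn="$OPTARG"
         epoch_warning=$((days_to_warn*epoch_day))
       else
         printf '\nDays must be between 1 and 365\n%s' "$usage" >&2
         exit 1
       fi
       ;;
    f) certfilename=$OPTARG
       # Readability is checked first and the lookup runs only when it
       # passes; the former `a && b || c; exit 1` form ran `exit 1` even
       # after a successful lookup, so monitoring wrappers saw a failure.
       if [[ ! -r $certfilename ]]; then
         printf '\nFile not found/not readable. Permissions?\n\n' >&2
         exit 1
       fi
       file_lookup
       exit 0
       ;;
    s) sitelist=$OPTARG
       if [[ ! -r $sitelist ]]; then
         printf '\nFile not found/not readable. Permissions?\n\n' >&2
         exit 1
       fi
       list_lookup
       exit 0
       ;;
    w) website=$OPTARG
       client_lookup
       exit 0
       ;;
    t) # Validate like -d: a non-numeric value would otherwise make every
       # `timeout N` invocation fail silently and report "N/A".
       is_integer "$OPTARG"
       if [[ $(uname) == "Darwin" ]]; then
         openssl_timeout="gtimeout $OPTARG"
       else
         openssl_timeout="timeout $OPTARG"
       fi
       ;;
    :) printf '\nYou specified a flag that needs an argument.\n%s' "$usage" >&2
       exit 1
       ;;
    *) # getopts puts the unknown option character in OPTARG.
       printf "\nI do not understand '-%s'.\n%s" "$OPTARG" "$usage" >&2
       exit 1
       ;;
  esac
done
shift $((OPTIND - 1))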
#LOOP RUN (default if no flags)
# With no options on the command line, fall back to the interactive menu
# and keep offering it until the user picks something other than 1 or 2.
if (( $# == 0 )); then
  printf '\nNo flags used or available. Interactive mode.\n'
  while :; do
    menu_input
    case "$REPLY" in
      1) file_lookup ;;
      2) client_lookup ;;
      *) # anything else quits; use `return` when the script was sourced
         if [[ $0 == "$BASH_SOURCE" ]]; then
           exit 1
         else
           return 1
         fi
         ;;
    esac
    printf '\n'
  done
fi