-rw-r--r--check-certificates.sh56
1 files changed, 45 insertions, 11 deletions
diff --git a/check-certificates.sh b/check-certificates.sh
index ba9e326..8835b28 100644
--- a/check-certificates.sh
+++ b/check-certificates.sh
@@ -1,9 +1,31 @@
#!/bin/env bash
+# This script checks the validity of the certificates in the directory
+# ${CERTIFICATES_DIR} and renews them if necessary.
+#
+# It uses the local CA certificate and key to check the validity of the
+# certificates in the directory ${CERTIFICATES_DIR}.
+#
+# The script is intended to be run from a systemd timer every day.
+
+
+# TODO: Configure the following variables from cli arguments
+# TODO: Rewrite this shit in Python
CERTIFICATES_DIR="/srv/certs/"
-LOCAL_CA_CERT="${CERTIFICATES_DIR}/luffy_local_ca/local_ca.cert"
+LOCAL_CA_CERT="${CERTIFICATES_DIR}/box.ache.one/local_box_ca.cert"
+LOCAL_CA_KEY=$(echo "${LOCAL_CA_CERT}" | sed 's/.cert$/.key/')
HAS_RENEW_CERT=""
+if [ ! -r "$LOCAL_CA_CERT" ]; then
+ echo "☠️ Please re-check that local CA cert \"$LOCAL_CA_CERT\" exists"
+ exit
+fi
+if [ ! -r "$LOCAL_CA_KEY" ]; then
+ echo "☠️ Please re-check that local CA key \"$LOCAL_CA_KEY\" exists"
+ exit
+fi
+
+
date
echo -e "Checking certificate validity (NotAfter field)\n"
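Review bot: The two new `if [ ! -r … ]` guards call bare `exit`, so a missing or unreadable CA cert or key ends the script with status 0 and the systemd timer the header describes never records a failure; use `exit 1` in both branches and send the message to stderr, e.g. `echo "☠️ Please re-check that local CA key \"$LOCAL_CA_KEY\" exists" >&2`. The derivation `LOCAL_CA_KEY=$(echo "${LOCAL_CA_CERT}" | sed 's/.cert$/.key/')` uses an unescaped `.` in the pattern, so it also matches names that merely end in `cert`; the parameter expansion `LOCAL_CA_KEY="${LOCAL_CA_CERT%.cert}.key"` is exact and needs no subshell. `-r` confirms the key file can be read but nothing rejects an empty file; `[ ! -s "$LOCAL_CA_KEY" ]` would catch that case before a signing attempt fails later with a less obvious message.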
@@ -11,9 +33,9 @@ echo -e "Checking certificate validity (NotAfter field)\n"
pushd ${CERTIFICATES_DIR} >/dev/null 2>/dev/null
for cert in $(find -name "*.cert"); do
if openssl x509 -checkend 345600 -noout -in ${cert} > /dev/null; then
- echo -e "\t✔️ $(basename ${cert}) will expire in more than 4 days"
+ echo -e "✔️ $(basename ${cert}) will expire in more than 4 days"
else
- echo "⚠️ $(basename ${cert}) will expire soon !"
+ echo -e "❌ $(basename ${cert}) will expire soon !"
if [ $(basename "$cert") = $(basename "$LOCAL_CA_CERT") ]; then
echo -e "\t⛔ I don't renew local CA certificate"
continue
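Review bot: The rewritten echo lines keep `$(basename ${cert})` unquoted, and `-in ${cert}` on the preceding test is unquoted too, while the renewal commands later in this commit quote every path; a certificate file name containing whitespace or a glob character is split or expanded here, so quote them: `if openssl x509 -checkend 345600 -noout -in "${cert}" > /dev/null; then` and `echo -e "✔️ $(basename "${cert}") will expire in more than 4 days"`. The underlying cause is the unchanged `for cert in $(find -name "*.cert")`, which word-splits find's output; `while IFS= read -r -d '' cert; do … done < <(find . -name '*.cert' -print0)` iterates safely. The `pushd ${CERTIFICATES_DIR}` line above it silences errors and is not checked, so if the directory is missing the scan presumably runs in whatever the current directory happens to be; `pushd "${CERTIFICATES_DIR}" >/dev/null 2>&1 || exit 1` would stop it. The for loop's body continues past the end of this hunk.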
@@ -25,20 +47,32 @@ for cert in $(find -name "*.cert"); do
echo "Renewing ${cert}"
echo "Creating new CSR ($NEW_CSR)"
- echo $cert
- echo $CERT_KEY
- echo $CERT_CONFIG
+ echo ${cert}
+ echo ${CERT_KEY}
+ echo ${CERT_CONFIG}
+
+ # Sign the new signing request
+ if openssl req -new -key "${CERT_KEY}" -out "${NEW_CSR}" -config "${CERT_CONFIG}"; then
+ echo "👍 CSR created"
+ else
+ echo "❌ Failled to create signing request!"
+ continue
+ fi
- openssl req -new -key ${CERT_KEY} -out $NEW_CSR -config $CERT_CONFIG
echo "Renewing certificate"
- openssl x509 -req -CA $LOCAL_CA_CERT -CAkey $LOCAL_CA_KEY -in $NEW_CSR -out $cert -days 10 -CAcreateserial -extensions v3_ext -extfile $CERT_CONFIG -sha256
- HAS_RENEW_CERT="yes"
+ openssl x509 -req -CA "${LOCAL_CA_CERT}" -CAkey "${LOCAL_CA_KEY}" -in "${NEW_CSR}" -out "${cert}" -days 10 -CAcreateserial -extensions v3_ext -extfile "${CERT_CONFIG}" -sha256
+ if [ $? -eq 0 ]; then
+ HAS_RENEW_CERT="yes"
+ echo "✔️ Certificate renew"
+ else
+ echo "❌ Failled to renew certificate!"
+ fi
fi
done
echo -e "\nNo more certificate to check"
-if [ -z $HAS_RENEW_CERT ]; then
- echo "🔃 Reload nginx certificates"
+if [ -n "$HAS_RENEW_CERT" ]; then
+ echo "🔃 Reload nginx configuration (and update certificates)"
nginx -s reload
fi
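Review bot: The new renewal branch signs straight into the live file with `-out "${cert}"`, so if `openssl x509 -req` fails after opening its output (the `❌ Failled to renew certificate!` path) the deployed certificate may be left empty or truncated while `HAS_RENEW_CERT` stays unset and nginx is never reloaded; writing to a sibling temp file and replacing only on success keeps the old certificate intact: `-out "${cert}.new"` on the openssl line and `mv -- "${cert}.new" "${cert}"` inside the success branch. The success test `if [ $? -eq 0 ]; then` also differs from the `if openssl req …; then` form the same commit uses for the CSR a few lines up; wrapping the x509 call in `if` directly is more robust and consistent. The messages `Failled to create signing request!`, `Failled to renew certificate!` and `Certificate renew` should read `Failed …` and `Certificate renewed`. The `for cert` loop enclosing this hunk starts in the previous hunk, and `NEW_CSR`, `CERT_KEY` and `CERT_CONFIG` are assigned outside the visible lines.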