LinuxQuestions.org

Thread: Certwatch for RHEL (https://www.linuxquestions.org/questions/linux-software-2/certwatch-for-rhel-4175448743/)

lce411 02-05-2013 01:27 PM

Certwatch for RHEL
 
I downloaded and installed crypto-utils via Yum, so that I could use the certwatch aspect of it. The cron job is designed to send an email only if an SSL cert is set to expire, which means I am having a hard time verifying if it was installed and configured correctly, since all my certs are new and current. Does anyone know how to test this, or maybe edit the cronjob so it sends an email even if no certs are set to expire? Below is the cronjob that is automatically created:
Code:

#!/bin/bash
#
# Issue warning e-mails if SSL certificates expire, using
# certwatch(1).  Set NOCERTWATCH=yes in /etc/sysconfig/httpd
# to disable.  Pass additional options to certwatch in the
# CERTWATCH_OPTS variable; see the man page for details.
#

[ -r /etc/sysconfig/httpd ] && . /etc/sysconfig/httpd

# Use configured httpd binary
httpd=${HTTPD-/usr/sbin/httpd}

# Sanity checks
test -z "${NOCERTWATCH}" || exit 0
test -x ${httpd} || exit 0
test -x /usr/bin/certwatch || exit 0
test -r /etc/httpd/conf/httpd.conf || exit 0
test -x /usr/sbin/sendmail || exit 0
test -x /etc/httpd/modules/mod_ssl.so || exit 0
test -x /bin/sort || exit 0

set -o pipefail # pick up exit code of httpd not sort

certs=`${httpd} ${OPTIONS} -t -DDUMP_CERTS 2>/dev/null | /bin/sort -u`
RETVAL=$?
test $RETVAL -eq 0 || exit 0

for c in $certs; do
  # Check whether a warning message is needed, then issue one if so.
  /usr/bin/certwatch $CERTWATCH_OPTS -q "$c" &&
    /usr/bin/certwatch $CERTWATCH_OPTS "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
done

And this is code for monitoring other certs not associated with Apache:
Code:

#!/bin/bash
#
# Issue warning e-mails if SSL certificates expire, using certwatch(1).
# Based on the certwatch cron script from the CentOS crypto-utils package
#
#
[ -r /etc/sysconfig/httpd ] && . /etc/sysconfig/httpd
# The globs are expanded when $INCLUDE_CERTS is used unquoted below
INCLUDE_CERTS='/etc/syslog-ng/etc/ca.d/*.pem /opt/syslog-ng/etc/cert.d/*.cert /opt/syslog-ng/etc/key.d/*.key'
 
certs=`ls $INCLUDE_CERTS 2>/dev/null`
RETVAL=$?
test $RETVAL -eq 0 || exit 0
 
for c in $certs; do
  # Check whether a warning message is needed, then issue one if so.
  if [[ ! "$c" =~ ca-bundle ]]; then
    /usr/bin/certwatch $CERTWATCH_OPTS -q "$c" &&
    /usr/bin/certwatch $CERTWATCH_OPTS "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
  fi
done


unSpawn 02-05-2013 02:26 PM

Quote:

Originally Posted by lce411 (Post 4884975)
Does anyone know how to test this

Something like
Code:

DAYS=256; PEM="/path/to/cert.pem"; certwatch -p $DAYS -q $PEM && echo "$PEM expires within $DAYS days."   # -q exits 0 when a warning is due, as in the cron script
(see 'man certwatch'.)
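
Added example (Python, not code from either post): a re-implementation of the exit-status rule that the one-liner above and the cron job's "-q && ... | sendmail" line both rely on, with a constructed stand-in certificate so the rule can be exercised offline when no real cert is near expiry; it also shows why a key file, as asked later in this thread, yields no result. Assumed: certwatch warns when notAfter is already past or falls within the -p period (default 30 days); REF_NOW, make_test_cert and certwatch_quiet are this example's own names.

```python
# Added example, not code from the thread: the decision behind 'certwatch -q'
# (exit 0 = a warning mail would go out), testable offline.  Assumption: certwatch
# warns when the cert has expired or expires within --period days (default 30).
import base64
import re
from datetime import datetime, timedelta, timezone
REF_NOW = datetime(2013, 2, 5, 12, 0, tzinfo=timezone.utc)  # constructed "today"

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(seq):
    pos, out = 0, []                                # elements of a DER SEQUENCE body
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def not_after(pem):
    """notAfter as an aware UTC datetime, or None if the file holds no certificate
    (a private key or DNSSEC key carries no X.509 validity, hence 'no results')."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m: return None
    _, cert, _ = _tlv(base64.b64decode(b"".join(m.group(1).split())), 0)
    fields = _children(_children(cert)[0][1])       # tbsCertificate
    if fields[0][0] == 0xA0:                        # optional explicit [0] version
        fields = fields[1:]
    vtag, raw = _children(fields[3][1])[1]          # serial, sigAlg, issuer, validity
    fmt = "%y%m%d%H%M%SZ" if vtag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)

def certwatch_quiet(pem, period_days=30, now=REF_NOW):
    """Mirror 'certwatch -p PERIOD -q FILE': 0 if a warning is due, 1 otherwise."""
    exp = not_after(pem)
    return 1 if exp is None else (0 if exp <= now + timedelta(days=period_days) else 1)

def make_test_cert(days_left, now=REF_NOW):
    """Constructed, unsigned stand-in certificate; only its validity is meaningful."""
    enc = lambda tag, body: bytes([tag, len(body)]) + body          # short-form lengths
    utc = lambda d: enc(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    validity = enc(0x30, utc(now - timedelta(days=1)) + utc(now + timedelta(days=days_left)))
    empty = enc(0x30, b"")
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + empty + empty + validity + empty + empty)
    der = enc(0x30, tbs + empty + enc(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

Forcing a mail while every cert is still fresh (the first post's other question) comes down to a period longer than the certs' remaining life, e.g. CERTWATCH_OPTS="-p 3650" in /etc/sysconfig/httpd, which here corresponds to certwatch_quiet(pem, 3650) returning 0.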

lce411 02-06-2013 10:54 AM

Quote:

Originally Posted by unSpawn (Post 4885004)
Something like
Code:

DAYS=256; PEM="/path/to/cert.pem"; certwatch -p $DAYS -q $PEM && echo "$PEM expires within $DAYS days."   # -q exits 0 when a warning is due, as in the cron script
(see 'man certwatch'.)

Do you have any idea if this tool, or more specifically this script, will work with keys? I am ultimately trying to find something to notify me of expiring DNS keys and I assumed this would work. I tried the command you suggested and got no results.

unSpawn 02-06-2013 04:14 PM

Quote:

Originally Posted by lce411 (Post 4885626)
I tried the command you suggested and got no results.

See 'man certwatch' then try w/o "-q"?


Quote:

Originally Posted by lce411 (Post 4885626)
I am ultimately trying to find something to notify me of expiring DNS keys

Then check DNSSEC Checker. You can use it with Nagios too.

lce411 02-07-2013 08:22 AM

Quote:

Originally Posted by unSpawn (Post 4885816)
See 'man certwatch' then try w/o "-q"?



Then check DNSSEC Checker. You can use it with Nagios too.

unSpawn,
Thanks for the help. Do you know of any documentation and/or install docs for DNSSEC Checker? We do have Nagios in our environment, so if this tool will monitor DNS key expiration and integrate with Nagios, then it sounds like the way I should go.

unSpawn 02-07-2013 08:39 AM

Tarballs commonly hold files like README and INSTALL or may even have a doc/ dir.

