I downloaded and installed crypto-utils via Yum so that I could use the certwatch part of it. The cron job is designed to send an email only if an SSL cert is about to expire, which means I am having a hard time verifying whether it was installed and configured correctly, since all my certs are new and current. Does anyone know how to test this, or maybe how to edit the cron job so it sends an email even if no certs are about to expire? Below is the cron job that is created automatically:
Code:
#!/bin/bash
#
# Issue warning e-mails if SSL certificates expire, using
# certwatch(1). Set NOCERTWATCH=yes in /etc/sysconfig/httpd
# to disable. Pass additional options to certwatch in the
# CERTWATCH_OPTS variable; see the man page for details.
#

[ -r /etc/sysconfig/httpd ] && . /etc/sysconfig/httpd

# Use configured httpd binary
httpd=${HTTPD-/usr/sbin/httpd}

# Sanity checks
test -z "${NOCERTWATCH}" || exit 0
test -x ${httpd} || exit 0
test -x /usr/bin/certwatch || exit 0
test -r /etc/httpd/conf/httpd.conf || exit 0
test -x /usr/sbin/sendmail || exit 0
test -x /etc/httpd/modules/mod_ssl.so || exit 0
test -x /bin/sort || exit 0

set -o pipefail # pick up exit code of httpd not sort
certs=`${httpd} ${OPTIONS} -t -DDUMP_CERTS 2>/dev/null | /bin/sort -u`
RETVAL=$?
test $RETVAL -eq 0 || exit 0

for c in $certs; do
  # Check whether a warning message is needed, then issue one if so.
  /usr/bin/certwatch $CERTWATCH_OPTS -q "$c" &&
    /usr/bin/certwatch $CERTWATCH_OPTS "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
done
And this is the code for monitoring other certs not associated with Apache:
Code:
#!/bin/bash
#
# Issue warning e-mails if SSL certificates expire, using certwatch(1).
# Based on the certwatch cron script from the CentOS crypto-tools package
#

[ -r /etc/sysconfig/httpd ] && . /etc/sysconfig/httpd

# Globs of the non-Apache certificates to check (closing quote was missing
# in the pasted version, which made the shell choke on an unterminated string)
INCLUDE_CERTS='/etc/syslog-ng/etc/ca.d/*.pem /opt/syslog-ng/etc/cert.d/*.cert /opt/syslog-ng/etc/key.d/*.key'

certs=`ls $INCLUDE_CERTS 2>/dev/null`
RETVAL=$?
test $RETVAL -eq 0 || exit 0

for c in $certs; do
  # Check whether a warning message is needed, then issue one if so.
  # CA bundles are skipped; they hold many certs and are not ours to renew.
  if [[ ! "$c" =~ ca-bundle ]]; then
    /usr/bin/certwatch $CERTWATCH_OPTS -q "$c" &&
      /usr/bin/certwatch $CERTWATCH_OPTS "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
  fi
done
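One way to exercise the warning and mail path without waiting for a cert to expire, as an added example that is not part of the original post or of the crypto-utils package: run the same -q / sendmail pipeline as the cron job, but with certwatch's -p DAYS warning period (default 30, per certwatch(1)) set far beyond any cert lifetime so every cert counts as expiring. CERTWATCH, SENDMAIL and the cert_needs_warning/check_certs function names are this example's own assumptions.

```shell
#!/bin/bash
# Added example (not the crypto-utils cron script): exercise the warning
# and mail path of the cron job above without waiting for a cert to expire.
# Assumes certwatch(1) takes -p DAYS (warning period, default 30) and -q
# (exit 0 only when a warning is due), as documented in its man page.
# CERTWATCH and SENDMAIL can be overridden to point at a stand-in, e.g.
# SENDMAIL=cat prints each warning mail instead of sending it.
CERTWATCH=${CERTWATCH:-/usr/bin/certwatch}
SENDMAIL=${SENDMAIL:-/usr/sbin/sendmail}
CERTWATCH_WARNED=0

# cert_needs_warning DAYS CERT: exit 0 if CERT expires within DAYS.
# CA bundles are skipped, as the syslog-ng variant of the script does.
cert_needs_warning() {
    case "$2" in *ca-bundle*) return 1 ;; esac
    "$CERTWATCH" -p "$1" -q "$2"
}

# check_certs DAYS CERT...: same -q / mail pipeline as the cron job, with
# an explicit warning period; the number of mails sent is left in
# CERTWATCH_WARNED so a caller can check that something was actually sent.
check_certs() {
    local period=$1 warned=0 c
    shift
    for c in "$@"; do
        if cert_needs_warning "$period" "$c"; then
            "$CERTWATCH" -p "$period" "$c" | "$SENDMAIL" -oem -oi -t
            warned=$((warned + 1))
        fi
    done
    CERTWATCH_WARNED=$warned
}

# main: discover certs the way the cron job does and force a warning for
# all of them with a period longer than any cert lifetime (36500 days).
main() {
    certs=$(${HTTPD-/usr/sbin/httpd} -t -DDUMP_CERTS 2>/dev/null | /bin/sort -u) || exit 1
    check_certs 36500 $certs
    echo "warnings issued: $CERTWATCH_WARNED" >&2
}

# Run as:  SENDMAIL=cat ./certwatch-test.sh run
case "${1-}" in run) main ;; esac
```

The installed cron job can be forced the same way by putting CERTWATCH_OPTS="-p 36500" in /etc/sysconfig/httpd and running the cron script by hand, then removing the setting again once a mail has arrived.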