Certwatch for RHEL

lce411 · 02-05-2013, 01:27 PM

I downloaded and installed crypto-utils via Yum, so that I could use the certwatch aspect of it. The cron job is designed to send an email only if an SSL cert is set to expire, which means I am having a hard time verifying if it was installed and configured correctly, since all my certs are new and current. Does anyone know how to test this, or maybe edit the cronjob so it sends an email even if no certs are set to expire? Below is the cronjob that is automatically created:

Code:

#!/bin/bash
#
# Issue warning e-mails if SSL certificates expire, using
# certwatch(1).  Set NOCERTWATCH=yes in /etc/sysconfig/httpd
# to disable.  Pass additional options to certwatch in the
# CERTWATCH_OPTS variable; see the man page for details.
#

[ -r /etc/sysconfig/httpd ] && . /etc/sysconfig/httpd

# Use configured httpd binary
httpd=${HTTPD-/usr/sbin/httpd}

# Sanity checks
test -z "${NOCERTWATCH}" || exit 0
test -x ${httpd} || exit 0
test -x /usr/bin/certwatch || exit 0
test -r /etc/httpd/conf/httpd.conf || exit 0
test -x /usr/sbin/sendmail || exit 0
test -x /etc/httpd/modules/mod_ssl.so || exit 0
test -x /bin/sort || exit 0

set -o pipefail # pick up exit code of httpd not sort

certs=`${httpd} ${OPTIONS} -t -DDUMP_CERTS 2>/dev/null | /bin/sort -u`
RETVAL=$?
test $RETVAL -eq 0 || exit 0

for c in $certs; do
  # Check whether a warning message is needed, then issue one if so.
  /usr/bin/certwatch $CERTWATCH_OPTS -q "$c" &&
    /usr/bin/certwatch $CERTWATCH_OPTS "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
done

And this is code for monitoring other certs not associated with Apache:

Code:

#!/bin/bash
#
# Issue warning e-mails if SSL certificates expire, using certwatch(1). 
# Based on the certwatch cron script from the CentOS crypto-tools package
#
#
[ -r /etc/sysconfig/httpd ] && . /etc/sysconfig/httpd
INCLUDE_CERTS='/etc/syslog-ng/etc/ca.d/*.pem /opt/syslog-ng/etc/cert.d/*.cert /opt/syslog-ng/etc/key.d/*.key
 
certs=`ls $INCLUDE_CERTS 2>/dev/null`
RETVAL=$?
test $RETVAL -eq 0 || exit 0
 
for c in $certs; do
  # Check whether a warning message is needed, then issue one if so.
  if [[ ! "$c" =~ ca-bundle ]]; then
    /usr/bin/certwatch $CERTWATCH_OPTS -q "$c" &&
    /usr/bin/certwatch $CERTWATCH_OPTS "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
  fi
done

unSpawn · 02-05-2013, 02:26 PM

Quote:

Originally Posted by lce411

Does anyone know how to test this

Something like

Code:

DAYS=256; PEM="/path/to/cert.pem"; certwatch -p $DAYS -q $PEM || echo "$PEM expires in $DAYS days."

(see 'man certwatch'.)

lce411 · 02-06-2013, 10:54 AM

Quote:

Originally Posted by unSpawn

Something like

Code:

DAYS=256; PEM="/path/to/cert.pem"; certwatch -p $DAYS -q $PEM || echo "$PEM expires in $DAYS days."

(see 'man certwatch'.)

Do you have any idea if this tool, or more specifically this script, will work with keys? I am ultimately trying to find something to notify me of expiring DNS keys and I assumed this would work. I tried the command you suggested and got no results.

unSpawn · 02-06-2013, 04:14 PM

Quote:

Originally Posted by lce411

I tried the command you suggested and got no results.

See 'man certwatch' then try w/o "-q"?

Quote:

Originally Posted by lce411

I am ultimately trying to find something to notify me of expiring DNS keys

Then check DNSSEC Checker. You can use it with Nagios too.

lce411 · 02-07-2013, 08:22 AM

Quote:

Originally Posted by unSpawn

See 'man certwatch' then try w/o "-q"?

Then check DNSSEC Checker. You can use it with Nagios too.

unSpawn,
Thanks for the help. Do you know of any documentation and/or install docs for DNSSEC checker? We do have Nagios in our environment, so if this tool will monitor DNS key expiration and integrate with Nagios, then it sounds like the way I should go with.

unSpawn · 02-07-2013, 08:39 AM

Tar balls commonly hold files like README and INSTALL or may even have a doc/ dir.