LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 02-05-2013, 01:27 PM   #1
lce411
Member
 
Registered: Jul 2012
Posts: 50

Rep: Reputation: Disabled
Certwatch for RHEL


I downloaded and installed crypto-utils via Yum, so that I could use the certwatch aspect of it. The cron job is designed to send an email only if an SSL cert is set to expire, which means I am having a hard time verifying if it was installed and configured correctly, since all my certs are new and current. Does anyone know how to test this, or maybe edit the cronjob so it sends an email even if no certs are set to expire? Below is the cronjob that is automatically created:
Code:
#!/bin/bash
#
# Issue warning e-mails if SSL certificates expire, using
# certwatch(1).  Set NOCERTWATCH=yes in /etc/sysconfig/httpd
# to disable.  Pass additional options to certwatch in the
# CERTWATCH_OPTS variable; see the man page for details.
#

[ -r /etc/sysconfig/httpd ] && . /etc/sysconfig/httpd

# Use configured httpd binary
httpd=${HTTPD-/usr/sbin/httpd}

# Sanity checks
test -z "${NOCERTWATCH}" || exit 0
test -x ${httpd} || exit 0
test -x /usr/bin/certwatch || exit 0
test -r /etc/httpd/conf/httpd.conf || exit 0
test -x /usr/sbin/sendmail || exit 0
test -x /etc/httpd/modules/mod_ssl.so || exit 0
test -x /bin/sort || exit 0

set -o pipefail # pick up exit code of httpd not sort

certs=`${httpd} ${OPTIONS} -t -DDUMP_CERTS 2>/dev/null | /bin/sort -u`
RETVAL=$?
test $RETVAL -eq 0 || exit 0

for c in $certs; do
  # Check whether a warning message is needed, then issue one if so.
  /usr/bin/certwatch $CERTWATCH_OPTS -q "$c" &&
    /usr/bin/certwatch $CERTWATCH_OPTS "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
done
And this is code for monitoring other certs not associated with Apache:
Code:
#!/bin/bash
#
# Issue warning e-mails if SSL certificates expire, using certwatch(1). 
# Based on the certwatch cron script from the CentOS crypto-tools package
#
#
[ -r /etc/sysconfig/httpd ] && . /etc/sysconfig/httpd
INCLUDE_CERTS='/etc/syslog-ng/etc/ca.d/*.pem /opt/syslog-ng/etc/cert.d/*.cert /opt/syslog-ng/etc/key.d/*.key
 
certs=`ls $INCLUDE_CERTS 2>/dev/null`
RETVAL=$?
test $RETVAL -eq 0 || exit 0
 
for c in $certs; do
  # Check whether a warning message is needed, then issue one if so.
  if [[ ! "$c" =~ ca-bundle ]]; then
    /usr/bin/certwatch $CERTWATCH_OPTS -q "$c" &&
    /usr/bin/certwatch $CERTWATCH_OPTS "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
  fi
done
 
Old 02-05-2013, 02:26 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592
Quote:
Originally Posted by lce411 View Post
Does anyone know how to test this
Something like
Code:
DAYS=256; PEM="/path/to/cert.pem"; certwatch -p $DAYS -q $PEM || echo "$PEM expires in $DAYS days."
(see 'man certwatch'.)
 
Old 02-06-2013, 10:54 AM   #3
lce411
Member
 
Registered: Jul 2012
Posts: 50

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
Something like
Code:
DAYS=256; PEM="/path/to/cert.pem"; certwatch -p $DAYS -q $PEM || echo "$PEM expires in $DAYS days."
(see 'man certwatch'.)
Do you have any idea if this tool, or more specifically this script, will work with keys? I am ultimately trying to find something to notify me of expiring DNS keys and I assumed this would work. I tried the command you suggested and got no results.
 
Old 02-06-2013, 04:14 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592
Quote:
Originally Posted by lce411 View Post
I tried the command you suggested and got no results.
See 'man certwatch' then try w/o "-q"?


Quote:
Originally Posted by lce411 View Post
I am ultimately trying to find something to notify me of expiring DNS keys
Then check DNSSEC Checker. You can use it with Nagios too.
 
Old 02-07-2013, 08:22 AM   #5
lce411
Member
 
Registered: Jul 2012
Posts: 50

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
See 'man certwatch' then try w/o "-q"?



Then check DNSSEC Checker. You can use it with Nagios too.
unSpawn,
Thanks for the help. Do you know of any documentation and/or install docs for DNSSEC checker? We do have Nagios in our environment, so if this tool will monitor DNS key expiration and integrate with Nagios, then it sounds like the way I should go with.
 
Old 02-07-2013, 08:39 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592Reputation: 3592
Tar balls commonly hold files like README and INSTALL or may even have a doc/ dir.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Upgrade to RHEL 5.3 from RHEL 4.4 only using the kernel rpm of RHEL 5.3 rhystech Red Hat 4 05-28-2012 10:01 PM
[SOLVED] file-5.05 breaking certwatch on current ulyx Slackware 1 02-10-2011 12:37 PM
upgrade RHEL 4.3 to RHEL 4.8 to fix CIFS bug - best practice? jaredk51 Linux - Enterprise 6 04-19-2010 05:35 AM
SELinux is preventing certwatch (certwatch_t) "write" to ./cache CZTY Linux - Software 3 09-12-2009 01:57 AM
Login problems with XDMCP from a pre-RHEL-4 client to a RHEL-4 server running KDE cspao Red Hat 0 07-21-2006 06:30 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 08:07 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration