检测证书过期脚本
前提
总是后知后觉,总是后知后觉。目前的现状是不论出现什么问题,都无法进行提前预警和在客户未知前介入处理。早上偶然和研发经理交流时突发灵感,写下此脚本,试图以此为开始进行提前的预警。
从生产k8s集群拿到test.cn的证书,在预发环境做daemon案例。
daemon案例
# pwd
/yufa/zhengshu/test
ll
total 32
-rw-r--r-- 1 root wheel 465B 9 9 09:50 test-ingress.yaml
-rw-r--r-- 1 root wheel 711B 9 9 09:47 test.yaml
-rw-r--r-- 1 root wheel 3.5K 9 9 09:24 tls.crt
-rw-r--r-- 1 root wheel 1.6K 9 9 09:25 tls.key
# kubectl -n test create secret tls test-cn --key ./tls.key --cert ./tls.crt
# cat test.yaml
apiVersion: v1
kind: Service
metadata:
name: tomcat
namespace: test
spec:
selector:
app: tomcat
release: canary
ports:
- name: http
port: 8080
targetPort: 8080
- name: ajp
port: 8009
targetPort: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tomcat-deploy
namespace: test
spec:
replicas: 1
selector:
matchLabels:
app: tomcat
release: canary
template:
metadata:
labels:
app: tomcat
release: canary
spec:
containers:
- name: tomcat
image: tomcat:7-alpine
ports:
- name: httpd
containerPort: 8080
- name: ajp
containerPort: 8009
# cat test-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: ingress-tomcat-tls
namespace: test
annotations:
kubernets.io/ingress.class: "kong"
spec:
tls:
- hosts:
- "*.test.cn" #与secret证书的域名需要保持一致
secretName: test-cn #secret证书的名称
rules:
- host: zisefeizhu.test.cn
http:
paths:
- path:
backend:
serviceName: tomcat
servicePort: 8080
编写检测域名过期小脚本
话不多说直接怼脚本
# cat check_daemon.sh
#!/bin/bash
source /etc/profile
#定义邮件发送列表
maillist=(
lixxxxn@rxxxxx.com
#2xxxxxx860@qq.com
)
#发送邮件函数
send_mail(){
SUBJECT="$1域名即将到期"
if [ $2 -ge 0 ];then
CONTENT="$1:此域名即将到期,剩余时间已不足$2天,请及时续期!"
for mail in ${maillist[*]};do
echo -e ""当前检测的域名:" $domain\n "剩余天数: " $days\n ${CONTENT} " | mail -s "${SUBJECT}" $mail
done
else
day=$((-$2))
CONTENT="$1:此域名已到期,已超出$day天,请及时续费!"
for mail in ${maillist[*]};do
echo -e "${CONTENT}" | mail -s "${SUBJECT}" $mail
done
fi
}
#检测mails命令是否存在,不存在则安装mail包
is_install_mail()
{
which mail &> /dev/null
if [ $? -ne 0 ];then
yum install -y mail
fi
}
is_install_mail
#定义需要被检测的域名列表
domainlist=(
zisefeizhu.test.cn
)
#检测域名到期时间并通知
for domain in ${domainlist[*]};do
echo "当前检测的域名:" $domain
#取出域名过期时间
end_time=$(echo | timeout 1 openssl s_client -servername $domain -connect $domain:443 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | awk -F '=' '{print $2}' )
([ $? -ne 0 ] || [[ $end_time == '' ]]) && exit 10
end_times=`date -d "$end_time" +%s `
tmp=`date -d today +"%Y-%m-%d %T"`
current_times=`date -d "$tmp" +"%s"`
let left_time=$end_times-$current_times
days=`expr $left_time / 86400`
echo "剩余天数: " $days
#转换成时间戳
end_times=`date -d "$end_time" +%s `
#以时间戳的形式显示当前时间
tmp=`date -d today +"%Y-%m-%d %T"`
current_times=`date -d "$tmp" +"%s"`
#域名到期剩余天数
let left_time=$end_times-$current_times
days=`expr $left_time / 86400`
echo "剩余天数: " $days
if [ $days -lt 100 ]; then
echo "https 证书有效期少于100天,存在风险"
send_mail $domain $days
fi
done
发送邮件设置
获取网易云邮箱授权码
配置发送邮箱人信息
安装postfix
# yum -y install postfix
# systemctl enable postfix
设置发送邮箱信息
# vim /etc/mail.rc
......
新增
set from=1xxxxxx91@163.com
set smtp=smtp.163.com
set smtp-auth-user=1xxxxxx91@163.com
set smtp-auth-password=ZXUxxxxExxCSQ
set smtp-auth=login
# systemctl start postfix
# echo "test" |mail -s "tesc message" 23xxxxx60@qq.com
could not connect: 连接超时
"/root/dead.letter" 11/308
. . . message not sent.
超时原因:阿里云服务器关闭了25端口,发送邮件连接不上服务器的缘故,而且官方不允许打开该端口
网易163免费邮箱相关服务器信息:
所以除了换邮箱之外(端口不是25的,要么是国外不好申请,要么收费,摸摸口袋…)
以网易163邮箱为例,使用SSL下的465端口
请求数字证书
# mkdir -p /root/.certs/
# echo -n | openssl s_client -connect smtp.163.com:465 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ~/.certs/163.crt
# certutil -A -n "GeoTrust SSL CA" -t "C,," -d ~/.certs -i ~/.certs/163.crt
# certutil -A -n "GeoTrust SSL CA - G3" -t "Pu,Pu,Pu" -d ./ -i 163.crt
修稿邮件发送人设置
# vim /etc/mail.rc
......
改增
set from=1xxxxxx91@163.com
set smtp=smtps://smtp.163.com:465
set smtp-auth-user=1xxxxxx91@163.com
set smtp-auth-password=ZXxxxGWRxxxCSQ
set smtp-auth=login
set ssl-verify=ignore
set nss-config-dir=/root/.certs
重启测试
# systemctl restart postfix
# echo "test" |mail -s "title" linkun@xxxxx.com
登陆邮箱验证
emmm。收到是收到了,但有个报错
证书不被信任,且命令行就此卡住,需要按键才能出现命令提示符
# Error in certificate: Peer's certificate issuer is not recognized.
处理此问题
# cd /root/.certs/
# ll
总用量 80
-rw-r--r-- 1 root root 2415 9月 9 13:31 163.crt
-rw------- 1 root root 65536 9月 9 13:35 cert8.db
-rw------- 1 root root 16384 9月 9 13:35 key3.db
-rw------- 1 root root 16384 9月 9 13:31 secmod.db
# certutil -A -n "GeoTrust SSL CA - G3" -t "Pu,Pu,Pu" -d ./ -i 163.crt
问题解决
测试daemon案例
执行脚本
sh check_daemon.sh
当前检测的域名: zisefeizhu.test.cn
剩余天数: 73
剩余天数: 73
https 证书有效期少于100天,存在风险
验证
👌!
定时任务
# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
#Timing execution /root/scripts/check_daemon.sh
0 2 * * * root sh /root/scripts/check_daemon.sh
过手如登山,一步一重天