rubysecurity.org

Anecdotes from a Linux Systems Administrator. /root

Home About Books Blog Portfolio Archive
    4 June 2015

    Automated SSL certificate expiration check

    by Alpha01

    It is quite simple to automate checking for near expiring SSL certificates in CentOS. This is accomplished using the certwatch tool. This tool is part of the crypto-utils package.

    yum install crypto-utils
``

Installing `crypto-utils`, will create the following cron job, `/etc/cron.daily/certwatch`. By default the `/etc/cron.daily/certwatch` script only checks for SSL certificates loaded by Apache (`httpd -t -DDUMP_CERTS`). So Apache users don't have to do any additional config changes to in order to  automate the check of near expiring SSL certificates.

Since in https://www.rubysecurity.org I use Nginx as a SSL termination proxy for an Apache backend webapp on a different machine. I had to manually update the `/etc/cron.daily/certwatch` script to point to my SSL certificates directly.

```bash
#certs=`${httpd} ${OPTIONS} -t -DDUMP_CERTS 2>/dev/null | /bin/sort -u`
INCLUDE_CERTS='/etc/nginx/certs/*.crt'
certs=`ls $INCLUDE_CERTS 2>/dev/null`

    Here is an example of an expired SSL certificate alert

    [root@rubyninja certs]# certwatch /etc/nginx/certs/www.rubysecurity.org_2014/www.rubysecurity.org.crt
To: root
Subject: The certificate for www.rubysecurity.org has expired

 ################# SSL Certificate Warning ################

  Certificate for hostname 'www.rubysecurity.org', in file (or by nickname):
     /etc/nginx/certs/www.rubysecurity.org_2014/www.rubysecurity.org.crt

  The certificate needs to be renewed; this can be done
  using the 'genkey' program.

  Browsers will not be able to correctly connect to this
  web site using SSL until the certificate is renewed.

 ##########################################################
                                  Generated by certwatch(1)

    certwatch is far from perfect. It doesn’t have any verbose output when doing a check, it solely relies on its exit status to verify if the check was successful. Excerpt from the man page is somewthat appalling.

    DIAGNOSTICS
       The exit code indicates the state of the certificate:

       0
           The certificate is outside its validity period, or approaching expiry

       1
           The certificate is inside its validity period, or could not be parsed
    Tags: [ centos monitoring ]