OpenSSL

Print the contents of a certificate request (CSR)

 openssl req -noout -text -in csr.pem

Certificate for lighttpd SSL (key and self-signed certificate in one file)

openssl req -new -x509 \
  -keyout server.pem -out server.pem \
  -days 365 -nodes

Show a certificate's validity period

openssl x509 -noout -dates -in ca.pem

Generate a certificate request and private key

# openssl req -new -nodes -out req.pem -keyout cert.pem
Generating a 1024 bit RSA private key
................++++++
.......................................++++++
writing new private key to 'cert.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:PA
Locality Name (eg, city) []:Pittsburgh
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company
Organizational Unit Name (eg, section) []:Systems Administrator
Common Name (eg, YOUR name) []:localhost.example.org
Email Address []:trhodes@FreeBSD.org
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:SOME PASSWORD
An optional company name []:Another Name

Note that at the "Common Name" prompt we entered a domain name.

This prompt asks for the server's name, which will later be used to complete the verification process; if anything other than the server's domain name is entered here, the certificate loses its purpose.

You can also specify other options, such as the validity period of the certificate and the encryption algorithm to use. A complete list of these options can be found in the openssl(1) manual page.

Two files are generated in the directory where the above command was run. The certificate request, req.pem, can be sent to a certificate authority, which will verify the credentials you entered, sign the request and return the certificate.

The second file, cert.pem, contains the certificate's private key and must be protected at all costs; if it falls into someone else's hands, it can be used to impersonate the server.

Renewing the company website certificate

Renewing a VeriSign certificate requires a CSR file; create it with OpenSSL:

openssl req -new -nodes -keyout server.key -out server.csr
# enter the relevant information at the prompts

Check whether openssl is installed on the system

[root@server1 conf]# rpm -qa|grep openssl
openssl-0.9.7a-2
openssl-devel-0.9.7a-2

Generate the certificate files. First create an RSA private key named server.key

[root@server1 php-5.0.4]# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
............++++++
e is 65537 (0x10001)

Generate a certificate signing request (CSR) with server.key

#openssl req -new -key server.key -out server.csr
Country Name: two-letter country code
State or Province Name: province or state name
Locality Name: city name
Organization Name: company name
Organizational Unit Name: department name
Common Name: your name (for a server certificate this must be the server's host name, as noted above)
Email Address: e-mail address
The 'extra' attributes do not need to be entered.
This produces the server.csr file; keep it in a safe place.

Generate the self-signed certificate file server.crt.

openssl x509 -days 365 -req -in server.csr -signkey server.key -out server.crt

Copy them into Apache's conf directory. For safety, restrict their permissions:

chmod 400 server.*
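The key, certificate and permission steps above, run non-interactively, followed by the checks the text calls for: the CN must equal the server's host name, the key must be readable only by its owner, and the expiry window must be known. This is an added example, not code from the page, the FreeBSD handbook or the ssl-cert-check script; it assumes the openssl CLI is on PATH, uses req -x509 (as in the lighttpd section) instead of a separate CSR, and reuses the page's sample DN values.

```shell
#!/bin/sh
# Added example (not from the page): generate a self-signed server
# certificate the way the text describes, then verify CN, key mode and
# remaining validity before copying the files into Apache's conf directory.
# Assumed: openssl on PATH; "localhost.example.org" and the DN fields are
# the page's sample values.

# make_self_signed DIR HOST DAYS -> writes DIR/server.key and DIR/server.crt
make_self_signed() {
    dir=$1 host=$2 days=$3
    openssl req -new -x509 -sha256 -nodes -newkey rsa:2048 -days "$days" \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/C=US/ST=PA/L=Pittsburgh/O=My Company/CN=$host" 2>/dev/null
    # the page's "chmod 400 server.*" step: owner read-only, nobody else
    chmod 400 "$dir/server.key" "$dir/server.crt"
}

# cert_cn FILE -> prints the subject CN of a PEM certificate
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# cn_matches FILE HOST -> true only if the CN is exactly HOST
# (the text: anything but the server name makes the certificate useless)
cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# key_is_private FILE -> true only if the mode is exactly 0400
key_is_private() {
    [ -n "$(find "$1" -perm 0400 -print 2>/dev/null)" ]
}

# expires_within FILE DAYS -> true if the certificate expires within DAYS
# (openssl's -checkend returns 0 while the certificate outlives the window)
expires_within() {
    ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Demo run in a temporary directory
tmp=$(mktemp -d) || exit 1
make_self_signed "$tmp" localhost.example.org 365
if cn_matches "$tmp/server.crt" localhost.example.org; then
    echo "CN ok: $(cert_cn "$tmp/server.crt")"
else
    echo "CN mismatch: $(cert_cn "$tmp/server.crt")"
fi
key_is_private "$tmp/server.key" && echo "key mode ok (0400)"
if expires_within "$tmp/server.crt" 30; then
    echo "WARNING: certificate expires within 30 days"
else
    echo "certificate valid for more than 30 days"
fi
rm -rf "$tmp"
```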

Check the virtual host configuration

[root@server1 conf]# ../bin/apachectl -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80          dummy-host.example.com (/usr/local/apache22/conf/extra/httpd-vhosts.conf:27)
*:81          dummy-host2.example.com (/usr/local/apache22/conf/extra/httpd-vhosts.conf:36)
_default_:443          www.example.com (/usr/local/apache22/conf/extra/httpd-ssl.conf:74)
Syntax OK

Restart Apache

#service httpd restart

Check whether port 443 is being listened on

#netstat -an|grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN

Clients can now access the site over https.

Automatic SSL certificate expiry check (the ssl-cert-check script)

#!/bin/bash
#
# Program: SSL Certificate Check <ssl-cert-check>
#
# Source code home: http://prefetch.net/code/ssl-cert-check
#
# Author: Matty < matty91 at gmail dot com >
#
# Current Version: 3.20
#
# Revision History:
#
# Version 3.20
#   - Fixed a bug in certificate length checking -- Tim Nowaczyk
#
# Version 3.19
#   - Added check to verify the certificate retrieved is valid
#
# Version 3.18
#   - Add support for connecting to FTP servers -- Paul A Sand
#
# Version 3.17
#   - Add support for connecting to imap servers -- Joerg Pareigis
#
# Version 3.16
#   - Add support for connecting to the mail sbmission port -- Luis E. Munoz
#
# Version 3.15
#   - Adjusted the file checking logic to use the correct certificate -- Maciej Szudejko
#   - Add sbin to the default search paths for OpenBSD compatibility -- Alex Popov
#   - Use cut instead of substring processing to ensure compatibility -- Alex Popov
#
# Version 3.14
#   - Fixed the Common Name parser to handle DN's where the CN is not the last item
#     eg. EmailAddr -- Jason Brothers
#   - Added the ability to grab the serial number -- Jason Brothers
#   - Added the "-b" option to print results without a header -- Jason Brothers
#   - Added the "-v" option for certificate validation -- Jason Brothers
#
# Version 3.13
#   - Updated the subject line to include the hostname as well as
#     the common name embedded in the X509 certificate (if it's
#     available) -- idea proposed by Mike Burns
#
#  Version 3.12
#   - Updated the license to allow redistribution and modification
#
#  Version 3.11
#   - Added ability to comment out lines in files passed
#     to the "-f" option -- Brett Stauner
#   - Fixed comment next to file processing logic
#
#  Version 3.10
#   - Fixed POP3 port -- Simon Matter
#
#  Version 3.9
#    - Switched binary location logic to use which utility
#
#  Version 3.8
#    - Fixed display on 80 column displays
#    - Cleaned up the formatting
#
#  Version 3.7
#    - Fixed bug in NAGIOS tests -- Ben Allen
#
#  Version 3.6
#    - Added support for certificates stored in PKCS#12 databases -- Ken Gallo
#    - Cleaned up comments
#    - Adjusted variables to be more consistent
#
#  Version 3.5
#    - Added support for NAGIOS -- Quanah Gibson-Mount
#    - Added additional checks for mail -- Quanah Gibson-Mount
#    - Convert tabs to spaces -- Quanah Gibson-Mount
#    - Cleaned up usage() routine
#    - Added additional checks for openssl
#
#  Version 3.4
#   - Added a missing "{" to line 364 -- Ken Gallo
#   - Move mktemp to the start of the main body to avoid errors
#   - Adjusted default binary paths to make sure the script just works
#     w/ Solaris, BSD and Linux hosts
#
#  Version 3.3
#   - Added common name from X.509 certificate file to E-mail body / header -- Doug Curtis
#   - Fixed several documentation errors
#   - Use mktemp to create temporary files
#   - Convert printf, sed and awk to variables
#   - Check for printf, sed, awk and mktemp binaries
#   - Add additional logic to make sure mktemp returned a valid temporary file
#
#  Version 3.2
#   - Added option to list certificates in the file passed to "-f".
#
#  Version 3.1
#   - Added handling for starttls for smtp -- Marco Amrein
#   - Added handling for starttls for pop3 (without s) -- Marco Amrein
#   - Removed extra spacing at end of script
#
#  Version 3.0
#   - Added "-i" option to print certificate issuer
#   - Removed $0 from Subject line of outbound e-mails
#   - Fixed some typographical errors
#   - Removed redundant "-b" option
#
#  Version 2.0
#    - Fixed an issue with e-mails formatting incorrectly
#    - Added additional space to host column -- Darren-Perot Spruell
#    - Replaced GNU date dependency with CHRIS F. A. JOHNSON's
#      date2julian shell function. This routine can be found on
#      page 170 of Chris's book "Shell Scripting Recipes: A
#      Problem-Solution Approach," ISBN #1590594711. Julian function
#      was created based on a post to comp.unix.shell by Tapani Tarvainen.
#    - Cleaned up function descriptions
#    - Removed several lines of redundant code
#    - Adjusted the help message
#
#   Version 1.1
#    - Added "-c" flag to report expiration status of a PEM encoded
#      certificate -- Hampus Lundqvist
#    - Updated the prints messages to display the reason a connection
#      failed (connection refused, connection timeout, bad cert, etc)
#    - Updated the GNU date checking routines
#    - Added checks for each binary required
#    - Added checks for connection timeouts
#    - Added checks for GNU date
#    - Added a "-h" option
#    - Cleaned up the documentation
#
#  Version 1.0
#      Initial Release
#
# Last Updated: 11-10-2010
#
# Purpose:
#  ssl-cert-check checks to see if a digital certificate in X.509 format
#  has expired. ssl-cert-check can be run in interactive and batch mode,
#  and provides facilities to alarm if a certificate is about to expire.
#
# License:
#  Copyright (C) 2007 Ryan Matteson <matty91 at gmail dot com>
#  This program is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#  GNU General Public License for more details.
#
# Requirements:
#   Requires openssl
#
# Installation:
#   Copy the shell script to a suitable location
#
# Tested platforms:
#  -- Solaris 9 using /bin/bash
#  -- Solaris 10 using /bin/bash
#  -- OS X 10.4.2 using /bin/sh
#  -- OpenBSD using /bin/sh
#  -- FreeBSD using /bin/sh
#  -- Redhat advanced server 3.0MU3 using /bin/sh
#
# Usage:
#  Refer to the usage() sub-routine, or invoke ssl-cert-check
#  with the "-h" option.
#
# Examples:
#   Please refer to the following site for documentation and
#   examples:
#      http://prefetch.net/articles/checkcertificate.html
#
 
PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/ssl/bin:/usr/sfw/bin ; export PATH
 
# Who to page when an expired certificate is detected (cmdline: -e)
ADMIN="root"
 
# Number of days in the warning threshold  (cmdline: -x)
WARNDAYS=30
 
# If QUIET is set to TRUE, don't print anything on the console (cmdline: -q)
QUIET="FALSE"
 
# Don't send E-mail by default (cmdline: -a)
ALARM="FALSE"
 
# Don't run as a Nagios plugin by default (cmdline: -n)
NAGIOS="FALSE"
 
# NULL out the PKCSDBPASSWD variable for later use (cmdline: -k)
PKCSDBPASSWD=""
 
# Location of system binaries
AWK=$(which awk)
DATE=$(which date)
GREP=$(which grep)
OPENSSL=$(which openssl)
PRINTF=$(which printf)
SED=$(which sed)
MKTEMP=$(which mktemp)
 
if [ -f /usr/bin/mailx ]
then
    MAIL="/usr/bin/mailx"
else
    MAIL=$(which mail)
fi
 
# Return code used by nagios. Initialize to 0.
RETCODE=0
 
# Set the default umask to be somewhat restrictive
umask 077
 
#############################################################################
# Purpose: Convert a date from MONTH-DAY-YEAR to Julian format
# Acknowledgements: Code was adapted from examples in the book
#                   "Shell Scripting Recipes: A Problem-Solution Approach"
#                   ( ISBN 1590594711 )
# Arguments:
#   $1 -> Month (e.g., 06)
#   $2 -> Day   (e.g., 08)
#   $3 -> Year  (e.g., 2006)
#############################################################################
date2julian() {
 
    if [ "${1}" != "" ] && [ "${2}" != ""  ] && [ "${3}" != "" ]
    then
        ## Since leap years add a day at the end of February,
        ## calculations are done from 1 March 0000 (a fictional year)
        d2j_tmpmonth=$((12 * ${3} + ${1} - 3))
 
        ## If it is not yet March, the year is changed to the previous year
        d2j_tmpyear=$(( ${d2j_tmpmonth} / 12))
 
        ## The number of days from 1 March 0000 is calculated
        ## and the number of days from 1 Jan. 4713BC is added
        echo $(( (734 * ${d2j_tmpmonth} + 15) / 24
                 - 2 * ${d2j_tmpyear} + ${d2j_tmpyear}/4
                 - ${d2j_tmpyear}/100 + ${d2j_tmpyear}/400 + $2 + 1721119 ))
    else
        echo 0
    fi
}
 
#############################################################################
# Purpose: Convert a string month into an integer representation
# Arguments:
#   $1 -> Month name (e.g., Sep)
#############################################################################
getmonth()
{
    case ${1} in
        Jan) echo 1 ;;
        Feb) echo 2 ;;
        Mar) echo 3 ;;
        Apr) echo 4 ;;
        May) echo 5 ;;
        Jun) echo 6 ;;
        Jul) echo 7 ;;
        Aug) echo 8 ;;
        Sep) echo 9 ;;
        Oct) echo 10 ;;
        Nov) echo 11 ;;
        Dec) echo 12 ;;
          *) echo  0 ;;
    esac
}
 
#############################################################################
# Purpose: Calculate the number of seconds between two dates
# Arguments:
#   $1 -> Date #1
#   $2 -> Date #2
#############################################################################
date_diff()
{
    if [ "${1}" != "" ] &&  [ "${2}" != "" ]
    then
        echo $((${2} - ${1}))
    else
        echo 0
    fi
}
 
#####################################################################
# Purpose: Print a line with the expiration interval
# Arguments:
#   $1 -> Hostname
#   $2 -> TCP Port
#   $3 -> Status of certification (e.g., expired or valid)
#   $4 -> Date when certificate will expire
#   $5 -> Days left until the certificate will expire
#   $6 -> Issuer of the certificate
#####################################################################
prints()
{
    if [ "${QUIET}" != "TRUE" ] && [ "${ISSUER}" = "TRUE" ] && [ "${VALIDATION}" != "TRUE" ]
    then
        MIN_DATE=$(echo $4 | ${AWK} '{ print $1, $2, $4 }')
        ${PRINTF} "%-35s %-17s %-8s %-11s %-4s %-30s\n" "$1:$2" "$6" "$3" "$MIN_DATE" "$5"
 
    elif [ "${QUIET}" != "TRUE" ] && [ "${ISSUER}" = "TRUE" ] && [ "${VALIDATION}" == "TRUE" ]
    then
        ${PRINTF} "%-35s %-35s %-32s %-17s\n" "$1:$2" "$7" "$8" "$6"
 
    elif [ "${QUIET}" != "TRUE" ] && [ "${VALIDATION}" != "TRUE" ]
    then
        MIN_DATE=$(echo $4 | ${AWK} '{ print $1, $2, $4 }')
        ${PRINTF} "%-47s %-12s %-12s %-4s %-30s\n" "$1:$2" "$3" "$MIN_DATE" "$5"
 
    elif [ "${QUIET}" != "TRUE" ] && [ "${VALIDATION}" == "TRUE" ]
    then
        ${PRINTF} "%-35s %-35s %-32s\n" "$1:$2" "$7" "$8"
    fi
}
 
 
####################################################
# Purpose: Print a heading with the relevant columns
# Arguments:
#   None
####################################################
print_heading()
{
    if [ "${NOHEADER}" != "TRUE" ]
    then
       if [ "${QUIET}" != "TRUE" ] && [ "${ISSUER}" = "TRUE" ] && [ "${NAGIOS}" != "TRUE" ] && [ "${VALIDATION}" != "TRUE" ]
       then
           ${PRINTF} "\n%-35s %-17s %-8s %-11s %-4s\n" "Host" "Issuer" "Status" "Expires" "Days"
           echo "----------------------------------- ----------------- -------- ----------- ----"
 
       elif [ "${QUIET}" != "TRUE" ] && [ "${ISSUER}" = "TRUE" ] && [ "${NAGIOS}" != "TRUE" ] && [ "${VALIDATION}" == "TRUE" ]
       then
           ${PRINTF} "\n%-35s %-35s %-32s %-17s\n" "Host" "Common Name" "Serial #" "Issuer"
           echo "----------------------------------- ----------------------------------- -------------------------------- -----------------"
 
       elif [ "${QUIET}" != "TRUE" ] && [ "${NAGIOS}" != "TRUE" ] && [ "${VALIDATION}" != "TRUE" ]
       then
           ${PRINTF} "\n%-47s %-12s %-12s %-4s\n" "Host" "Status" "Expires" "Days"
           echo "----------------------------------------------- ------------ ------------ ----"
 
       elif [ "${QUIET}" != "TRUE" ] && [ "${NAGIOS}" != "TRUE" ] && [ "${VALIDATION}" == "TRUE" ]
       then
           ${PRINTF} "\n%-35s %-35s %-32s\n" "Host" "Common Name" "Serial #"
           echo "----------------------------------- ----------------------------------- --------------------------------"
        fi
    fi
}
 
 
##########################################
# Purpose: Describe how the script works
# Arguments:
#   None
##########################################
usage()
{
    echo "Usage: $0 [ -e email address ] [ -x days ] [-q] [-a] [-b] [-h] [-i] [-n] [-v]"
    echo "       { [ -s common_name ] && [ -p port] } || { [ -f cert_file ] } || { [ -c certificate file ] }"
    echo ""
    echo "  -a                : Send a warning message through E-mail"
    echo "  -b                : Will not print header"
    echo "  -c cert file      : Print the expiration date for the PEM or PKCS12 formatted certificate in cert file"
    echo "  -e E-mail address : E-mail address to send expiration notices"
    echo "  -f cert file      : File with a list of FQDNs and ports"
    echo "  -h                : Print this screen"
    echo "  -i                : Print the issuer of the certificate"
    echo "  -k password       : PKCS12 file password"
    echo "  -n                : Run as a Nagios plugin"
    echo "  -p port           : Port to connect to (interactive mode)"
    echo "  -s common name    : Server to connect to (interactive mode)"
    echo "  -q                : Don't print anything on the console"
    echo "  -v                : Only print validation data"
    echo "  -x days           : Certificate expiration interval (eg. if cert_date < days)"
    echo ""
}
 
 
##########################################################################
# Purpose: Connect to a server ($1) and port ($2) to see if a certificate
#          has expired
# Arguments:
#   $1 -> Server name
#   $2 -> TCP port to connect to
##########################################################################
check_server_status() {
 
 
 
    if [ "_${2}" = "_smtp" -o "_${2}" = "_25" ]
    then
        TLSFLAG="-starttls smtp"
 
    elif [ "_${2}" = "_ftp" -o "_${2}" = "_21" ]
    then
        TLSFLAG="-starttls ftp"
 
    elif [ "_${2}" = "_pop3" -o "_${2}" = "_110" ]
    then
        TLSFLAG="-starttls pop3"
 
    elif [ "_${2}" = "_imap" -o "_${2}" = "_143" ]
    then
        TLSFLAG="-starttls imap"
 
    elif [ "_${2}" = "_submission" -o "_${2}" = "_587" ]
    then
        TLSFLAG="-starttls smtp -port ${2}"
    else
        TLSFLAG=""
    fi
 
    echo "" | ${OPENSSL} s_client -connect ${1}:${2} ${TLSFLAG} 2> ${ERROR_TMP} 1> ${CERT_TMP}
 
    if ${GREP} -i  "Connection refused" ${ERROR_TMP} > /dev/null
    then
        prints ${1} ${2} "Connection refused" "Unknown"
 
    elif ${GREP} -i "gethostbyname failure" ${ERROR_TMP} > /dev/null
    then
        prints ${1} ${2} "Cannot resolve domain" "Unknown"
 
    elif ${GREP} -i "Operation timed out" ${ERROR_TMP} > /dev/null
    then
        prints ${1} ${2} "Operation timed out" "Unknown"
 
    elif ${GREP} -i "ssl handshake failure" ${ERROR_TMP} > /dev/null
    then
        prints ${1} ${2} "SSL handshake failed" "Unknown"
 
    elif ${GREP} -i "connect: Connection timed out" ${ERROR_TMP} > /dev/null
    then
        prints ${1} ${2} "Connection timed out" "Unknown"
 
    else
        check_file_status ${CERT_TMP} $1 $2
    fi
}
 
#####################################################
### Check the expiration status of a certificate file
### Accepts three parameters:
###  $1 -> certificate file to process
###  $2 -> Server name
###  $3 -> Port number of certificate
#####################################################
check_file_status() {
 
    CERTFILE=${1}
    HOST=${2}
    PORT=${3}
 
    ### Check to make sure the certificate file exists
    if [ ! -r ${CERTFILE} ] || [ -z ${CERTFILE} ]
    then
        echo "ERROR: The file named ${CERTFILE} is unreadable or doesn't exist"
        echo "ERROR: Please check to make sure the certificate for ${HOST}:${PORT} is valid"
        RETCODE=1
        return
    fi
 
    ### Grab the expiration date from the X.509 certificate
    if [ "${PKCSDBPASSWD}" != "" ]
    then
        # Extract the certificate from the PKCS#12 database, and
        # send the informational message to /dev/null
        ${OPENSSL} pkcs12 -nokeys -in ${CERTFILE} \
                  -out ${CERT_TMP} -password pass:${PKCSDBPASSWD} 2> /dev/null
 
        # Extract the expiration date from the certificate
        CERTDATE=$(${OPENSSL} x509 -in ${CERT_TMP} -enddate -noout | \
                 ${SED} 's/notAfter\=//')
 
        # Extract the issuer from the certificate
        CERTISSUER=$(${OPENSSL} x509 -in ${CERT_TMP} -issuer -noout | \
                    ${AWK} 'BEGIN {RS="/" } $0 ~ /^O=/ \
                                  { print substr($0,3,17)}')
 
        ### Grab the common name (CN) from the X.509 certificate
        COMMONNAME=$(${OPENSSL} x509 -in ${CERT_TMP} -subject -noout | \
                   ${SED} -e 's/.*CN=//' | \
                   ${SED} -e 's/\/.*//')
 
    ### Grab the serial number from the X.509 certificate
        SERIAL=$(${OPENSSL} x509 -in ${CERT_TMP} -serial -noout | \
                   ${SED} -e 's/serial=//')
    else
        # Extract the expiration date from the certificate
        CERTDATE=$(${OPENSSL} x509 -in ${CERTFILE} -enddate -noout | \
                 ${SED} 's/notAfter\=//')
 
        # Extract the issuer from the certificate
        CERTISSUER=$(${OPENSSL} x509 -in ${CERTFILE} -issuer -noout | \
                   ${AWK} 'BEGIN {RS="/" } $0 ~ /^O=/ { print substr($0,3,17)}')
 
        ### Grab the common name (CN) from the X.509 certificate
        COMMONNAME=$(${OPENSSL} x509 -in ${CERTFILE} -subject -noout | \
                   ${SED} -e 's/.*CN=//' | \
                   ${SED} -e 's/\/.*//')
    ### Grab the serial number from the X.509 certificate
        SERIAL=$(${OPENSSL} x509 -in ${CERTFILE} -serial -noout | \
                   ${SED} -e 's/serial=//')
    fi
 
    ### Split the result into parameters, and pass the relevant pieces to date2julian
    set -- ${CERTDATE}
    MONTH=$(getmonth ${1})
 
    # Convert the date to seconds, and get the diff between NOW and the expiration date
    CERTJULIAN=$(date2julian ${MONTH#0} ${2#0} ${4})
    CERTDIFF=$(date_diff ${NOWJULIAN} ${CERTJULIAN})
 
    if [ ${CERTDIFF} -lt 0 ]
    then
        if [ "${ALARM}" = "TRUE" ]
        then
            echo "The SSL certificate for ${HOST} \"(CN: ${COMMONNAME})\" has expired!" \
                 | ${MAIL} -s "Certificate for ${HOST} \"(CN: ${COMMONNAME})\" has expired!" ${ADMIN}
        fi
 
        prints ${HOST} ${PORT} "Expired" "${CERTDATE}" "${CERTDIFF}" "${CERTISSUER}" "${COMMONNAME}" "${SERIAL}"
        RETCODE=2
 
    elif [ ${CERTDIFF} -lt ${WARNDAYS} ]
    then
        if [ "${ALARM}" = "TRUE" ]
        then
            echo "The SSL certificate for ${HOST} \"(CN: ${COMMONNAME})\" will expire on ${CERTDATE}" \
                 | ${MAIL} -s "Certificate for ${HOST} \"(CN: ${COMMONNAME})\" will expire in ${WARNDAYS}-days or less" ${ADMIN}
        fi
        prints ${HOST} ${PORT} "Expiring" "${CERTDATE}" "${CERTDIFF}" "${CERTISSUER}" "${COMMONNAME}" "${SERIAL}"
        RETCODE=1
 
    else
        prints ${HOST} ${PORT} "Valid" "${CERTDATE}" "${CERTDIFF}" "${CERTISSUER}" "${COMMONNAME}" "${SERIAL}"
        RETCODE=0
    fi
}
 
#################################
### Start of main program
#################################
while getopts abinve:f:c:hk:p:s:qx: option
do
    case "${option}"
    in
        a) ALARM="TRUE";;
        b) NOHEADER="TRUE";;
        c) CERTFILE=${OPTARG};;
        e) ADMIN=${OPTARG};;
        f) SERVERFILE=$OPTARG;;
        h) usage
           exit 1;;
        i) ISSUER="TRUE";;
        k) PKCSDBPASSWD=${OPTARG};;
        n) NAGIOS="TRUE";;
        p) PORT=$OPTARG;;
        s) HOST=$OPTARG;;
        q) QUIET="TRUE";;
        v) VALIDATION="TRUE";;
        x) WARNDAYS=$OPTARG;;
       \?) usage
           exit 1;;
    esac
done
 
### Check to make sure a openssl utility is available
if [ ! -f ${OPENSSL} ]
then
    echo "ERROR: The openssl binary does not exist in ${OPENSSL}."
    echo "FIX: Please modify the \${OPENSSL} variable in the program header."
    exit 1
fi
 
### Check to make sure a date utility is available
if [ ! -f ${DATE} ]
then
    echo "ERROR: The date binary does not exist in ${DATE} ."
    echo "FIX: Please modify the \${DATE} variable in the program header."
    exit 1
fi
 
### Check to make sure a grep utility is available
if [ ! -f ${GREP} ]
then
    echo "ERROR: The grep binary does not exist in ${GREP} ."
    echo "FIX: Please modify the \${GREP} variable in the program header."
    exit 1
fi
 
### Check to make sure the mktemp and printf utilities are available
if [ ! -f ${MKTEMP} ] || [ ! -f ${PRINTF} ]
then
    echo "ERROR: Unable to locate the mktemp or printf binary."
    echo "FIX: Please modify the \${MKTEMP} and \${PRINTF} variables in the program header."
    exit 1
fi
 
### Check to make sure the sed and awk binaries are available
if [ ! -f ${SED} ] || [ ! -f ${AWK} ]
then
    echo "ERROR: Unable to locate the sed or awk binary."
    echo "FIX: Please modify the \${SED} and \${AWK} variables in the program header."
    exit 1
fi
 
### Check to make sure a mail client is available if automated notifications are requested
if [ "${ALARM}" = "TRUE" ] && [ ! -f ${MAIL} ]
then
    echo "ERROR: You enabled automated alerts, but the mail binary could not be found."
    echo "FIX: Please modify the ${MAIL} variable in the program header."
    exit 1
fi
 
# Place to stash temporary files
CERT_TMP=$($MKTEMP  /var/tmp/cert.XXXXXX)
ERROR_TMP=$($MKTEMP /var/tmp/error.XXXXXX)
 
### Baseline the dates so we have something to compare to
MONTH=$(${DATE} "+%m")
DAY=$(${DATE} "+%d")
YEAR=$(${DATE} "+%Y")
NOWJULIAN=$(date2julian ${MONTH#0} ${DAY#0} ${YEAR})
 
### Touch the files prior to using them
if [ ! -z "${CERT_TMP}" ] && [ ! -z "${ERROR_TMP}" ]
then
    touch ${CERT_TMP} ${ERROR_TMP}
else
    echo "ERROR: Problem creating temporary files"
    echo "FIX: Check that mktemp works on your system"
    exit 1
fi
 
### If a HOST and PORT were passed on the cmdline, use those values
if [ "${HOST}" != "" ] && [ "${PORT}" != "" ]
then
    print_heading
    check_server_status "${HOST}" "${PORT}"
 
### If a file is passed to the "-f" option on the command line, check
### each certificate or server / port combination in the file to see if
### they are about to expire
elif [ -f "${SERVERFILE}" ]
then
    print_heading
    while read HOST PORT
    do
        if [ "`echo ${HOST} | cut -c1`" = "#" ]
        then
            :
        elif [ "$PORT" = "FILE" ]
        then
            check_file_status ${HOST} "FILE" "${HOST}"
        else
            check_server_status "${HOST}" "${PORT}"
        fi
 
    done < ${SERVERFILE}
 
### Check to see if the certificate in CERTFILE is about to expire
elif [ "${CERTFILE}" != "" ]
then
    print_heading
    check_file_status ${CERTFILE} "FILE"  "${CERTFILE}"
 
### There was an error, so print a detailed usage message and exit
else
    usage
    exit 1
fi
 
### Remove the temporary files
rm -f ${CERT_TMP} ${ERROR_TMP}
 
### Exit with a success indicator
if [ "${NAGIOS}" = "TRUE" ]; then
    exit $RETCODE
else
    exit 0
fi
Last modified: 2012/09/07 09:21 (external edit)
License: CC Attribution-Noncommercial-Share Alike 3.0 Unported