[转帖]检测证书过期脚本

前提

总是后知后觉，总是后知后觉。目前的现状是不论出现什么问题，都无法进行提前预警和在客户未知前介入处理。早上偶然和研发经理交流时突发灵感，写下此脚本，试图以此为开始进行提前的预警。

从生产k8s集群拿到test.cn的证书，在预发环境做daemon案例。

daemon案例

# pwd
/yufa/zhengshu/test
ll
total 32
-rw-r--r--  1 root  wheel   465B  9  9 09:50 test-ingress.yaml
-rw-r--r--  1 root  wheel   711B  9  9 09:47 test.yaml
-rw-r--r--  1 root  wheel   3.5K  9  9 09:24 tls.crt
-rw-r--r--  1 root  wheel   1.6K  9  9 09:25 tls.key
# kubectl -n test create secret tls test-cn --key ./tls.key --cert ./tls.crt
# cat test.yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: test
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  - name: ajp
    port: 8009
    targetPort: 8009

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:7-alpine
        ports:
        - name: httpd
          containerPort: 8080
        - name: ajp
          containerPort: 8009

# cat test-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: test
  annotations:
    kubernets.io/ingress.class: "kong"
spec:
  tls:
  - hosts:
    - "*.test.cn"        #与secret证书的域名需要保持一致
    secretName: test-cn   #secret证书的名称
  rules:
  - host: zisefeizhu.test.cn
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080

编写检测域名过期小脚本

话不多说直接怼脚本

# cat check_daemon.sh
#!/bin/bash
source /etc/profile

#定义邮件发送列表
maillist=(
  lixxxxn@rxxxxx.com
  #2xxxxxx860@qq.com
)

#发送邮件函数
send_mail(){
    SUBJECT="$1域名即将到期"
    if [ $2 -ge 0 ];then
        CONTENT="$1:此域名即将到期，剩余时间已不足$2天，请及时续期！"
        for mail in ${maillist[*]};do
            echo -e ""当前检测的域名:" $domain\n "剩余天数: " $days\n ${CONTENT} " | mail -s "${SUBJECT}" $mail
        done
    else
        day=$((-$2))
        CONTENT="$1:此域名已到期，已超出$day天，请及时续费！"
        for mail in ${maillist[*]};do
            echo -e "${CONTENT}" | mail -s "${SUBJECT}" $mail
        done
    fi
}

#检测mails命令是否存在，不存在则安装mail包
is_install_mail()
{
    which mail &> /dev/null
    if [ $? -ne 0 ];then
        yum install -y mail
    fi
}
is_install_mail

#定义需要被检测的域名列表
domainlist=(
   zisefeizhu.test.cn
)

#检测域名到期时间并通知
for domain in ${domainlist[*]};do
   echo "当前检测的域名：" $domain
    #取出域名过期时间
    end_time=$(echo | timeout 1 openssl s_client -servername $domain -connect $domain:443 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | awk -F '=' '{print $2}' )

    ([ $? -ne 0 ] || [[ $end_time == '' ]]) &&  exit 10
    end_times=`date -d "$end_time" +%s `
    tmp=`date -d today +"%Y-%m-%d %T"`
    current_times=`date -d "$tmp" +"%s"`

    let left_time=$end_times-$current_times
    days=`expr $left_time / 86400`
    echo "剩余天数: " $days

    #转换成时间戳
    end_times=`date -d "$end_time" +%s `
    #以时间戳的形式显示当前时间
    tmp=`date -d today +"%Y-%m-%d %T"`
    current_times=`date -d "$tmp" +"%s"`
    #域名到期剩余天数
    let left_time=$end_times-$current_times
    days=`expr $left_time / 86400`
    echo "剩余天数: " $days
    if [ $days -lt 100 ]; then
         echo "https 证书有效期少于100天，存在风险"
         send_mail $domain $days
    fi
done

发送邮件设置

获取网易云邮箱授权码

配置发送邮箱人信息

安装postfix
# yum -y install postfix
# systemctl enable postfix

设置发送邮箱信息
# vim /etc/mail.rc
......
新增
set from=1xxxxxx91@163.com
set smtp=smtp.163.com
set smtp-auth-user=1xxxxxx91@163.com
set smtp-auth-password=ZXUxxxxExxCSQ
set smtp-auth=login

# systemctl start postfix
# echo "test" |mail -s "tesc message" 23xxxxx60@qq.com  
could not connect: 连接超时
"/root/dead.letter" 11/308
. . . message not sent.

超时原因：阿里云服务器关闭了25端口，发送邮件连接不上服务器的缘故，而且官方不允许打开该端口

网易163免费邮箱相关服务器信息：

所以除了换邮箱之外（端口不是25的，要么是国外不好申请，要么收费，摸摸口袋…）

以网易163邮箱为例，使用SSL下的465端口

请求数字证书
# mkdir -p /root/.certs/
# echo -n | openssl s_client -connect smtp.163.com:465 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ~/.certs/163.crt
# certutil -A -n "GeoTrust SSL CA" -t "C,," -d ~/.certs -i ~/.certs/163.crt
# certutil -A -n "GeoTrust SSL CA - G3" -t "Pu,Pu,Pu" -d ./ -i 163.crt


修稿邮件发送人设置
# vim /etc/mail.rc
......
改增
set from=1xxxxxx91@163.com
set smtp=smtps://smtp.163.com:465
set smtp-auth-user=1xxxxxx91@163.com
set smtp-auth-password=ZXxxxGWRxxxCSQ
set smtp-auth=login
set ssl-verify=ignore
set nss-config-dir=/root/.certs

重启测试
# systemctl restart postfix
# echo "test" |mail -s "title" linkun@xxxxx.com

登陆邮箱验证

emmm。收到是收到了，但有个报错

证书不被信任，且命令行就此卡住，需要按键才能出现命令提示符
# Error in certificate: Peer's certificate issuer is not recognized.

处理此问题
# cd /root/.certs/
# ll 
总用量 80
-rw-r--r-- 1 root root  2415 9月   9 13:31 163.crt
-rw------- 1 root root 65536 9月   9 13:35 cert8.db
-rw------- 1 root root 16384 9月   9 13:35 key3.db
-rw------- 1 root root 16384 9月   9 13:31 secmod.db
# certutil -A -n "GeoTrust SSL CA - G3" -t "Pu,Pu,Pu" -d ./ -i 163.crt
问题解决

测试daemon案例

执行脚本

sh check_daemon.sh
当前检测的域名： zisefeizhu.test.cn
剩余天数:  73
剩余天数:  73
https 证书有效期少于100天，存在风险

验证

👌！

定时任务

# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
#Timing execution /root/scripts/check_daemon.sh
0 2  *  *  * root  sh /root/scripts/check_daemon.sh