Check SSL certificate expiry and send an email alert

A shell script can check when an SSL certificate expires.

The key command is:

curl -o /dev/null -m 10 --connect-timeout 10 -svIL https://www.baidu.com
[root@aliyun ~]# curl -o /dev/null -m 10 --connect-timeout 10 -svIL https://www.baidu.com
* About to connect() to www.baidu.com port 443 (#0)
*   Trying 14.215.177.38...
* Connected to www.baidu.com (14.215.177.38) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=baidu.com,O="Beijing Baidu Netcom Science Technology Co., Ltd",OU=service operation department,L=beijing,ST=beijing,C=CN
*       start date: May 09 01:22:02 2019 GMT
*       expire date: Jun 25 05:31:02 2020 GMT
*       common name: baidu.com
*       issuer: CN=GlobalSign Organization Validation CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.baidu.com
> Accept: */*
> 
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Connection: keep-alive
< Content-Length: 277
< Content-Type: text/html
< Date: Thu, 05 Dec 2019 15:10:53 GMT
< Etag: "575e1f72-115"
< Last-Modified: Mon, 13 Jun 2016 02:50:26 GMT
< Pragma: no-cache
< Server: bfe/1.0.8.18
< 
* Connection #0 to host www.baidu.com left intact
[root@aliyun ~]# 

Extract the key information, the expiry date:

curl -o /dev/null -m 10 --connect-timeout 10 -svIL https://www.baidu.com 2>&1|grep "expire date:"|sed 's/*\s\+expire date:\s\+//'

[root@aliyun ~]# curl -o /dev/null -m 10 --connect-timeout 10 -svIL https://www.baidu.com 2>&1|grep "expire date:"|sed 's/*\s\+expire date:\s\+//'
Jun 25 05:31:02 2020 GMT
[root@aliyun ~]# 

Putting the code together

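#!/bin/bash
# author: licess
# website: https://lnmp.org

CheckDomains="example.com abc.com"   # space-separated list of domains to check
Alert_Email=""                        # alert recipient; leave empty to disable email alerts
Alert_Days="10"                       # start alerting this many days before expiry
Cur_Dir=$(dirname "$0")

Check()
{
    Cur_Time=$(date +%s)
    # Take the first "expire date:" line from curl's verbose TLS output
    # (with -L a redirect to another host prints a second certificate).
    Expire_Date=$(curl -o /dev/null -m 10 --connect-timeout 10 -svIL "https://${Domain}" 2>&1|grep "expire date:"|head -n 1|sed 's/*\s\+expire date:\s\+//')
    # An empty value means the connection or TLS handshake failed;
    # date -d "" would silently return today's date instead.
    if [ -z "${Expire_Date}" ]; then
        echo "Domain:${Domain} could not read the certificate expiry date"
        return 1
    fi
    Expire_Time=$(date -d "${Expire_Date}" +%s)
    Alert_Time=$((${Expire_Time}-${Alert_Days}*86400))
    Expire_Date_Read=$(date -d @${Expire_Time} "+%Y-%m-%d")
    echo "Domain:${Domain} Expire Date: ${Expire_Date_Read}"
    # -n keeps the test valid when Alert_Email is empty
    if [ ${Cur_Time} -ge ${Alert_Time} ] && [ -n "${Alert_Email}" ] ; then
        python ${Cur_Dir}/sendmail.py "${Alert_Email}" "Domain: ${Domain} SSL Certificate Expire Notice" "Domain: ${Domain} SSL Certificate will expire on ${Expire_Date_Read}."
    fi
    sleep 2
}

for Domain in ${CheckDomains};do
    Check ${Domain}
done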

Call Python to send the email

#! /usr/bin/env python
# -*- coding: utf-8 -*-
# Usage: sendmail.py <to> <subject> <body>   (runs on Python 2.5+ and Python 3)

import sys, smtplib
from email.mime.text import MIMEText

mailTo = sys.argv[1]
mailSubject = sys.argv[2]
mailBodyText = sys.argv[3]
mailServer = 'smtp.163.com'
mailServerPort = 465
mailFrom = '[email protected]'
mailPassword = 'xxxxx'
mailAlias = 'Monitor'
#you can get smtp server and port from https://bbs.vpser.net/thread-13394-1-1.html


print(mailTo)
print(mailSubject)
print(mailBodyText)

# Build a plain-text UTF-8 message
msg = MIMEText(mailBodyText, 'plain', 'utf-8')
msg['To'] = mailTo
msg['From'] = '%s <%s>' % (mailAlias, mailFrom)
msg['Subject'] = mailSubject


# Connect over implicit TLS (SMTPS); port 25 is often blocked
session = smtplib.SMTP_SSL(mailServer, mailServerPort)
#session = smtplib.SMTP(mailServer,mailServerPort)
#session.set_debuglevel(1)
session.login(mailFrom, mailPassword)
# sendmail() returns a dict of refused recipients; empty means all were accepted
smtpResult = session.sendmail(mailFrom, mailTo, msg.as_string())
session.quit()

if smtpResult:
    errstr = ""
    for recip in smtpResult.keys():
        errstr = """Could not deliver mail to: %s
Server said: %s
%s
%s""" % (recip, smtpResult[recip][0], smtpResult[recip][1], errstr)
    #raise smtplib.SMTPException, errstr
    print(errstr)
else:
    print('Message sent successfully.')


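In ssl_check.sh, CheckDomains is the list of domains, separated by spaces; Alert_Email is the address to notify (leave it empty and no email is sent); Alert_Days is how many days before expiry the alert starts.

In sendmail.py, set mailServer to the address of your mailbox's SMTP server, mailServerPort to the SMTP server port, mailFrom to the mailbox address, and mailPassword to the mailbox password. Because many VPS providers now block port 25, the script sends over SSL by default. The SMTP server addresses and ports of the various mail providers can be looked up on the "SMTP server and port lookup for common mail providers" page.

Once the settings above are filled in, run /root/ssl_check.sh and see whether it retrieves the expiry dates correctly.

If everything works, add 0 5 * * * /root/ssl_check.sh to crontab so that the check runs every day at 5 a.m.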
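
An added example, not part of the original post: the same expiry check in Python, reading notAfter directly from a verified TLS handshake instead of scraping curl's verbose output, so an unreachable host or a certificate that fails verification gets its own status rather than an empty date. The function names and status strings are assumptions of this example.

```python
import socket
import ssl
import time

DAY = 86400


def fetch_not_after(host, port=443, timeout=10):
    """Return notAfter of the verified peer certificate, e.g. 'Jun 25 05:31:02 2020 GMT'."""
    ctx = ssl.create_default_context()  # verifies chain, validity period and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def classify(not_after, alert_days=10, now=None):
    """Map a notAfter string to (status, whole days left); alert_days mirrors Alert_Days."""
    try:
        expires = ssl.cert_time_to_seconds(not_after or "")
    except ValueError:
        return ("unknown", None)  # empty or unparseable date: never guess one
    remaining = expires - (time.time() if now is None else now)
    days = int(remaining // DAY)
    if remaining < 0:
        return ("expired", days)
    if remaining <= alert_days * DAY:
        return ("alert", days)
    return ("ok", days)


def check(host, alert_days=10):
    """Check one host; connection and verification failures get their own status."""
    try:
        return classify(fetch_not_after(host), alert_days)
    except ssl.SSLCertVerificationError:
        return ("invalid", None)  # expired, untrusted chain or hostname mismatch
    except OSError:
        return ("unreachable", None)  # DNS failure, timeout, refused, other TLS error


if __name__ == "__main__":
    import sys
    for domain in sys.argv[1:]:
        print(domain, *check(domain))
```

Any status other than "ok" is worth an alert; "invalid" and "unreachable" are the cases in which the curl pipeline produces no expiry date at all.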


Reposted from blog.csdn.net/diyiday/article/details/103414169