Check SSL certificate expiry and send an email alert

A shell script can check when an SSL certificate expires.

The key command is:

curl -o /dev/null -m 10 --connect-timeout 10 -svIL https://www.baidu.com
[root@aliyun ~]# curl -o /dev/null -m 10 --connect-timeout 10 -svIL https://www.baidu.com
* About to connect() to www.baidu.com port 443 (#0)
*   Trying 14.215.177.38...
* Connected to www.baidu.com (14.215.177.38) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=baidu.com,O="Beijing Baidu Netcom Science Technology Co., Ltd",OU=service operation department,L=beijing,ST=beijing,C=CN
*       start date: May 09 01:22:02 2019 GMT
*       expire date: Jun 25 05:31:02 2020 GMT
*       common name: baidu.com
*       issuer: CN=GlobalSign Organization Validation CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.baidu.com
> Accept: */*
> 
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Connection: keep-alive
< Content-Length: 277
< Content-Type: text/html
< Date: Thu, 05 Dec 2019 15:10:53 GMT
< Etag: "575e1f72-115"
< Last-Modified: Mon, 13 Jun 2016 02:50:26 GMT
< Pragma: no-cache
< Server: bfe/1.0.8.18
< 
* Connection #0 to host www.baidu.com left intact
[root@aliyun ~]# 

Extract the key piece of information, the expiry date:

curl -o /dev/null -m 10 --connect-timeout 10 -svIL https://www.baidu.com 2>&1|grep "expire date:"|sed 's/*\s\+expire date:\s\+//'

[root@aliyun ~]# curl -o /dev/null -m 10 --connect-timeout 10 -svIL https://www.baidu.com 2>&1|grep "expire date:"|sed 's/*\s\+expire date:\s\+//'
Jun 25 05:31:02 2020 GMT
[root@aliyun ~]# 

Putting it together:

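#!/bin/bash
# author: licess
# website: https://lnmp.org

CheckDomains="example.com abc.com"   # space-separated list of domains
Alert_Email=""                       # leave empty to disable email alerts
Alert_Days="10"                      # alert this many days before expiry
Cur_Dir=$(dirname "$0")

Check()
{
    Cur_Time=$(date +%s)
    # Keep only the first "expire date:" line; -L can print one per redirect hop
    Expire_Date=$(curl -o /dev/null -m 10 --connect-timeout 10 -svIL "https://${Domain}" 2>&1|grep -m 1 "expire date:"|sed 's/*\s\+expire date:\s\+//')
    # An empty value would make date -d fall back to today, so skip the domain
    if [ -z "${Expire_Date}" ]; then
        echo "Domain:${Domain} could not read the certificate expire date"
        return 1
    fi
    Expire_Time=$(date -d "${Expire_Date}" +%s)
    Alert_Time=$((Expire_Time-Alert_Days*86400))
    Expire_Date_Read=$(date -d @"${Expire_Time}" "+%Y-%m-%d")
    echo "Domain:${Domain} Expire Date: ${Expire_Date_Read}"
    # Alert_Email is quoted so the test still works when it is empty
    if [ "${Cur_Time}" -ge "${Alert_Time}" ] && [ -n "${Alert_Email}" ]; then
        python "${Cur_Dir}/sendmail.py" "${Alert_Email}" "Domain: ${Domain} SSL Certificate Expire Notice" "Domain: ${Domain} SSL Certificate will expire on ${Expire_Date_Read}."
    fi
    sleep 2
}

# CheckDomains is a plain string; word splitting yields one domain per pass
for Domain in ${CheckDomains};do
    Check "${Domain}"
done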
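
The parsing and threshold logic of Check() in isolation, as an added example that is not part of the original script: it works on saved curl output, so the failure cases (no certificate line, certificate already expired) can be exercised offline. The function names and the SAMPLE text (constructed from the transcript above) are assumptions, and date -d requires GNU date.

```bash
#!/bin/bash
# SAMPLE is constructed from the curl transcript on this page.
SAMPLE='* Server certificate:
*       start date: May 09 01:22:02 2019 GMT
*       expire date: Jun 25 05:31:02 2020 GMT
*       common name: baidu.com'

# Print the first "expire date:" value in curl -v output; fail if absent.
# With -L every redirect hop prints its own certificate, and the first
# one belongs to the host that was requested.
extract_expire_date() {
    local line
    line=$(printf '%s\n' "$1" | grep -m 1 'expire date:') || return 1
    printf '%s\n' "$line" | sed 's/^.*expire date:[[:space:]]*//'
}

# seconds_left <date string> <now epoch>; fail on an empty or
# unparseable date instead of letting date fall back to "today".
seconds_left() {
    local expire_epoch
    [ -n "$1" ] || return 1
    expire_epoch=$(date -u -d "$1" +%s 2>/dev/null) || return 1
    echo $(( expire_epoch - $2 ))
}

# classify <curl output> <now epoch> <alert days>
# Prints OK, ALERT, EXPIRED or UNKNOWN (fetch or parse failure).
classify() {
    local expire left
    expire=$(extract_expire_date "$1") || { echo UNKNOWN; return 0; }
    left=$(seconds_left "$expire" "$2") || { echo UNKNOWN; return 0; }
    if [ "$left" -le 0 ]; then
        echo EXPIRED
    elif [ "$left" -le $(( $3 * 86400 )) ]; then
        echo ALERT
    else
        echo OK
    fi
}

# Demo run against the sample, using the current time and a 10-day window.
classify "$SAMPLE" "$(date +%s)" 10
```

Treating UNKNOWN as its own alert condition keeps a host that stops answering from passing silently as "not yet due".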

Call Python to send the email:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Uses only calls that behave the same on Python 2.6+ and Python 3.

import sys
import smtplib
from email.mime.text import MIMEText

mailTo = sys.argv[1]
mailSubject = sys.argv[2]
mailBodyText = sys.argv[3]
mailServer = 'smtp.163.com'
mailServerPort = 465
mailFrom = '[email protected]'
# placeholder; keep this file readable only by the user that runs the cron job
mailPassword = 'xxxxx'
mailAlias = 'Monitor'
# you can get smtp server and port from https://bbs.vpser.net/thread-13394-1-1.html


print(mailTo)
print(mailSubject)
print(mailBodyText)

msg = MIMEText(mailBodyText, 'plain', 'utf-8')
msg['To'] = mailTo
msg['From'] = '%s <%s>' % (mailAlias, mailFrom)
msg['Subject'] = mailSubject


session = smtplib.SMTP_SSL(mailServer, mailServerPort)
# session = smtplib.SMTP(mailServer, mailServerPort)
# session.set_debuglevel(1)
session.login(mailFrom, mailPassword)
# sendmail() returns a dict of refused recipients; empty means all were accepted
smtpResult = session.sendmail(mailFrom, mailTo, msg.as_string())
session.quit()

if smtpResult:
    errstr = ""
    for recip in smtpResult.keys():
        errstr = """Could not deliver mail to: %s
Server said: %s
%s
%s""" % (recip, smtpResult[recip][0], smtpResult[recip][1], errstr)
    # raise smtplib.SMTPException(errstr)
    print(errstr)
else:
    print('Message sent successfully.')


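In ssl_check.sh, CheckDomains is the list of domains, separated by spaces; Alert_Email is the address that receives the alert, and no email is sent if it is left empty; Alert_Days is how many days before expiry the alert is sent.

In sendmail.py, set mailServer to the address of your mail provider's SMTP server, mailServerPort to the SMTP server port, mailFrom to the mailbox address, and mailPassword to the mailbox password. Because many VPS providers now block port 25, the script sends over SSL by default. The SMTP server addresses and ports of the individual mail providers can be looked up on the "Common mail provider SMTP servers and ports" page.

Once the settings above are filled in, run /root/ssl_check.sh and check that it retrieves the expiry dates correctly.

If it works, add 0 5 * * * /root/ssl_check.sh to crontab so the check runs every day at 5 a.m.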
