Pages

2013年10月4日

【iPhone】Push通知証明書の期限切れ確認



期限切れのAPNs用pemファイルを更新し忘れました。

ので、今回はチェック用のcronを回すように設定。



SSLの証明書はopensslコマンドで有効期限を確認出来ます。
この有効期限を30日前になったらメールで通知してくれるように設定しました。


確認コマンドは下記サイトからコピーしてきました。
リンクを貼ろうと思ったのですが、
ブログを書いている時はサーバダウンしてました。

https://raim.codingfarm.de/blog/2013/03/07/checking-expiry-dates-of-local-and-remote-ssl-certificates/


下にコマンドをコピーしておきますので、
ssl-cert-checkと名付けて、実行権限を付けて保存して下さい。


保存したら、Jenkinsに、
/usr/local/share/ssl-cert-checker 30 "/path/to/certificate/"*.pem
のシェルを実行と設定。
crontabへ設定してもいいです。

これを1日に1回実行するように設定して下さい。
もし、cronで設定する場合には、MAILTO=を設定して下さい。

これで、Jenkinsのエラーと共に、
Push通知の更新期限が迫っている通知も飛んでくるようになりました。

#!/usr/bin/env bash
# vim: set fenc=utf-8:

# Copyright (c) 2013, Rainer Müller <raimue@codingfarm.de>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice, this
#    list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright notice,
#    this list of conditions and the following disclaimer in the documentation
#    and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

# Version 2013-03-07
# http://raim.codingfarm.de/blog/2013/03/07/checking-expiry-dates-of-local-and-remote-ssl-certificates/

#### Usage ####
#
# ./ssl-cert-check <days> <certspec1,certspec2,...>
#
# This tool will warn you if any of the specified certificates expires in the
# next <days> days.
#
# The first parameter is the number of days to warn in advance for expiring
# certificates. All following parameters are treated as certificate
# specifications and can be in one of the following formats:
#
#     - An absolute path to a x509 PEM certificate file
#       For example:
#         /etc/apache2/ssl/example.org.pem
#
#     - A file://<path> URI
#       For example:
#         file:///etc/apache2/ssl/example.org.pem
#
#     - A ssl://<host>:<port> URI
#       For example:
#         ssl://example.org:443
#
#     - A <proto>://<host>[:<port>] URI, this is the same as ssl://<host>:<proto>.
#       The real port number is usually looked up in /etc/services, note that
#       you often need the one with the 's' suffix, like "https", "imaps", etc.
#       For example:
#         https://example.org
#         imaps://example.org    (same as ssl://example.org:993)
#
#     - A <proto>+starttls://<host>[:<port>] URI
#       Use the STARTTLS command to start a in-protocol TLS session after
#       opening an unencrypted connection. The openssl s_client needs to
#       support this protocol. At time of this writing, the supported protocols
#       are "smtp", "pop3", "imap", "ftp" and "xmpp".
#       For example:
#         imap+starttls://example.org
#         smtp+starttls://example.org:587
#
# Example for your crontab:
#   MAILTO=root
#   6       6    * * *   nobody /usr/local/bin/ssl-cert-check 30 /etc/apache2/ssl/*.crt /etc/ssl/certs/dovecot.pem https://localhost ssl://localhost:465 smtp+startssl://localhost:587
#
#### #### ####

# First parameter specifies if certificate expire in the next X days
DAYS=$1
shift

if [[ ! $DAYS =~ ^[0-9]+$ ]]; then
    echo "Error: missing parameter <days> or invalid number" >&2
    exit 3
fi

if [ $BASH_VERSINFO -lt 4 ]; then
    echo "Error: this script requires bash >= 4.0" >&2
    exit 3
fi

# We need extended globbing
shopt -s extglob

exitcode=0

for cert in "$@"; do
    enddate=""

    # For ease of use, map any absolute path name to a file:// URL
    if [[ $cert =~ ^/(.*)$ ]]; then
        cert=file://$cert
    fi

    # Split URI into protocol and target
    if [[ $cert =~ ^(.*)://(.*)$ ]]; then
        proto=${BASH_REMATCH[1]}
        target=${BASH_REMATCH[2]}
    else
        echo "Error: invalid certificate specification: $cert" >&2
        if [ $exitcode -lt 2 ]; then
            exitcode=2
        fi
        continue
    fi

    port=""
    extra=""
    case $proto in
        file)
            enddate=$(openssl x509 -checkend $(( 86400 * $DAYS )) -enddate -in "$target")
            ;;
        !(ssl))
            # Handle special protocol definition for STARTTLS
            if [[ $proto =~ ^(.*)\+starttls$ ]]; then
                proto=${BASH_REMATCH[1]}
                extra="-starttls $proto"
            fi

            # If no port was given, use the default for this protocol
            if [[ ! $target =~ :[0-9]+$ ]]; then
                target+=:$proto
            fi

            # (intentional fallthrough)
            ;&
        ssl)
            # Retrieve certificate
            certificate=$(echo | openssl s_client -connect "$target" $extra 2>/dev/null \
                | sed -n -e '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
                    -e '/-----END CERTIFICATE-----/q')
            if [ "$certificate" == "" ]; then
                echo "Error: unable to check $cert" >&2
                if [ $exitcode -lt 2 ]; then
                    exitcode=2
                fi
                continue
            else
                # Extract notAfter date of validity
                enddate=$(echo "$certificate" | openssl x509 -checkend $(( 86400 * $DAYS )) -enddate)
            fi
            ;;
    esac

    if [[ $enddate =~ (.*)Certificate\ will\ expire ]]; then
        echo    "==> Certificate $cert is about to expire soon:"
        echo -n "    ${BASH_REMATCH[1]}"
        if [ $exitcode -lt 1 ]; then
            exitcode=1
        fi
    fi
done

exit $exitcode

0 件のコメント:

コメントを投稿