檢測證書過期腳本

前提

總是後知後覺，總是後知後覺。目前的現狀是不論出現什麼問題，都無法進行提前預警和在客戶未知前介入處理。早上偶然和研發經理交流時突發靈感，寫下此腳本，試圖以此為開始進行提前的預警。

從生産k8s叢集拿到test.cn的證書，在預發環境做daemon案例。

daemon案例

# pwd
/yufa/zhengshu/test
ll
total 32
-rw-r--r--  1 root  wheel   465B  9  9 09:50 test-ingress.yaml
-rw-r--r--  1 root  wheel   711B  9  9 09:47 test.yaml
-rw-r--r--  1 root  wheel   3.5K  9  9 09:24 tls.crt
-rw-r--r--  1 root  wheel   1.6K  9  9 09:25 tls.key
# kubectl -n test create secret tls test-cn --key ./tls.key --cert ./tls.crt
# cat test.yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: test
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  - name: ajp
    port: 8009
    targetPort: 8009

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:7-alpine
        ports:
        - name: httpd
          containerPort: 8080
        - name: ajp
          containerPort: 8009

# cat test-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: test
  annotations:
    kubernets.io/ingress.class: "kong"
spec:
  tls:
  - hosts:
    - "*.test.cn"        #與secret證書的域名需要保持一緻
    secretName: test-cn   #secret證書的名稱
  rules:
  - host: zisefeizhu.test.cn
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
           

編寫檢測域名過期小腳本

話不多說直接怼腳本

# cat check_daemon.sh
#!/bin/bash
source /etc/profile

#定義郵件發送清單
maillist=(
  [email protected]
  #[email protected]
)

#發送郵件函數
send_mail(){
    SUBJECT="$1域名即将到期"
    if [ $2 -ge 0 ];then
        CONTENT="$1:此域名即将到期，剩餘時間已不足$2天，請及時續期！"
        for mail in ${maillist[*]};do
            echo -e ""目前檢測的域名:" $domain\n "剩餘天數: " $days\n ${CONTENT} " | mail -s "${SUBJECT}" $mail
        done
    else
        day=$((-$2))
        CONTENT="$1:此域名已到期，已超出$day天，請及時續費！"
        for mail in ${maillist[*]};do
            echo -e "${CONTENT}" | mail -s "${SUBJECT}" $mail
        done
    fi
}

#檢測mails指令是否存在，不存在則安裝mail包
is_install_mail()
{
    which mail &> /dev/null
    if [ $? -ne 0 ];then
        yum install -y mail
    fi
}
is_install_mail

#定義需要被檢測的域名清單
domainlist=(
   zisefeizhu.test.cn
)

#檢測域名到期時間并通知
for domain in ${domainlist[*]};do
   echo "目前檢測的域名：" $domain
    #取出域名過期時間
    end_time=$(echo | timeout 1 openssl s_client -servername $domain -connect $domain:443 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | awk -F '=' '{print $2}' )

    ([ $? -ne 0 ] || [[ $end_time == '' ]]) &&  exit 10
    end_times=`date -d "$end_time" +%s `
    tmp=`date -d today +"%Y-%m-%d %T"`
    current_times=`date -d "$tmp" +"%s"`

    let left_time=$end_times-$current_times
    days=`expr $left_time / 86400`
    echo "剩餘天數: " $days

    #轉換成時間戳
    end_times=`date -d "$end_time" +%s `
    #以時間戳的形式顯示目前時間
    tmp=`date -d today +"%Y-%m-%d %T"`
    current_times=`date -d "$tmp" +"%s"`
    #域名到期剩餘天數
    let left_time=$end_times-$current_times
    days=`expr $left_time / 86400`
    echo "剩餘天數: " $days
    if [ $days -lt 100 ]; then
         echo "https 證書有效期少于100天，存在風險"
         send_mail $domain $days
    fi
done
           

發送郵件設定

擷取網易雲郵箱授權碼

配置發送郵箱人資訊

安裝postfix
# yum -y install postfix
# systemctl enable postfix

設定發送郵箱資訊
# vim /etc/mail.rc
......
新增
set [email protected]
set smtp=smtp.163.com
set [email protected]
set smtp-auth-password=ZXUxxxxExxCSQ
set smtp-auth=login

# systemctl start postfix
# echo "test" |mail -s "tesc message" [email protected]  
could not connect: 連接配接逾時
"/root/dead.letter" 11/308
. . . message not sent.

逾時原因：阿裡雲伺服器關閉了25端口，發送郵件連接配接不上伺服器的緣故，而且官方不允許打開該端口
           

網易163免費郵箱相關伺服器資訊：

是以除了換郵箱之外（端口不是25的，要麼是國外不好申請，要麼收費，摸摸口袋…）

以網易163郵箱為例，使用SSL下的465端口

請求數字證書
# mkdir -p /root/.certs/
# echo -n | openssl s_client -connect smtp.163.com:465 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ~/.certs/163.crt
# certutil -A -n "GeoTrust SSL CA" -t "C,," -d ~/.certs -i ~/.certs/163.crt
# certutil -A -n "GeoTrust SSL CA - G3" -t "Pu,Pu,Pu" -d ./ -i 163.crt


修稿郵件發送人設定
# vim /etc/mail.rc
......
改增
set [email protected]
set smtp=smtps://smtp.163.com:465
set [email protected]
set smtp-auth-password=ZXxxxGWRxxxCSQ
set smtp-auth=login
set ssl-verify=ignore
set nss-config-dir=/root/.certs

重新開機測試
# systemctl restart postfix
# echo "test" |mail -s "title" [email protected]
           

登陸郵箱驗證

emmm。收到是收到了，但有個報錯

證書不被信任，且指令行就此卡住，需要按鍵才能出現指令提示符
# Error in certificate: Peer's certificate issuer is not recognized.

處理此問題
# cd /root/.certs/
# ll 
總用量 80
-rw-r--r-- 1 root root  2415 9月   9 13:31 163.crt
-rw------- 1 root root 65536 9月   9 13:35 cert8.db
-rw------- 1 root root 16384 9月   9 13:35 key3.db
-rw------- 1 root root 16384 9月   9 13:31 secmod.db
# certutil -A -n "GeoTrust SSL CA - G3" -t "Pu,Pu,Pu" -d ./ -i 163.crt
問題解決
           

測試daemon案例

執行腳本

sh check_daemon.sh
目前檢測的域名： zisefeizhu.test.cn
剩餘天數:  73
剩餘天數:  73
https 證書有效期少于100天，存在風險
           

驗證

👌！

定時任務

# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
#Timing execution /root/scripts/check_daemon.sh
0 2  *  *  * root  sh /root/scripts/check_daemon.sh
           

過手如登山，一步一重天