OpenVPN Certificate Status

This script checks the lifetime of the OpenVPN Certifications, for Roadwarrior and Net-to-Net connections.

This script may be used, expanded and supplemented. Thanks again to ummeegge for his work!

OVP-Check Cert Script

The script was exemplarily saved on /mnt/mo_scripts/ directory. The script needs to be made ​​executable.

This script must be stored on the server side.

filename = ovpcertstat.sh

#!/bin/bash -

# ovpn_cert_expiration_check.sh
#
# $author: ummeegge ipfire org ; $date: 20.10.2017 - 15:24:08
#########################################################################
# This script checks OpenVPNs index.txt for how much time is left
# until a client certificate will be expired.
# Certificats with OpenSSL maximum (999999) are excluded.
# Time should be configured by the individual needs,
# but is currently configured to 5 days.
#
# Days before can be defined in the "ALERT=5" variable.
# An own Email account should be present for this since the Email account
#     password are stored in cleartext in the script.
# Script provides Email encryption via GPG but is currently commented in the main part.
#     An howto setup can be found in here --> http://wiki.ipfire.org/en/optimization/scripts/gpg/start .
# Email function is currently commented cause it needs to be setup first.
# Own Email credentials needs to be set in the script (sections are marked).
# Script can be placed e.g. into /etc/fcron.daily .
#     All paths has been set absolute so the fcron environment should find all binaries.
#

## Paths, directories and files
INDEX="/var/ipfire/ovpn/certs/index.txt";
WORKDIR="/tmp/ovpn_cert_alert";
CERTLIST="${WORKDIR}/certlist";
COUNTERLIST="${WORKDIR}/counterlist";
MERGED="${WORKDIR}/merged";
MAIL="${WORKDIR}/mailalert";
MAILCRYPTED="${WORKDIR}/mailalert.asc";
# Needed binary locations
SENDMAIL="/usr/local/bin/sendEmail";
GPG="/usr/bin/gpg";

# Email text
DATELIST="List of OpenVPN certificate expiration dates from $(hostname) - $(date)";
DATELISTA="Already revoked certificates and such with OpenSSL maximum are not listed in here.";
DATELISTB="You will deliver mails also for '0 days left' certificates. If they are presant you should clean them up.";

## Check for needed dependencies
# sendEmail check
if [ ! -e "${SENDMAIL}" ]; then
   /bin/echo -e "Can´t find needed sendEmail binary. Please install it via Pakfire first.";
   exit 1;
fi
# index.txt check
if [ -s "${FILE}" ]; then
   /bin/echo -e "The certificate index is empty or not presant, please add first clients.";
   exit 1;
fi
# Check for workdir otherwise create it
if [ -e "${WORKDIR}" ]; then
    /bin/rm -rf ${WORKDIR};
    /bin/mkdir ${WORKDIR};
else
    /bin/mkdir ${WORKDIR}
fi


############################### ADD HERE YOUR INDIVIDUAL DATA ##########################################################
# ----- How much days should be left until an alert should be fired -----
#
ALERT="5";
#
# ----- Please configure here your specific Email data ------
#
MAILPASS="YourEmailPassword";
MAILADDRESS="example@web.de";
MAILNAME="example";
SMTPADDRESS="smtp.web.de:587";
MESSAGE="From $(date)";
SUBJECT="From $(date) OVPN expiring date has been reached";
PUBKEYID="2F033721";
#
########################################################################################################################

#################################################### Main part #########################################################
## Searcher
certs_date=$(/usr/bin/awk '/^V/ {print $2}' ${INDEX} | cut -c1-6 | grep -E '^1|^2');

## Time values
NOW=$(date +%s);
# 24 hours in seconds
DAY="86400";

## Mail preparation
# Copy CNs from index.txt to counter list.
# Without already revoked certificates but also no host certificate
grep '^V' ${INDEX} | sed 1d | grep -o 'CN=.*' > ${CERTLIST};

## Calculation
for i in ${certs_date}; do
    # Convert index.txt time to UNIX time
    UNTIL=$(date -d "${i}" +%s);
    # Calculate differences
    DIFF=$(( ${UNTIL} - ${NOW} ));
    # Convert UNIX time to days
    REST=$(( ${DIFF} / ${DAY} ));
    # Text with integrated result
    echo "${REST} days are left for user with the common name - ";
done >> ${COUNTERLIST};

# Merge lists withanother
/usr/bin/paste {$COUNTERLIST,$CERTLIST} > ${MERGED};

# Check for alert and prepare mail
/usr/bin/awk -v var="$ALERT" '$1<=var' ${MERGED} | sed 's/^-//g' > ${MAIL};

# Check if alert should be fired
if [ $(/bin/ls -l ${MAIL} | /usr/bin/awk '{print $5}') -ne 0 ]; then
    sed -i -e "1s/^/$(printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' -;)\n\n/" \
    -e "1s/^/${DATELIST}\n/" \
    -e "1s/^/$(printf '%*s\n' "${COLUMNS:-$(tput cols)}" '' | tr ' ' -;)\n/" ${MAIL};
    # Next line can be deleted if Email as been set up. Line is only for testing pruposes
    /bin/echo "Will fire an alert... ";
    /bin/echo -e "\n\n${DATELISTA}\n" >> ${MAIL};
    /bin/echo -e "${DATELISTB}\n" >> ${MAIL};
    # Send alert via sendEmail encrypted with GPG
    # To activate it after installation, uncomment the following lines
    #${GPG} --encrypt -a --recipient "${PUBKEYID}" "${MAIL}";
    #${SENDMAIL} -f "${MAILADDRESS}" -t "${MAILADDRESS}" \
    #-s "${SMTPADDRESS}" \
    #-u "${SUBJECT}" \
    #-m "${MESSAGE}" \
    #-xu "${MAILNAME}" \
    #-xp "${MAILPASS}" \
    #-a "${MAILCRYPTED}";
    logger -t OpenVPN-cert-check "Warning: One or more OpenVPN certificates has been expired. Email alert has been send... ";
fi

# Clean up workdir
/bin/rm -rf ${WORKDIR};

# EOF

After depositing or creation the script must be still made executable:

chmod +x ovpcertstat.sh

Timing

For a regular check by the above script can be called by a Cronjob for the my-sendemail.sh Script.

fcrontab -e

Specify the desired frequency, here every 8 hours, for the cronjob.

# ovp cert status
0 */8 * * *     /mnt/harddisk/scripts/ovpcertstat.sh

Hint

  • The Sendmail-Function is off in this Script. Edit this lines to send the Status announcement to your E-Mail Address with or no GPG Key! Look like this: my-sendemail.sh
  • Current home of this script can be found in here https://gitlab.com/ummeegge/scripts/-/blob/master/ovpn_cert_expiration_check.sh .
Edit Page ‐ Yes, you can edit!

Older Revisions • June 19 at 3:41 pm • Erik Kapfer