OpenVPN Certificate Status

This script checks the remaining lifetime of the OpenVPN certificates (Roadwarrior only).

This script may be used, expanded and supplemented. Thanks again to ummeegge for his work!

OVP-Check Cert Script

As an example, the script was saved in the /mnt/mo_scripts/ directory. The script needs to be made executable.

This script must be stored on the server side.

filename = ovpcertstat.sh

#!/bin/bash -

# cert_check.sh
#
# ummeegge 01.09.2014
##################################################################
# This script checks OpenVPNs index.txt for how much time is left
# until a client certificate will be expired.
# Also the host and N2N certificates are excluded.
# Time should be configured by the individual needs,
# but is currently configured to 5 days.
# In here --> https://forum.ipfire.org/viewtopic.php?f=17&t=11513 ,
# a topic can be found for corrections or enhancements.
#

set -x

## How many days should be left before an alert is fired
# ----- PLEASE EDIT HERE YOUR DESIRED DAYS -----
ALERT="5";

## Paths
FILE="/var/ipfire/ovpn/certs/index.txt";
MAIL="/tmp/list";

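## Searcher
# Expiry dates (YYMMDD) of the valid (V) entries stored in 13-character
# UTCTime form. The host certificate, whose expiry year starts with 4,
# is dropped to match the sed filter used for the listing below.
certs_date=$(awk '/^V/ && length($2) == 13 {print $2}' "${FILE}" | cut -c1-6 | grep -v '^4');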

## Time values
NOW=$(date +%s);
# 24 hours in seconds
DAY="86400";

## Mail preparation
# Copy reduced index.txt list to /tmp.
# Without already revoked and host certificate
echo -e "\033[1;36m List of OpenVPN certificate expiration dates from $(date) \033[0m" > ${MAIL};
echo >> ${MAIL};
echo "The days below are calculated in the listing order of the following copy of index.txt." >> ${MAIL};
echo >> ${MAIL};
awk '/^V/ {print $2"\t", $3"\t", $5"\t"}' ${FILE} | sed '/^4.*Z/d' >> ${MAIL};

# Clarification of the content
echo >> ${MAIL};
echo -e "\033[1;36m Time until expiration in days: \033[0m" >> ${MAIL};
echo  >> ${MAIL}

## Calculation
for i in ${certs_date}
do
  # Convert index.txt time to UNIX time
  UNTIL=$(date -d "${i}" +%s)
  # Calculate differences
  DIFF=$(expr ${UNTIL} - ${NOW})
  # Convert UNIX time to days
  REST=$(expr ${DIFF} / ${DAY})
  # Text with integrated result
  echo "---------------------------------------------------------------------"
  echo "| There are still ${REST} days left until the certificate has expired"
done >> ${MAIL}

# Clarification of the content
echo >> ${MAIL};
echo -e "\033[1;36m Already revoked hosts and N2N certificate are not listed in here.\033[0m" >> ${MAIL};
echo >> ${MAIL};

# Checks calculated time in list
MAILALERT=$(awk '/^\| / {print $5}' ${MAIL});

# Check if Mail should be fired
for m in ${MAILALERT}
do
if (( "${ALERT}" >= "${m}" )); then
#    /usr/bin/gpg --encrypt -a --recipient ED9991FC ${MAIL};
#    /usr/local/bin/sendEmail -f username@web.de -t username@web.de \
#    -o tls=yes -s smtp.web.de:587 \
#    -xu username -xp "Mein_kryptisches_passwort" \
#    -vvv \
#    -m "This list contains certificates which will expire within ${ALERT} days." \
#    -u "Test" \
#    -a "${MAIL}.asc";
  echo "I'll send you an e-mail";
else
  echo "I'll send you nothing ...";
fi
done

# Clean up /tmp
#rm -rf /tmp/list*;

# End of cert check

After saving or creating the script, it still has to be made executable:

chmod +x ovpcertstat.sh
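
The script above keeps only the first six digits of the expiry field and selects certificates by the leading digit of the year. The following added example (not part of the original script) goes further: it parses the full index.txt timestamp in both UTCTime and GeneralizedTime form, skips revoked entries by their status flag, and prints the subject of each certificate inside the alert window. The function names are hypothetical, the sample index is constructed, and a date command that accepts -d (GNU or BusyBox) is assumed.

```bash
#!/bin/bash
# Added example, not part of the original script. Function names are
# hypothetical; assumes the tab-separated OpenSSL index.txt layout and
# a date(1) that accepts -d (GNU or BusyBox).

# Convert an index.txt expiry stamp to epoch seconds (UTC). Handles
# UTCTime (YYMMDDHHMMSSZ) and GeneralizedTime (YYYYMMDDHHMMSSZ).
expiry_to_epoch() {
  local ts="${1%Z}" yy
  case "${#ts}" in
    12) yy="${ts%??????????}"          # leading two-digit year
        # RFC 5280: 00-49 means 20xx, 50-99 means 19xx
        if [ "$yy" -lt 50 ]; then ts="20${ts}"; else ts="19${ts}"; fi ;;
    14) ;;                             # already has a four-digit year
    *)  return 1 ;;                    # unknown format: caller skips it
  esac
  date -u -d "$(printf '%s' "$ts" | sed -E \
    's/^(....)(..)(..)(..)(..)(..)$/\1-\2-\3 \4:\5:\6/')" +%s
}

# Print "<days left> <subject>" for each valid (V) entry that expires
# within <alert> days. Revoked (R) entries are skipped by status.
# Args: index file, alert threshold in days, current time as epoch seconds.
expiring_certs() {
  local file="$1" alert="$2" now="$3" expiry subject expires days
  awk -F'\t' '$1 == "V" { print $2 " " $6 }' "$file" |
  while read -r expiry subject; do
    expires=$(expiry_to_epoch "$expiry") || continue
    days=$(( (expires - now) / 86400 ))
    if [ "$days" -le "$alert" ]; then
      printf '%s %s\n' "$days" "$subject"
    fi
  done
}

# Constructed sample index.txt (not real data).
sample_index() {
  printf 'V\t250110120000Z\t\t02\tunknown\t/C=DE/O=Example/CN=roadwarrior1\n'
  printf 'V\t250301120000Z\t\t03\tunknown\t/C=DE/O=Example/CN=roadwarrior2\n'
  printf 'R\t250105120000Z\t240601120000Z\t04\tunknown\t/C=DE/O=Example/CN=revoked1\n'
  printf 'V\t20510101120000Z\t\t01\tunknown\t/C=DE/O=Example/CN=host.example\n'
}
```

Called as expiring_certs /var/ipfire/ovpn/certs/index.txt 5 "$(date +%s)", it prints nothing when no certificate is due, so an empty result can decide whether a mail is sent. A long-lived host certificate never enters the alert window, so it needs no filter by year digit.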

Timing

For a regular check, the above script can be called by a cron job, as for the my-sendemail.sh script.

fcrontab -e

Specify the desired frequency for the cron job, here every 8 hours.

# ovp cert status
0 */8 * * *     /mnt/harddisk/scripts/ovpcertstat.sh

Hint

The mail-sending function is switched off (commented out) in this script. Edit these lines to send the status report to your e-mail address, with or without a GPG key. For an example, see: my-sendemail.sh

Older Revisions • August 26 at 10:08 pm • Jon