From b29e0308d493056b46cf9e162c307291a84253e9 Mon Sep 17 00:00:00 2001
From: Luke Tidd
Date: Fri, 14 Oct 2022 10:52:09 -0400
Subject: [PATCH] add status check

---
 ssl-update.py | 33 +---------------------
 ul-status.py | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+), 32 deletions(-)
 create mode 100755 ul-status.py

diff --git a/ssl-update.py b/ssl-update.py
index 293eb6a..71968d4 100755
--- a/ssl-update.py
+++ b/ssl-update.py
@@ -76,37 +76,6 @@ def firewall_mod(state, service, decrypt_pp):
 log.info(f'Turned {state_print} HTTP for {service}')
-def get_cert_dates(url, port=443):
- cmd = (
- f'printf "" | /usr/bin/openssl s_client -servername {url} -connect '
- f'{url}:{port} | openssl x509 -noout -dates')
-
- ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,
- stderr=subprocess.PIPE)
- bstdout, bstderr = ps.communicate()
- exit_code = ps.returncode
- stdout = bstdout.decode('UTF-8').splitlines()
- stderr = bstderr.decode('UTF-8')
- if exit_code > 0:
- sys.exit(f'Error checking state of SSL cert at {url}:{port}: {stderr}')
- start_str = ''
- finish_str = ''
- for line in stdout:
- if 'notBefore' in line:
- start_str = line.split('=')[1]
- if 'notAfter' in line:
- finish_str = line.split('=')[1]
-
- ts = datetime.datetime.now()
- start = datetime.datetime.strptime(start_str, '%b %d %H:%M:%S %Y %Z')
- finish = datetime.datetime.strptime(finish_str, '%b %d %H:%M:%S %Y %Z')
- if ts > start and ts < finish:
- print('Cert is valid')
- else:
- print('Cert is not valid')
- print(f'start: {start}\nnow: {ts}\nfinish: {finish}')
-
-
 def recurse_rmdir(directory):
 directory = pathlib.Path(directory)
 for item in directory.iterdir():
@@ -132,7 +101,7 @@ def restart(service):
 wait = restart_delay[service]
 else:
 wait = 5
-
+
 try:
 systemd_service = systemd_services[service]
 except KeyError:
diff --git a/ul-status.py b/ul-status.py
new file mode 100755
index 0000000..5b46fce
--- /dev/null
+++ b/ul-status.py
@@ -0,0 +1,76 @@
+#!/usr/bin/env python3
+"""Automation for cert renewal.
+
+assumptions:
+ * firewall has access configured for specified key
+ * firewall sshd config contains: `AcceptEnv ssl_service state`
+ * firewall has `ssl-update.sh` copied to /usr/local/bin and chmod +x
+"""
+
+import datetime
+import logging
+import getpass
+import os
+import pathlib
+import pexpect
+import pwd
+import subprocess
+import sys
+import time
+
+supported_services = [
+ 'git', 'plex', 'jellyfin', 'photoprism', 'nextcloud', 'read']
+
+def get_cert_dates(url, port=443):
+ cmd = (
+ f'printf "" | /usr/bin/openssl s_client -servername {url} -connect '
+ f'{url}:{port} | openssl x509 -noout -dates')
+
+ ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE)
+ bstdout, bstderr = ps.communicate()
+ exit_code = ps.returncode
+ stdout = bstdout.decode('UTF-8').splitlines()
+ stderr = bstderr.decode('UTF-8')
+ if exit_code > 0:
+ sys.exit(f'Error checking state of SSL cert at {url}:{port}: {stderr}')
+ start_str = ''
+ finish_str = ''
+ for line in stdout:
+ if 'notBefore' in line:
+ start_str = line.split('=')[1]
+ if 'notAfter' in line:
+ finish_str = line.split('=')[1]
+
+ ts = datetime.datetime.now()
+ start = datetime.datetime.strptime(start_str, '%b %d %H:%M:%S %Y %Z')
+ finish = datetime.datetime.strptime(finish_str, '%b %d %H:%M:%S %Y %Z')
+ if ts > start and ts < finish:
+ print('Cert is valid')
+ else:
+ print('Cert is not valid')
+ print(f'start: {start}\nnow: {ts}\nfinish: {finish}')
+
+
+def main(args):
+ logging.basicConfig(level=os.environ.get("LOGLEVEL", "INFO"))
+
+ log.info(f'program start: {sys.argv}')
+ if len(args) == 0:
+ check = supported_services
+ else:
+ check = args
+
+ for service in check:
+ if not '.' in service:
+ url = f'{service}.drheck.dev'
+ else:
+ url = service
+ print(80*'-')
+ print(url)
+ get_cert_dates(url)
+
+
+log = logging.getLogger(__name__)
+if __name__ == '__main__':
+ main(sys.argv[1:])
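Review bot: `get_cert_dates` interpolates `url` into `cmd` and runs it with `shell=True`, and `url` arrives unchanged from `sys.argv` through `main`, so a hostname argument containing shell metacharacters is interpreted by the shell instead of being handed to openssl; the s_client and x509 steps should be two argv-list `subprocess.run` calls with the default `shell=False`, with the empty stdin given as `input=b''` and the first command's stdout fed to the second, as below. The validity window is compared against `datetime.datetime.now()`, which is naive local time, while openssl prints notBefore/notAfter in GMT, so the result can be wrong by up to the host's UTC offset near either boundary; compare in UTC, `ts = datetime.datetime.utcnow()`. `if exit_code > 0:` also misses a negative returncode (child killed by a signal), so `if exit_code != 0:` is the safer test. The `getpass`, `pathlib`, `pexpect`, `pwd` and `time` imports are unused in this file, and `pexpect` is the only non-stdlib one, so removing them drops a dependency the status check does not need.
```python
def get_cert_dates(url, port=443):
    s_client = subprocess.run(
        ['/usr/bin/openssl', 's_client', '-servername', url,
         '-connect', f'{url}:{port}'],
        input=b'', stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    ps = subprocess.run(
        ['openssl', 'x509', '-noout', '-dates'],
        input=s_client.stdout, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    exit_code = ps.returncode
    stdout = ps.stdout.decode('UTF-8').splitlines()
    stderr = (s_client.stderr + ps.stderr).decode('UTF-8')
    if exit_code != 0:
        sys.exit(f'Error checking state of SSL cert at {url}:{port}: {stderr}')
    # … unchanged: notBefore/notAfter line parsing …
    ts = datetime.datetime.utcnow()
    # … unchanged: strptime of start/finish and the validity check …
```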