luke/ssl-update
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

add status check

Browse Source
This commit is contained in:
LuKe Tidd 2022-10-14 10:52:09 -04:00
parent a4e16f4cb1
commit b29e0308d4
2 changed files with 77 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
ssl-update.py
View File

@ -76,37 +76,6 @@ def firewall_mod(state, service, decrypt_pp):
log.info(f'Turned {state_print} HTTP for {service}') log.info(f'Turned {state_print} HTTP for {service}')
def get_cert_dates(url, port=443):
cmd = (
f'printf "" | /usr/bin/openssl s_client -servername {url} -connect '
f'{url}:{port} | openssl x509 -noout -dates')
ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
bstdout, bstderr = ps.communicate()
exit_code = ps.returncode
stdout = bstdout.decode('UTF-8').splitlines()
stderr = bstderr.decode('UTF-8')
if exit_code > 0:
sys.exit(f'Error checking state of SSL cert at {url}:{port}: {stderr}')
start_str = ''
finish_str = ''
for line in stdout:
if 'notBefore' in line:
start_str = line.split('=')[1]
if 'notAfter' in line:
finish_str = line.split('=')[1]
ts = datetime.datetime.now()
start = datetime.datetime.strptime(start_str, '%b %d %H:%M:%S %Y %Z')
finish = datetime.datetime.strptime(finish_str, '%b %d %H:%M:%S %Y %Z')
if ts > start and ts < finish:
print('Cert is valid')
else:
print('Cert is not valid')
print(f'start: {start}\nnow: {ts}\nfinish: {finish}')
def recurse_rmdir(directory): def recurse_rmdir(directory):
directory = pathlib.Path(directory) directory = pathlib.Path(directory)
for item in directory.iterdir(): for item in directory.iterdir():
@ -132,7 +101,7 @@ def restart(service):
wait = restart_delay[service] wait = restart_delay[service]
else: else:
wait = 5 wait = 5
try: try:
systemd_service = systemd_services[service] systemd_service = systemd_services[service]
except KeyError: except KeyError:

76
ul-status.py Executable file
View File

@ -0,0 +1,76 @@
#!/usr/bin/env python3
"""Automation for cert renewal.
assumptions:
* firewall has access configured for specified key
* firewall sshd config contains: `AcceptEnv ssl_service state`
* firewall has `ssl-update.sh` copied to /usr/local/bin and chmod +x
"""
import datetime
import logging
import getpass
import os
import pathlib
import pexpect
import pwd
import subprocess
import sys
import time
supported_services = [
'git', 'plex', 'jellyfin', 'photoprism', 'nextcloud', 'read']
def get_cert_dates(url, port=443):
cmd = (
f'printf "" | /usr/bin/openssl s_client -servername {url} -connect '
f'{url}:{port} | openssl x509 -noout -dates')
ps = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
bstdout, bstderr = ps.communicate()
exit_code = ps.returncode
stdout = bstdout.decode('UTF-8').splitlines()
stderr = bstderr.decode('UTF-8')
if exit_code > 0:
sys.exit(f'Error checking state of SSL cert at {url}:{port}: {stderr}')
start_str = ''
finish_str = ''
for line in stdout:
if 'notBefore' in line:
start_str = line.split('=')[1]
if 'notAfter' in line:
finish_str = line.split('=')[1]
ts = datetime.datetime.now()
start = datetime.datetime.strptime(start_str, '%b %d %H:%M:%S %Y %Z')
finish = datetime.datetime.strptime(finish_str, '%b %d %H:%M:%S %Y %Z')
if ts > start and ts < finish:
print('Cert is valid')
else:
print('Cert is not valid')
print(f'start: {start}\nnow: {ts}\nfinish: {finish}')
def main(args):
logging.basicConfig(level=os.environ.get("LOGLEVEL", "INFO"))
log.info(f'program start: {sys.argv}')
if len(args) == 0:
check = supported_services
else:
check = args
for service in check:
if not '.' in service:
url = f'{service}.drheck.dev'
else:
url = service
print(80*'-')
print(url)
get_cert_dates(url)
log = logging.getLogger(__name__)
if __name__ == '__main__':
main(sys.argv[1:])