New role for Debian-specific configuration.
diff --git a/roles/debian/files/pki/check-x509-certs b/roles/debian/files/pki/check-x509-certs
new file mode 100755 (executable)
index 0000000..b395019
--- /dev/null
@@ -0,0 +1,35 @@
+#! /bin/sh -e
+
+conf=/etc/ca/check-x509-certs.conf
+time=$(( 7 * 86400 ))
+usage="usage: $0 [-c CONF] [-d DAYS] [-s SECS]"
+
+while getopts c:d:s: opt; do
+  case "$opt" in
+    c) conf=$OPTARG ;;
+    d) time=$(( $OPTARG * 86400 )) ;;
+    s) time=$OPTARG ;;
+    *) echo >&2 "$usage"; exit 1 ;;
+  esac
+done
+shift $(( $OPTIND - 1 ))
+case $# in 0) ;; *) echo >&2 "$usage"; exit 1 ;; esac
+
+if [ ! -f $conf ]; then exit 0; fi
+
+any=nil
+while read line; do
+  case "$line" in "" | "#"*) continue ;; esac
+  file=$line
+  if openssl x509 -in "$file" -noout -checkend $time; then
+    continue
+  fi
+  if openssl x509 -in "$file" -noout -checkend 0; then
+    state="expires soon"
+  else
+    state="ALREADY EXPIRED!"
+  fi
+  case $any in nil) any=t ;; t) echo ;; esac
+  echo "$file: $state"
+  openssl x509 -in "$file" -noout -issuer -dates
+done <"$conf"
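Review bot: In the read loop, a listed path that is missing, unreadable or not a parseable certificate makes both `-checkend` calls fail, so it is reported as "ALREADY EXPIRED!" instead of as a load error. The final `openssl x509 ... -issuer -dates` call then fails too and, under `-e`, most likely ends the run before the remaining entries are checked, so one bad line in the conf leaves later certificates unexamined. I would test loadability before the expiry checks, e.g. `openssl x509 -in "$file" -noout 2>/dev/null || { echo "$file: cannot load certificate"; continue; }`. Separately, `[ ! -f $conf ]` should quote `"$conf"`, and `read line` should be `IFS= read -r line` so paths with backslashes or leading spaces survive.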