From: Ralf Jung
Date: Sun, 13 Dec 2015 13:52:43 +0000 (+0100)
Subject: make a certcheck module
X-Git-Url: https://git.ralfj.de/lets-encrypt-tiny.git/commitdiff_plain/8bfaf111fde0c3f67a525d0eb727c8e3ddd1c9c3
make a certcheck module
---
diff --git a/certcheck b/certcheck
index e6986bd..065fe0f 100755
--- a/certcheck
+++ b/certcheck
@@ -1,39 +1,18 @@
 #!/usr/bin/python3
 ## Call with "--help" for documentation.
-import argparse, subprocess, re, os, datetime
+import argparse, certcheck
-def check_dir(dirname, days):
- for name in os.listdir(dirname):
- name = os.path.join(dirname, name)
- if os.path.isdir(name):
- check_dir(name, days)
- elif name.endswith('.crt'):
- check_file(name, days)
+parser = argparse.ArgumentParser(description='Check for soon-to-expire (and already expired) certificates')
+parser.add_argument("-d", "--days", metavar='N',
+ dest="days", type=int, default=14,
+ help="Warn about certificates valid for less than N (default 14).")
+parser.add_argument("certs", metavar='CERTS', nargs='+',
+ help="These certificate files are checked. Directories are searched recursively for files called '*.crt'.")
+args = parser.parse_args()
-def check_file(filename, days):
- valid_not_after = subprocess.check_output(["openssl", "x509", "-enddate", "-in", filename, "-out", "/dev/null"]).decode('utf-8')
- match = re.match("notAfter=([a-zA-Z0-9: ]+)", valid_not_after)
- assert match is not None, "Unexpected output from openssl: valid_not_after"
- enddate = match.group(1)
- enddate = datetime.datetime.strptime(enddate, '%b %d %X %Y %Z')
- delta = enddate - datetime.datetime.now()
- if delta < datetime.timedelta(days=days):
- print("{} expires at {}, which is in {} days".format(filename, enddate, delta.days))
-
-if __name__ == "__main__":
- parser = argparse.ArgumentParser(description='Check for soon-to-expire (and already expired) certificates')
- parser.add_argument("-d", "--days", metavar='N',
- dest="days", type=int, default=14,
- help="Warn about certificates valid for less than N (default 14).")
- parser.add_argument("certs", metavar='CERTS', nargs='+',
- help="These certificate files are checked. 
Directories are searched recursively for files called '*.crt'.")
- args = parser.parse_args()
-
- for name in args.certs:
- if os.path.isdir(name):
- check_dir(name, args.days)
- else:
- check_file(name, args.days)
-
-
+for name in args.certs:
+ if os.path.isdir(name):
+ certcheck.check_dir(name, args.days)
+ else:
+ certcheck.check_file(name, args.days)
diff --git a/certcheck.py b/certcheck.py
new file mode 100644
index 0000000..aa64ae6
--- /dev/null
+++ b/certcheck.py
@@ -0,0 +1,22 @@
+import subprocess, re, os, datetime
+
+def check_dir(dirname, days):
+ for name in os.listdir(dirname):
+ name = os.path.join(dirname, name)
+ if os.path.isdir(name):
+ check_dir(name, days)
+ elif name.endswith('.crt'):
+ check_file(name, days)
+
+def cert_expiry_date(filename):
+ valid_not_after = subprocess.check_output(["openssl", "x509", "-enddate", "-in", filename, "-noout"]).decode('utf-8')
+ match = re.match("notAfter=([a-zA-Z0-9: ]+)", valid_not_after)
+ assert match is not None, "Unexpected output from openssl: " + valid_not_after
+ enddate = match.group(1)
+ return datetime.datetime.strptime(enddate, '%b %d %X %Y %Z')
+
+def check_file(filename, days):
+ enddate = cert_expiry_date(filename)
+ delta = enddate - datetime.datetime.now()
+ if delta < datetime.timedelta(days=days):
+ print("{} expires at {}, which is in {} days".format(filename, enddate, delta.days))
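Review bot: The new driver loop at the end of the hunk still calls `os.path.isdir(name)`, but the rewritten import line is `import argparse, certcheck`, so `os` is no longer bound in the script and the first run with any CERTS argument dies with a NameError before a single certificate is checked. Keep the module imported: `import argparse, os, certcheck`. The `import certcheck` itself presumably resolves to the new certcheck.py only because Python puts the script's own directory on sys.path; since this script has no .py suffix and shares the module's name, a one-line comment such as `# certcheck.py lives next to this script` would save the next reader a puzzle. Minor wording: the --days help text omits the unit, `help="Warn about certificates valid for less than N days (default 14)."`.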
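Review bot: In check_file, `enddate` comes back from cert_expiry_date as a naive datetime in GMT (openssl prints notAfter as e.g. `Dec 13 12:52:43 2025 GMT`, and strptime's `%Z` consumes the zone name without attaching tzinfo), yet it is subtracted from the local-time `datetime.datetime.now()`, so the computed margin is off by the host's UTC offset; compare in one zone, e.g. `delta = enddate - datetime.datetime.utcnow()`, and note in a comment that openssl reports in GMT. In cert_expiry_date, `assert match is not None` is the only validation of the openssl output, and asserts vanish under `python3 -O`; make it `if match is None: raise ValueError("Unexpected output from openssl: " + valid_not_after)`. A file that openssl rejects (a key or non-PEM file named *.crt) makes check_output raise CalledProcessError and aborts the whole scan instead of being reported and skipped, which is worth either catching per file or documenting in check_dir. check_file reports only via print and returns None, so a caller cannot turn expiring or expired certificates into a non-zero exit status for cron or monitoring; consider returning True when it warns.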