- add configuration options for certwatch (#152990)

- allow passing options in certwatch.cron via $CERTWATCH_OPTS
- require openssl with /etc/pki/tls

Makefile

@@ -4,3 +4,9 @@ NAME := crypto-utils
 SPECFILE = $(firstword $(wildcard *.spec))
 
 include ../common/Makefile.common
+
+certwatch: certwatch.c
+	gcc -Wall -Werror -O2 -g $< -o $@ -lcrypto
+
+test-certwatch: certwatch
+	./certwatch

certwatch.c

@@ -1,5 +1,5 @@
 /*
-   Copyright 2004 Red Hat, Inc.
+   Copyright 2005 Red Hat, Inc.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -38,6 +38,10 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
+#include <getopt.h>
+
+static int warn_period = 30;
+static char *warn_address = "root";
 
 /* Turn an ASN.1 UTCTIME object into a time_t, ish. */
 static time_t decode_utctime(const ASN1_UTCTIME *utc)
@@ -84,7 +88,7 @@ static int warning(FILE *out, const char *filename, const char *hostname,
         strcpy(subj, "will expire today");
     } else if (days == 1) {
         sprintf(subj, "will expire tomorrow");
-    } else if (days < 30) {
+    } else if (days < warn_period) {
         sprintf(subj, "will expire in %d days", days);
     } else {
         return 0; /* nothing to warn about. */
@@ -92,14 +96,17 @@ static int warning(FILE *out, const char *filename, const char *hostname,
 
     if (quiet) return 1;
 
-    fputs("To: root\n", out);
+    fprintf(out, "To: %s\n", warn_address);
     fprintf(out, "Subject: The certificate for %s %s\n", hostname, subj);
     fputs("\n", out);
     
     fprintf(out, 
             " ################# SSL Certificate Warning ################\n\n");
 
-    fprintf(out, " Certificate for %s, in '%s':\n\n", hostname, filename);
+    fprintf(out, 
+            "  Certificate for %s, in file:\n"
+            "     %s\n\n",
+            hostname, filename);
 
     if (renew) {
         fputs("  The certificate needs to be renewed; this can be done\n"
@@ -180,15 +187,29 @@ static int check_cert(const char *filename, int quiet)
 
 int main(int argc, char **argv)
 {
-    int quiet = 0;
-
-    if (argc == 3 && strcmp(argv[1], "-q") == 0) {
-        quiet = 1;
-        argc--;
-        argv++;
-    }
+    int optc, quiet = 0;
+    static const struct option options[] = {
+        { "quiet", no_argument, NULL, 'q' },
+        { "period", required_argument, NULL, 'p' },
+        { "address", required_argument, NULL, 'a' },
+        { NULL }
+    };
     
-    if (argc != 2) return 0;
+    while ((optc = getopt_long(argc, argv, "qhvp:", options, NULL)) != -1) {
+        switch (optc) {
+        case 'q':
+            quiet = 1;
+            break;
+        case 'p':
+            warn_period = atoi(optarg);
+            break;
+        case 'a':
+            warn_address = strdup(optarg);
+            break;
+        default:
+            exit(2);
+        }
+    }
 
-    return check_cert(argv[1], quiet) == 1 ? EXIT_SUCCESS : EXIT_FAILURE;
+    return check_cert(argv[optind], quiet) == 1 ? EXIT_SUCCESS : EXIT_FAILURE;
 }

certwatch.cron

@@ -2,7 +2,8 @@
 #
 # Issue warning e-mails if SSL certificates expire, using
 # certwatch(8).  Set NOCERTWATCH=yes in /etc/sysconfig/httpd
-# to disable.
+# to disable.  Pass additional options to certwatch in the
+# CERTWATCH_OPTS variable.
 # 
 
 [ -r /etc/sysconfig/httpd ] && . /etc/sysconfig/httpd
@@ -27,6 +28,6 @@ test $RETVAL -eq 0 || exit 0
 
 for c in $certs; do
   # Check whether a warning message is needed, then issue one if so.
-  /usr/bin/certwatch -q "$c" && 
-    /usr/bin/certwatch "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
+  /usr/bin/certwatch $CERTWATCH_OPTS -q "$c" && 
+    /usr/bin/certwatch $CERTWATCH_OPTS "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
 done

certwatch.xml

@@ -5,7 +5,7 @@
 
   <refentryinfo>
     <productname>crypto-utils</productname>
-    <date>September 2004</date>
+    <date>April 2005</date>
   </refentryinfo>
 
   <refmeta>
@@ -21,7 +21,7 @@
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>certwatch</command>
-      <arg choice="opt"><option>-q</option></arg>
+      <arg choice="opt">OPTION...</arg>
       <arg choice="plain"><replaceable>filename</replaceable></arg>
     </cmdsynopsis>
   </refsynopsisdiv>
@@ -39,18 +39,52 @@
     outside its validity period, or approaching expiry.  If the
     certificate cannot be found, or any errors occur whilst parsing
     the certificate, the certificate is ignored and no output is
-    produced.</para>
+    produced.  In quiet mode, no output is given, but the exit status
+    can still be used.</para>
 
-    <para>In quiet mode (when the <literal>-q</literal> argument is
-    given), no output is ever produced.</para>
-    
+  </refsect1>
+
+
+  <refsect1>
+    <title>Options</title>
+
+    <variablelist>
+
+      <varlistentry>
+        <term><option>--quiet</option> or <option>-q</option></term>
+
+        <listitem><simpara>Enable quiet mode; no output is produced
+        whether the certificate is expired or not</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--period <replaceable>days</replaceable></option>
+        or <option>-p <replaceable>days</replaceable></option></term>
+
+        <listitem><simpara>Specify the number of days within which an
+        expiry warning will be produced; default is 30.  Expiry
+        warnings are always produced if, on the day of invocation, the
+        certificate is not yet valid, has already expired, or is due
+        to expire either that day or the following
+        day.</simpara></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>--address <replaceable>address</replaceable></option>
+        or <option>-a <replaceable>address</replaceable></option></term>
+
+        <listitem><simpara>Specify the address used in the To field of
+        the warning e-mail issued if quiet mode is not enabled.  The
+        default is <literal>root</literal>.</simpara></listitem>
+      </varlistentry>
+
+    </variablelist>
   </refsect1>
 
   <refsect1>
     <title>Diagnostics</title>
     
-    <para>In both modes of operation, the exit code indicates the
-    state of the certificate:</para>
+    <para>The exit code indicates the state of the certificate:</para>
     
     <variablelist>
       <varlistentry>
@@ -78,7 +112,9 @@
     imminent expiry of SSL certificates configured for use in the
     Apache HTTP server.  This warning can be disabled by adding the
     line: <literal>NOCERTWATCH=yes</literal> to the file
-    <filename>/etc/sysconfig/httpd</filename>.</para>
+    <filename>/etc/sysconfig/httpd</filename>.  Options to pass to
+    certwatch can be specified in that file in the
+    <literal>CERTWATCH_OPTS</literal> environment variable.</para>
 
   </refsect1>
 
@@ -87,5 +123,11 @@
 
     <para><filename>/etc/cron.daily/certwatch</filename></para>
   </refsect1>
+  
+  <refsect1>
+    <title>See also</title>
+
+    <para>genkey(1)</para>
+  </refsect1>
 
 </refentry>

crypto-utils.spec

@@ -4,7 +4,7 @@
 Summary: SSL certificate and key management utilities
 Name: crypto-utils
 Version: 2.2
-Release: 1
+Release: 2
 Source: crypto-rand-%{crver}.tar.gz
 Source1: genkey.pl
 Source2: certwatch.c
@@ -15,7 +15,7 @@ Group: Applications/System
 License: Various
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 BuildRequires: openssl-devel, perl, pkgconfig, newt-devel, xmlto
-Requires: newt-perl, openssl
+Requires: newt-perl, openssl >= 0.9.7f-4
 Requires: %(eval `perl -V:version`; echo "perl(:MODULE_COMPAT_$version)")
 Obsoletes: crypto-rand
 
@@ -30,8 +30,8 @@ SSL certificates and keys.
 %configure --with-newt=%{_prefix} CFLAGS="-fPIC $RPM_OPT_FLAGS -Wall"
 make
 
-cc $RPM_OPT_FLAGS -Wall -Werror -I/usr/include/openssl -o certwatch \
-   $RPM_SOURCE_DIR/certwatch.c -lcrypto
+%{_cc} $RPM_OPT_FLAGS -Wall -Werror -I/usr/include/openssl \
+       $RPM_SOURCE_DIR/certwatch.c -o certwatch -lcrypto
 for m in certwatch.xml genkey.xml; do
   xmlto man $RPM_SOURCE_DIR/$m
 done
@@ -101,6 +101,11 @@ sed -e "s|^\$bindir.*$|\$bindir = \"%{_bindir}\";|" \
 %{_mandir}/man1/*.1*
 
 %changelog
+* Tue Apr 26 2005 Joe Orton <jorton@redhat.com> 2.2-2
+- add configuration options for certwatch (#152990)
+- allow passing options in certwatch.cron via $CERTWATCH_OPTS
+- require openssl with /etc/pki/tls
+
 * Mon Apr 25 2005 Joe Orton <jorton@redhat.com> 2.2-1
 - adapt to use /etc/pki
 

genkey.xml

@@ -5,7 +5,7 @@
 
   <refentryinfo>
     <productname>crypto-utils</productname>
-    <date>February 2005</date>
+    <date>April 2005</date>
   </refentryinfo>
 
   <refmeta>
@@ -102,8 +102,14 @@
   <refsect1>
     <title>Files</title>
 
-    <para><filename>/usr/share/ssl/openssl.cnf</filename></para>
+    <para><filename>/etc/pki/tls/openssl.cnf</filename></para>
 
   </refsect1>
 
+  <refsect1>
+    <title>See also</title>
+
+    <para>certwatch(8)</para>
+  </refsect1>
+
 </refentry>