- add configuration options for certwatch (#152990)

- allow passing options in certwatch.cron via $CERTWATCH_OPTS
- require openssl with /etc/pki/tls
jorton 2005-04-26 09:20:45 +00:00
parent fd98acbcc3
commit 582058ab4d
6 changed files with 112 additions and 31 deletions


@ -4,3 +4,9 @@ NAME := crypto-utils
SPECFILE = $(firstword $(wildcard *.spec))
include ../common/Makefile.common
certwatch: certwatch.c
gcc -Wall -Werror -O2 -g $< -o $@ -lcrypto
test-certwatch: certwatch
./certwatch
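Review bot: The `test-certwatch` target runs `./certwatch` with no filename, and after this commit's rewrite of main() (elsewhere in the same change) the old `argc != 2` early return is gone, so a bare invocation hands `argv[optind]`, i.e. NULL, to check_cert(); the target should pass a certificate file (none is present in this tree, so one would need adding) and assert on the exit status. The `certwatch` rule also hard-codes the compiler; `$(CC) -Wall -Werror -O2 -g $< -o $@ -lcrypto` lets the packager override it. `test-certwatch` is a command rather than a file, so add `.PHONY: test-certwatch` or a stray file of that name will silently disable the test.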


@ -1,5 +1,5 @@
/*
Copyright 2004 Red Hat, Inc.
Copyright 2005 Red Hat, Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -38,6 +38,10 @@
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <getopt.h>
static int warn_period = 30;
static char *warn_address = "root";
/* Turn an ASN.1 UTCTIME object into a time_t, ish. */
static time_t decode_utctime(const ASN1_UTCTIME *utc)
@ -84,7 +88,7 @@ static int warning(FILE *out, const char *filename, const char *hostname,
strcpy(subj, "will expire today");
} else if (days == 1) {
sprintf(subj, "will expire tomorrow");
} else if (days < 30) {
} else if (days < warn_period) {
sprintf(subj, "will expire in %d days", days);
} else {
return 0; /* nothing to warn about. */
@ -92,14 +96,17 @@ static int warning(FILE *out, const char *filename, const char *hostname,
if (quiet) return 1;
fputs("To: root\n", out);
fprintf(out, "To: %s\n", warn_address);
fprintf(out, "Subject: The certificate for %s %s\n", hostname, subj);
fputs("\n", out);
fprintf(out,
" ################# SSL Certificate Warning ################\n\n");
fprintf(out, " Certificate for %s, in '%s':\n\n", hostname, filename);
fprintf(out,
" Certificate for %s, in file:\n"
" %s\n\n",
hostname, filename);
if (renew) {
fputs(" The certificate needs to be renewed; this can be done\n"
@ -180,15 +187,29 @@ static int check_cert(const char *filename, int quiet)
int main(int argc, char **argv)
{
int quiet = 0;
if (argc == 3 && strcmp(argv[1], "-q") == 0) {
quiet = 1;
argc--;
argv++;
}
int optc, quiet = 0;
static const struct option options[] = {
{ "quiet", no_argument, NULL, 'q' },
{ "period", required_argument, NULL, 'p' },
{ "address", required_argument, NULL, 'a' },
{ NULL }
};
if (argc != 2) return 0;
while ((optc = getopt_long(argc, argv, "qhvp:", options, NULL)) != -1) {
switch (optc) {
case 'q':
quiet = 1;
break;
case 'p':
warn_period = atoi(optarg);
break;
case 'a':
warn_address = strdup(optarg);
break;
default:
exit(2);
}
}
return check_cert(argv[1], quiet) == 1 ? EXIT_SUCCESS : EXIT_FAILURE;
return check_cert(argv[optind], quiet) == 1 ? EXIT_SUCCESS : EXIT_FAILURE;
}
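Review bot: The short-option string `"qhvp:"` given to getopt_long() has no `a:` entry, so the documented `-a address` form is rejected as an invalid option and exits 2 while only `--address` works; `h` and `v` are accepted by the string but fall through to `exit(2)` with no usage or version text. The `argc != 2` guard appears only on the old side and nothing replaces it, so `certwatch` with no filename passes `argv[optind]` (NULL) to check_cert(). I would use `"qha:p:"` (or keep `v` and handle it) and add `if (optind >= argc) return EXIT_FAILURE;` before the check_cert() call. `atoi(optarg)` in the `p` case quietly turns junk or negative input into a period of zero or less, which disables every warning except the same-day/next-day ones; a `strtol` with an end-pointer check that rejects `warn_period < 0` is cheap here. `warn_address` is written unescaped into the `To:` header that the cron job feeds to `sendmail -t`, so the `a` case deserves a comment that the value is trusted administrator configuration, not user input.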


@ -2,7 +2,8 @@
#
# Issue warning e-mails if SSL certificates expire, using
# certwatch(8). Set NOCERTWATCH=yes in /etc/sysconfig/httpd
# to disable.
# to disable. Pass additional options to certwatch in the
# CERTWATCH_OPTS variable.
#
[ -r /etc/sysconfig/httpd ] && . /etc/sysconfig/httpd
@ -27,6 +28,6 @@ test $RETVAL -eq 0 || exit 0
for c in $certs; do
# Check whether a warning message is needed, then issue one if so.
/usr/bin/certwatch -q "$c" &&
/usr/bin/certwatch "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
/usr/bin/certwatch $CERTWATCH_OPTS -q "$c" &&
/usr/bin/certwatch $CERTWATCH_OPTS "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
done
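Review bot: `$CERTWATCH_OPTS` is left unquoted so it word-splits into separate arguments, but that also subjects it to pathname expansion and means a value containing whitespace (an address with a display name, say) cannot be passed; the header comment should state that the variable is split on whitespace. If `-q` ends up in CERTWATCH_OPTS the second invocation produces no output, sendmail is fed an empty message and its diagnostics go to /dev/null, so the failure is silent; a comment such as `# CERTWATCH_OPTS must not contain -q; this script adds it where needed` would head that off.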


@ -5,7 +5,7 @@
<refentryinfo>
<productname>crypto-utils</productname>
<date>September 2004</date>
<date>April 2005</date>
</refentryinfo>
<refmeta>
@ -21,7 +21,7 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>certwatch</command>
<arg choice="opt"><option>-q</option></arg>
<arg choice="opt">OPTION...</arg>
<arg choice="plain"><replaceable>filename</replaceable></arg>
</cmdsynopsis>
</refsynopsisdiv>
@ -39,18 +39,52 @@
outside its validity period, or approaching expiry. If the
certificate cannot be found, or any errors occur whilst parsing
the certificate, the certificate is ignored and no output is
produced.</para>
produced. In quiet mode, no output is given, but the exit status
can still be used.</para>
<para>In quiet mode (when the <literal>-q</literal> argument is
given), no output is ever produced.</para>
</refsect1>
<refsect1>
<title>Options</title>
<variablelist>
<varlistentry>
<term><option>--quiet</option> or <option>-q</option></term>
<listitem><simpara>Enable quiet mode; no output is produced
whether the certificate is expired or not</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--period <replaceable>days</replaceable></option>
or <option>-p <replaceable>days</replaceable></option></term>
<listitem><simpara>Specify the number of days within which an
expiry warning will be produced; default is 30. Expiry
warnings are always produced if, on the day of invocation, the
certificate is not yet valid, has already expired, or is due
to expire either that day or the following
day.</simpara></listitem>
</varlistentry>
<varlistentry>
<term><option>--address <replaceable>address</replaceable></option>
or <option>-a <replaceable>address</replaceable></option></term>
<listitem><simpara>Specify the address used in the To field of
the warning e-mail issued if quiet mode is not enabled. The
default is <literal>root</literal>.</simpara></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Diagnostics</title>
<para>In both modes of operation, the exit code indicates the
state of the certificate:</para>
<para>The exit code indicates the state of the certificate:</para>
<variablelist>
<varlistentry>
@ -78,7 +112,9 @@
imminent expiry of SSL certificates configured for use in the
Apache HTTP server. This warning can be disabled by adding the
line: <literal>NOCERTWATCH=yes</literal> to the file
<filename>/etc/sysconfig/httpd</filename>.</para>
<filename>/etc/sysconfig/httpd</filename>. Options to pass to
certwatch can be specified in that file in the
<literal>CERTWATCH_OPTS</literal> environment variable.</para>
</refsect1>
@ -87,5 +123,11 @@
<para><filename>/etc/cron.daily/certwatch</filename></para>
</refsect1>
<refsect1>
<title>See also</title>
<para>genkey(1)</para>
</refsect1>
</refentry>


@ -4,7 +4,7 @@
Summary: SSL certificate and key management utilities
Name: crypto-utils
Version: 2.2
Release: 1
Release: 2
Source: crypto-rand-%{crver}.tar.gz
Source1: genkey.pl
Source2: certwatch.c
@ -15,7 +15,7 @@ Group: Applications/System
License: Various
BuildRoot: %{_tmppath}/%{name}-%{version}-root
BuildRequires: openssl-devel, perl, pkgconfig, newt-devel, xmlto
Requires: newt-perl, openssl
Requires: newt-perl, openssl >= 0.9.7f-4
Requires: %(eval `perl -V:version`; echo "perl(:MODULE_COMPAT_$version)")
Obsoletes: crypto-rand
@ -30,8 +30,8 @@ SSL certificates and keys.
%configure --with-newt=%{_prefix} CFLAGS="-fPIC $RPM_OPT_FLAGS -Wall"
make
cc $RPM_OPT_FLAGS -Wall -Werror -I/usr/include/openssl -o certwatch \
$RPM_SOURCE_DIR/certwatch.c -lcrypto
%{_cc} $RPM_OPT_FLAGS -Wall -Werror -I/usr/include/openssl \
$RPM_SOURCE_DIR/certwatch.c -o certwatch -lcrypto
for m in certwatch.xml genkey.xml; do
xmlto man $RPM_SOURCE_DIR/$m
done
@ -101,6 +101,11 @@ sed -e "s|^\$bindir.*$|\$bindir = \"%{_bindir}\";|" \
%{_mandir}/man1/*.1*
%changelog
* Tue Apr 26 2005 Joe Orton <jorton@redhat.com> 2.2-2
- add configuration options for certwatch (#152990)
- allow passing options in certwatch.cron via $CERTWATCH_OPTS
- require openssl with /etc/pki/tls
* Mon Apr 25 2005 Joe Orton <jorton@redhat.com> 2.2-1
- adapt to use /etc/pki
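Review bot: The build line switches from `cc` to `%{_cc}`, and I do not believe that is a predefined rpm macro; the conventional one is `%{__cc}` (double underscore), and an undefined macro would leave the line with no compiler at all. Confirm which name the build root's macro files define before relying on it, or spell out `%{__cc}`. With `-Werror` in a package build, any new warning from a future compiler or openssl header breaks the build rather than the binary; that is a deliberate trade-off worth a one-line comment above the `%{_cc}` line.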


@ -5,7 +5,7 @@
<refentryinfo>
<productname>crypto-utils</productname>
<date>February 2005</date>
<date>April 2005</date>
</refentryinfo>
<refmeta>
@ -102,8 +102,14 @@
<refsect1>
<title>Files</title>
<para><filename>/usr/share/ssl/openssl.cnf</filename></para>
<para><filename>/etc/pki/tls/openssl.cnf</filename></para>
</refsect1>
<refsect1>
<title>See also</title>
<para>certwatch(8)</para>
</refsect1>
</refentry>