- add configuration options for certwatch (#152990)
- allow passing options in certwatch.cron via $CERTWATCH_OPTS - require openssl with /etc/pki/tls
parent
fd98acbcc3
commit
582058ab4d
6
Makefile
6
Makefile
@ -4,3 +4,9 @@ NAME := crypto-utils
|
||||
SPECFILE = $(firstword $(wildcard *.spec))
|
||||
|
||||
include ../common/Makefile.common
|
||||
|
||||
certwatch: certwatch.c
|
||||
gcc -Wall -Werror -O2 -g $< -o $@ -lcrypto
|
||||
|
||||
test-certwatch: certwatch
|
||||
./certwatch
|
||||
|
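Review bot: The new `test-certwatch` target runs `./certwatch` with no filename, so with the getopt-based `main` added to certwatch.c in this commit the program reaches `check_cert(argv[optind], quiet)` with `argv[optind]` equal to NULL (the `argc != 2` guard is gone), which is a crash rather than a test. The target should pass a real input and check the result, e.g. `./certwatch -q <fixture-cert.pem>` with a placeholder fixture path, or at least a usage-error run whose exit status is asserted. The `certwatch:` rule itself looks fine; `-lcrypto` after the source is the correct link order.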
47
certwatch.c
47
certwatch.c
@ -1,5 +1,5 @@
|
||||
/*
|
||||
Copyright 2004 Red Hat, Inc.
|
||||
Copyright 2005 Red Hat, Inc.
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
@ -38,6 +38,10 @@
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <getopt.h>
|
||||
|
||||
static int warn_period = 30;
|
||||
static char *warn_address = "root";
|
||||
|
||||
/* Turn an ASN.1 UTCTIME object into a time_t, ish. */
|
||||
static time_t decode_utctime(const ASN1_UTCTIME *utc)
|
||||
@ -84,7 +88,7 @@ static int warning(FILE *out, const char *filename, const char *hostname,
|
||||
strcpy(subj, "will expire today");
|
||||
} else if (days == 1) {
|
||||
sprintf(subj, "will expire tomorrow");
|
||||
} else if (days < 30) {
|
||||
} else if (days < warn_period) {
|
||||
sprintf(subj, "will expire in %d days", days);
|
||||
} else {
|
||||
return 0; /* nothing to warn about. */
|
||||
@ -92,14 +96,17 @@ static int warning(FILE *out, const char *filename, const char *hostname,
|
||||
|
||||
if (quiet) return 1;
|
||||
|
||||
fputs("To: root\n", out);
|
||||
fprintf(out, "To: %s\n", warn_address);
|
||||
fprintf(out, "Subject: The certificate for %s %s\n", hostname, subj);
|
||||
fputs("\n", out);
|
||||
|
||||
fprintf(out,
|
||||
" ################# SSL Certificate Warning ################\n\n");
|
||||
|
||||
fprintf(out, " Certificate for %s, in '%s':\n\n", hostname, filename);
|
||||
fprintf(out,
|
||||
" Certificate for %s, in file:\n"
|
||||
" %s\n\n",
|
||||
hostname, filename);
|
||||
|
||||
if (renew) {
|
||||
fputs(" The certificate needs to be renewed; this can be done\n"
|
||||
@ -180,15 +187,29 @@ static int check_cert(const char *filename, int quiet)
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
int quiet = 0;
|
||||
|
||||
if (argc == 3 && strcmp(argv[1], "-q") == 0) {
|
||||
quiet = 1;
|
||||
argc--;
|
||||
argv++;
|
||||
}
|
||||
int optc, quiet = 0;
|
||||
static const struct option options[] = {
|
||||
{ "quiet", no_argument, NULL, 'q' },
|
||||
{ "period", required_argument, NULL, 'p' },
|
||||
{ "address", required_argument, NULL, 'a' },
|
||||
{ NULL }
|
||||
};
|
||||
|
||||
if (argc != 2) return 0;
|
||||
while ((optc = getopt_long(argc, argv, "qhvp:", options, NULL)) != -1) {
|
||||
switch (optc) {
|
||||
case 'q':
|
||||
quiet = 1;
|
||||
break;
|
||||
case 'p':
|
||||
warn_period = atoi(optarg);
|
||||
break;
|
||||
case 'a':
|
||||
warn_address = strdup(optarg);
|
||||
break;
|
||||
default:
|
||||
exit(2);
|
||||
}
|
||||
}
|
||||
|
||||
return check_cert(argv[1], quiet) == 1 ? EXIT_SUCCESS : EXIT_FAILURE;
|
||||
return check_cert(argv[optind], quiet) == 1 ? EXIT_SUCCESS : EXIT_FAILURE;
|
||||
}
|
||||
|
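Review bot: With `if (argc != 2) return 0;` dropped, the final `return check_cert(argv[optind], quiet) == 1 ? ...` runs with a NULL filename whenever no non-option argument remains (argv[argc] is NULL), so `certwatch -q` alone passes NULL into `check_cert`, whose body is outside this hunk and presumably hands it to fopen/strcmp; add after the option loop `if (optind != argc - 1) { fprintf(stderr, "Usage: certwatch [-q] [-p days] [-a address] filename\n"); exit(2); }`. The optstring `"qhvp:"` also disagrees with the option table and the man page added in this commit: `-a` is not accepted as a short option (it falls to `default:` and exits 2), while `h` and `v` are declared but have no case, so `"qp:a:"` is what the switch actually handles. `warn_period = atoi(optarg)` silently accepts non-numeric or negative input; `strtol` with an end-pointer and `errno` check would reject it. `strdup(optarg)` is unchecked for NULL, and since the value is later written verbatim into the `To:` line that `sendmail -t` parses (the `@ -92,14` hunk), it should also be rejected if it contains a newline.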
@ -2,7 +2,8 @@
|
||||
#
|
||||
# Issue warning e-mails if SSL certificates expire, using
|
||||
# certwatch(8). Set NOCERTWATCH=yes in /etc/sysconfig/httpd
|
||||
# to disable.
|
||||
# to disable. Pass additional options to certwatch in the
|
||||
# CERTWATCH_OPTS variable.
|
||||
#
|
||||
|
||||
[ -r /etc/sysconfig/httpd ] && . /etc/sysconfig/httpd
|
||||
@ -27,6 +28,6 @@ test $RETVAL -eq 0 || exit 0
|
||||
|
||||
for c in $certs; do
|
||||
# Check whether a warning message is needed, then issue one if so.
|
||||
/usr/bin/certwatch -q "$c" &&
|
||||
/usr/bin/certwatch "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
|
||||
/usr/bin/certwatch $CERTWATCH_OPTS -q "$c" &&
|
||||
/usr/bin/certwatch $CERTWATCH_OPTS "$c" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
|
||||
done
|
||||
|
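Review bot: `"$c"` directly follows the option words, so a certificate path beginning with `-` would be consumed by getopt_long as an option and both invocations would exit 2 without checking the file; ending option parsing with `--` avoids that: `/usr/bin/certwatch $CERTWATCH_OPTS -q -- "$c"` and the same on the sendmail line. `$CERTWATCH_OPTS` is deliberately unquoted so it word-splits into separate arguments, which is the intent here, but that also exposes it to pathname expansion; a comment such as `# CERTWATCH_OPTS is intentionally unquoted: it holds whitespace-separated certwatch options` would stop a later reader from "fixing" it by quoting and silently passing one argument.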
@ -5,7 +5,7 @@
|
||||
|
||||
<refentryinfo>
|
||||
<productname>crypto-utils</productname>
|
||||
<date>September 2004</date>
|
||||
<date>April 2005</date>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
@ -21,7 +21,7 @@
|
||||
<refsynopsisdiv>
|
||||
<cmdsynopsis>
|
||||
<command>certwatch</command>
|
||||
<arg choice="opt"><option>-q</option></arg>
|
||||
<arg choice="opt">OPTION...</arg>
|
||||
<arg choice="plain"><replaceable>filename</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
</refsynopsisdiv>
|
||||
@ -39,18 +39,52 @@
|
||||
outside its validity period, or approaching expiry. If the
|
||||
certificate cannot be found, or any errors occur whilst parsing
|
||||
the certificate, the certificate is ignored and no output is
|
||||
produced.</para>
|
||||
produced. In quiet mode, no output is given, but the exit status
|
||||
can still be used.</para>
|
||||
|
||||
<para>In quiet mode (when the <literal>-q</literal> argument is
|
||||
given), no output is ever produced.</para>
|
||||
|
||||
</refsect1>
|
||||
|
||||
|
||||
<refsect1>
|
||||
<title>Options</title>
|
||||
|
||||
<variablelist>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--quiet</option> or <option>-q</option></term>
|
||||
|
||||
<listitem><simpara>Enable quiet mode; no output is produced
|
||||
whether the certificate is expired or not</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--period <replaceable>days</replaceable></option>
|
||||
or <option>-p <replaceable>days</replaceable></option></term>
|
||||
|
||||
<listitem><simpara>Specify the number of days within which an
|
||||
expiry warning will be produced; default is 30. Expiry
|
||||
warnings are always produced if, on the day of invocation, the
|
||||
certificate is not yet valid, has already expired, or is due
|
||||
to expire either that day or the following
|
||||
day.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>--address <replaceable>address</replaceable></option>
|
||||
or <option>-a <replaceable>address</replaceable></option></term>
|
||||
|
||||
<listitem><simpara>Specify the address used in the To field of
|
||||
the warning e-mail issued if quiet mode is not enabled. The
|
||||
default is <literal>root</literal>.</simpara></listitem>
|
||||
</varlistentry>
|
||||
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Diagnostics</title>
|
||||
|
||||
<para>In both modes of operation, the exit code indicates the
|
||||
state of the certificate:</para>
|
||||
<para>The exit code indicates the state of the certificate:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
@ -78,7 +112,9 @@
|
||||
imminent expiry of SSL certificates configured for use in the
|
||||
Apache HTTP server. This warning can be disabled by adding the
|
||||
line: <literal>NOCERTWATCH=yes</literal> to the file
|
||||
<filename>/etc/sysconfig/httpd</filename>.</para>
|
||||
<filename>/etc/sysconfig/httpd</filename>. Options to pass to
|
||||
certwatch can be specified in that file in the
|
||||
<literal>CERTWATCH_OPTS</literal> environment variable.</para>
|
||||
|
||||
</refsect1>
|
||||
|
||||
@ -87,5 +123,11 @@
|
||||
|
||||
<para><filename>/etc/cron.daily/certwatch</filename></para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>See also</title>
|
||||
|
||||
<para>genkey(1)</para>
|
||||
</refsect1>
|
||||
|
||||
</refentry>
|
||||
|
@ -4,7 +4,7 @@
|
||||
Summary: SSL certificate and key management utilities
|
||||
Name: crypto-utils
|
||||
Version: 2.2
|
||||
Release: 1
|
||||
Release: 2
|
||||
Source: crypto-rand-%{crver}.tar.gz
|
||||
Source1: genkey.pl
|
||||
Source2: certwatch.c
|
||||
@ -15,7 +15,7 @@ Group: Applications/System
|
||||
License: Various
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-root
|
||||
BuildRequires: openssl-devel, perl, pkgconfig, newt-devel, xmlto
|
||||
Requires: newt-perl, openssl
|
||||
Requires: newt-perl, openssl >= 0.9.7f-4
|
||||
Requires: %(eval `perl -V:version`; echo "perl(:MODULE_COMPAT_$version)")
|
||||
Obsoletes: crypto-rand
|
||||
|
||||
@ -30,8 +30,8 @@ SSL certificates and keys.
|
||||
%configure --with-newt=%{_prefix} CFLAGS="-fPIC $RPM_OPT_FLAGS -Wall"
|
||||
make
|
||||
|
||||
cc $RPM_OPT_FLAGS -Wall -Werror -I/usr/include/openssl -o certwatch \
|
||||
$RPM_SOURCE_DIR/certwatch.c -lcrypto
|
||||
%{_cc} $RPM_OPT_FLAGS -Wall -Werror -I/usr/include/openssl \
|
||||
$RPM_SOURCE_DIR/certwatch.c -o certwatch -lcrypto
|
||||
for m in certwatch.xml genkey.xml; do
|
||||
xmlto man $RPM_SOURCE_DIR/$m
|
||||
done
|
||||
@ -101,6 +101,11 @@ sed -e "s|^\$bindir.*$|\$bindir = \"%{_bindir}\";|" \
|
||||
%{_mandir}/man1/*.1*
|
||||
|
||||
%changelog
|
||||
* Tue Apr 26 2005 Joe Orton <jorton@redhat.com> 2.2-2
|
||||
- add configuration options for certwatch (#152990)
|
||||
- allow passing options in certwatch.cron via $CERTWATCH_OPTS
|
||||
- require openssl with /etc/pki/tls
|
||||
|
||||
* Mon Apr 25 2005 Joe Orton <jorton@redhat.com> 2.2-1
|
||||
- adapt to use /etc/pki
|
||||
|
||||
|
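Review bot: The build line now starts with `%{_cc}`, and if that macro is not defined in the target rpm's macro set it is left unexpanded (or empty), so the shell tries to run a command literally named `%{_cc}` and the build fails. I cannot confirm from this page which macros the build environment defines; the macro rpm itself ships for the C compiler is `%{__cc}`, so verify which one is intended and use it consistently. The `Requires: openssl >= 0.9.7f-4` bump and the changelog entries are fine as they stand.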
10
genkey.xml
10
genkey.xml
@ -5,7 +5,7 @@
|
||||
|
||||
<refentryinfo>
|
||||
<productname>crypto-utils</productname>
|
||||
<date>February 2005</date>
|
||||
<date>April 2005</date>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
@ -102,8 +102,14 @@
|
||||
<refsect1>
|
||||
<title>Files</title>
|
||||
|
||||
<para><filename>/usr/share/ssl/openssl.cnf</filename></para>
|
||||
<para><filename>/etc/pki/tls/openssl.cnf</filename></para>
|
||||
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>See also</title>
|
||||
|
||||
<para>certwatch(8)</para>
|
||||
</refsect1>
|
||||
|
||||
</refentry>
|
||||
|