Always finding out after the fact, always finding out after the fact. The current situation is that whatever problem appears, there is no way to raise an early warning or step in before the customer notices. This morning, while chatting with the R&D manager, I had a sudden idea and wrote this script, hoping to use it as a starting point for early warning.
I took the realibox.cn certificate from the production k8s cluster and set up a daemon test case in the pre-release environment.
```
# pwd
/yufa/zhengshu/test
# ll
total 32
-rw-r--r--  1 root  wheel   465B  9  9 09:50 test-ingress.yaml
-rw-r--r--  1 root  wheel   711B  9  9 09:47 test.yaml
-rw-r--r--  1 root  wheel   3.5K  9  9 09:24 tls.crt
-rw-r--r--  1 root  wheel   1.6K  9  9 09:25 tls.key
# kubectl -n realibox create secret tls realibox-cn --key ./tls.key --cert ./tls.crt
# cat test.yaml
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: realibox
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  - name: ajp
    port: 8009
    targetPort: 8009
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: realibox
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        image: tomcat:7-alpine
        ports:
        - name: httpd
          containerPort: 8080
        - name: ajp
          containerPort: 8009
# cat test-ingress.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: realibox
  annotations:
    kubernetes.io/ingress.class: "kong"   # the original had the typo "kubernets.io", which the ingress controller ignores
spec:
  tls:
  - hosts:
    - "*.realibox.cn"        # must match the domain in the secret's certificate
    secretName: realibox-cn  # name of the TLS secret
  rules:
  - host: zisefeizhu.realibox.cn
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080
```
Without further ado, straight to the script.
```bash
# cat check_daemon.sh
#!/bin/bash
source /etc/profile

# Define the mail recipient list
maillist=(
linkun@realibox.com
#2350835860@qq.com
)

# Mail-sending function: $1 = domain, $2 = days remaining
send_mail(){
  SUBJECT="$1域名即將到期"
  if [ "$2" -ge 0 ];then
    CONTENT="$1:此域名即將到期,剩餘時間已不足$2天,請及時續期!"
    for mail in "${maillist[@]}";do
      echo -e "當前檢測的域名: $domain\n剩餘天數: $days\n${CONTENT}" | mail -s "${SUBJECT}" "$mail"
    done
  else
    day=$((-$2))
    CONTENT="$1:此域名已到期,已超出$day天,請及時續費!"
    for mail in "${maillist[@]}";do
      echo -e "${CONTENT}" | mail -s "${SUBJECT}" "$mail"
    done
  fi
}

# Check whether the mail command exists; if not, install the package that provides it (mailx on CentOS)
is_install_mail() {
  if ! which mail &> /dev/null;then
    yum install -y mailx
  fi
}
is_install_mail

# Define the list of domains to check
domainlist=(
zisefeizhu.realibox.cn
)

# Check each domain's certificate expiry and notify
for domain in "${domainlist[@]}";do
  echo "當前檢測的域名:" $domain
  # Fetch the certificate's notAfter date from a TLS handshake
  end_time=$(echo | timeout 1 openssl s_client -servername "$domain" -connect "$domain":443 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | awk -F '=' '{print $2}')
  # An empty result means the handshake or the parse failed ($? only reflects awk here, so test the value itself);
  # note that this aborts the whole run, so later domains in the list are not checked
  [[ -z "$end_time" ]] && exit 10
  # Convert the expiry date to a timestamp
  end_times=$(date -d "$end_time" +%s)
  # Current time as a timestamp
  current_times=$(date +%s)
  # Days remaining before the certificate expires
  left_time=$((end_times - current_times))
  days=$((left_time / 86400))
  echo "剩餘天數: " $days
  if [ "$days" -lt 100 ]; then
    echo "https 證書有效期少於100天,存在風險"
    send_mail "$domain" "$days"
  fi
done
```
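As an added example, not the page's script, here is the same expiry check in Python using only the standard library. It differs in two ways worth having in a monitor: the handshake verifies the chain and hostname (the bare `openssl` pipeline does not), and a failed or unverifiable handshake is reported as its own status instead of ending the run. The domain and the 100-day threshold are taken from the page; the `now` parameter is an assumption added so the day arithmetic can be checked against fixed dates.

```python
import socket
import ssl
import time

WARN_DAYS = 100  # alert threshold, same as the page's script


def fetch_not_after(domain, port=443, timeout=5.0):
    """Return the leaf certificate's notAfter string, e.g. 'Nov 21 08:00:00 2020 GMT'.

    The default context verifies chain and hostname, so a broken chain raises
    ssl.SSLCertVerificationError instead of silently yielding an empty result.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((domain, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return tls.getpeercert()["notAfter"]


def days_left(not_after, now=None):
    """Whole days from `now` (epoch seconds, default: current time) until notAfter.

    Floor division is used, so any moment past expiry yields a negative value.
    """
    if now is None:
        now = time.time()
    end = ssl.cert_time_to_seconds(not_after)  # parses the GMT notAfter format
    return int((end - now) // 86400)


def classify(days, warn_days=WARN_DAYS):
    """Status used for the alert subject: 'expired', 'expiring' or 'ok'."""
    if days < 0:
        return "expired"
    return "expiring" if days < warn_days else "ok"


def check_domain(domain, now=None):
    """Check one domain; returns (status, days), with days None if the handshake failed."""
    try:
        not_after = fetch_not_after(domain)
    except OSError as exc:  # ssl.SSLError and socket errors are both OSError subclasses
        # a failed or unverifiable handshake deserves an alert of its own
        return ("unreachable: " + exc.__class__.__name__, None)
    days = days_left(not_after, now)
    return (classify(days), days)


if __name__ == "__main__":
    for d in ["zisefeizhu.realibox.cn"]:  # domain from the page
        print(d, *check_domain(d))
```

Feed the `(status, days)` pair into the mail step; `status` other than `ok` is the alert condition.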
Install postfix:

```
# yum -y install postfix
# systemctl enable postfix
```

Configure the sending mailbox:

```
# vim /etc/mail.rc
......
add the following:
set from=1xxxxxx91@163.com
set smtp=smtp.163.com
set smtp-auth-user=1xxxxxx91@163.com
set smtp-auth-password=ZXUxxxxExxCSQ
set smtp-auth=login
```

```
# systemctl start postfix
# echo "test" |mail -s "tesc message" 23xxxxx60@qq.com
could not connect: 鏈接超時
"/root/dead.letter" 11/308
. . . message not sent.
```

Reason for the timeout: Alibaba Cloud servers have port 25 closed, so the mail connection cannot reach the server, and the provider does not permit opening that port.
NetEase 163 free mailbox server information:
So, short of switching mail providers (one whose port is not 25: either a foreign one that is hard to sign up for, or a paid one, so check your wallet...)
Taking NetEase 163 mail as an example, use port 465 over SSL.
Request the digital certificate:

```
mkdir -p /root/.certs/
echo -n | openssl s_client -connect smtp.163.com:465 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ~/.certs/163.crt
certutil -A -n "GeoTrust SSL CA" -t "C,," -d ~/.certs -i ~/.certs/163.crt
```

Modify the mail sender settings:

```
# vim /etc/mail.rc
......
change/add the following:
set from=1xxxxxx91@163.com
set smtp=smtps://smtp.163.com:465
set smtp-auth-user=1xxxxxx91@163.com
set smtp-auth-password=ZXxxxGWRxxxCSQ
set smtp-auth=login
# ignore skips verification of the 163 server certificate; once the CA is imported into nss-config-dir, strict is the safer value
set ssl-verify=ignore
set nss-config-dir=/root/.certs
# this file holds the SMTP password in clear text, so keep it readable by root only
```

Restart and test:

```
# systemctl restart postfix
# echo "test" |mail -s "title" linkun@realibox.com
```
Log in to the mailbox to verify.
Hmm. It was received, but there was an error.
The certificate is not trusted, and the command line hangs there; a keypress is needed before the prompt reappears:

```
# Error in certificate: Peer's certificate issuer is not recognized.
```

Fixing this:

```
# cd /root/.certs/
# ll
總用量 80
-rw-r--r-- 1 root root  2415 9月   9 13:31 163.crt
-rw------- 1 root root 65536 9月   9 13:35 cert8.db
-rw------- 1 root root 16384 9月   9 13:35 key3.db
-rw------- 1 root root 16384 9月   9 13:31 secmod.db
# certutil -A -n "GeoTrust SSL CA - G3" -t "Pu,Pu,Pu" -d ./ -i 163.crt
```

Problem solved.
Run the script:
```
sh check_daemon.sh
當前檢測的域名: zisefeizhu.rxxxxx.cn
剩餘天數: 73
剩餘天數: 73
https 證書有效期少於100天,存在風險
```
Verify:
👌!
```
# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
#Timing execution /root/scripts/check_daemon.sh
0 2 * * * root sh /root/scripts/check_daemon.sh
```