add ovpn-cert-expiration.sh

README.md

@@ -7,6 +7,7 @@ Small tools needed to solve immediate tasks independently or as part of a projec
 * [`confutil`.py](https://git.hmp.today/pavel.muhortov/utils#confutil-py)
 * [`sendmail`.py](https://git.hmp.today/pavel.muhortov/utils#sendmail-py)
 * [`simplewc`.py](https://git.hmp.today/pavel.muhortov/utils#simplewc-py)
+* [`ovpn-cert-expiration`.sh](https://git.hmp.today/pavel.muhortov/utils#ovpn-cert-expiration-sh)
 * [`ovpn-client-management`.sh](https://git.hmp.today/pavel.muhortov/utils#ovpn-client-management-sh)
 * [`ovpn-connect-handling`.sh](https://git.hmp.today/pavel.muhortov/utils#ovpn-connect-handling-sh)
 * [`wg-client-management`.sh](https://git.hmp.today/pavel.muhortov/utils#wg-client-management-sh)
@@ -223,6 +224,41 @@ chmod u+x ./simplewc.py
 
 ____
 
+## `ovpn-cert-expiration`.sh
+
+**Description:**  
+> Checking openvpn server certificates expiration and preparing stats for monitoring.  
+
+**Dependencies:**  
+>
+> * privileged rights
+> * [openssl](https://www.openssl.org/) (tested version 1.1.1k on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
+
+|  POSITION | PARAMETERS   |       DESCRIPTION      |    DEFAULT    |
+|-----------|--------------|------------------------|---------------|
+|     1     |**[qn]**|execution without pauses||
+|     2     |**[/path/to/conf]**|openvpn server config file path|/etc/openvpn/server/server.conf|
+
+Example usage:  
+
+```bash
+# download
+sudo wget https://git.hmp.today/pavel.muhortov/utils/raw/branch/master/ovpn-cert-expiration.sh -O /etc/openvpn/server/ovpn-cert-expiration.sh
+sudo chmod +x /etc/openvpn/server/ovpn-cert-expiration.sh
+```
+
+```bash
+# sudo crontab -e
+0 * * * * bash /etc/openvpn/server/ovpn-cert-expiration.sh qn
+```
+
+```bash
+# check stats
+watch cat /var/log/openvpn/ovpn-cert-expiration.log
+```
+
+____
+
 ## `ovpn-client-management`.sh
 
 **Description:**  
@@ -230,6 +266,7 @@ ____
 
 **Dependencies:**  
 >
+> * privileged rights
 > * chpasswd
 > * [openvpn](https://openvpn.net/) (tested version 2.5.1 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
 > * [easy-rsa](https://github.com/OpenVPN/easy-rsa) (tested version 3.0.8 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
@@ -329,6 +366,7 @@ ____
 
 **Dependencies:**  
 >
+> * privileged rights
 > * [wireguard](https://www.wireguard.com/) (tested version 1.0.2 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
 > * [qrencode](https://github.com/fukuchi/libqrencode) (tested version 4.1.1 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))
 > * [grepcidr](https://github.com/ryantig/grepcidr) (tested version 2.0 on [Debian GNU/Linux 11](http://ftp.debian.org/debian/dists/bullseye/))

ovpn-cert-expiration.sh

@@ -0,0 +1,149 @@
+#! /bin/bash
+
+# DESCRIPTION:
+#   checking openvpn server certificates expiration
+#   and
+#   preparing stats for monitoring
+#
+# DEPENDENCIES:
+#   - privileged rights
+#   - openssl
+#
+# PARAMETERS:
+#   1: "qn" - execution without pauses
+#   2: openvpn server config file path
+#
+# FUNCTIONS:
+#
+
+#######################################
+# Print message and add to log.
+# Globals:
+#   logs
+# Arguments:
+#   1: message to print and logging
+#######################################
+addtologs() {
+  echo "$(date +'%Y.%m.%d-%H:%M:%S') $1" | tee -a "${logs}"
+}
+
+#######################################
+# Waiting for press [ENTER].
+# Globals:
+#   None
+# Arguments:
+#   None
+#######################################
+execpause() {
+  read -r -p "Press [ENTER] to continue... "
+}
+
+#######################################
+# Exit procedure.
+# Globals:
+#   show
+# Arguments:
+#   None
+#######################################
+execquite() {
+  addtologs "execution time is $(($(date +%s)-time)) seconds, exit"
+  if [ "${show}" != "qn" ]; then
+    execpause
+  fi
+  exit
+}
+
+#######################################
+# Error exit procedure
+# Globals:
+#   None
+# Arguments:
+#   1: message to print and logging
+#######################################
+execerror() {
+  addtologs "error: $1"
+  execquite
+}
+
+#######################################
+# Parsing config file and creating global vars.
+# Globals:
+#   None
+# Arguments:
+#   None
+#######################################
+getconfig() {
+  cacrpath=$(grep ^ca "${conf}" | cut -d' ' -f2)
+  certpath=$(grep ^cert "${conf}" | cut -d' ' -f2)
+  statfile="$(dirname "$(grep ^log /etc/openvpn/server/server.conf | cut -d' ' -f2)")/$(basename -s .sh "$0").log"
+}
+
+#######################################
+# Checking user rights.
+# Globals:
+#   None
+# Arguments:
+#   None
+# return:
+#   0 - if privileged rights, 1 - if not privileged rights
+#######################################
+checkroot() {
+  if [ "${EUID}" -ne 0 ]; then
+    return 1 # false
+  else
+    return 0 # true
+  fi
+}
+
+#######################################
+# Print certificate expiration date in epoch
+# Globals:
+#   None
+# Arguments:
+#   1: certificate path
+#######################################
+checkcert() {
+  printf '%s\n' "$(date -d "$(openssl x509 -text -noout -in "${1}" | grep 'Not After' | cut -d':' -f2-)" +%s)"
+}
+
+#
+# VARIABLES:
+#
+
+show=$1
+conf=$2
+logs=/dev/null
+if [ -z "${conf}" ] || [ "${conf}" == "-" ]; then
+  conf=/etc/openvpn/server/server.conf
+fi
+
+time=$(date +%s)
+cd "$(dirname "$(realpath "$0")")" || execerror
+if [ ! -e "${conf}" ]; then
+  execerror "${conf} not found"
+else
+  getconfig
+fi
+
+if ! command -v openssl &> /dev/null; then
+  execerror "Not found dependencies"
+fi
+
+#
+# MAIN:
+#
+
+if checkroot; then
+  cacrtime=$(checkcert "${cacrpath}")
+  certtime=$(checkcert "${certpath}")
+  cacrremain=$(( cacrtime - time ))
+  certremain=$(( certtime - time))
+  addtologs "${cacrpath} remains only ${cacrremain} seconds"
+  addtologs "${certpath} remains only ${certremain} seconds"
+  printf '%s\n' "ca=${cacrremain}" > "${statfile}"
+  printf '%s\n' "cert=${certremain}" >> "${statfile}"
+  addtologs  "stats wrote to ${statfile}"
+  execquite
+else
+  execerror "Restart this as root!"
+fi