SSL certificate expiration check has been added to the daily maintenance.

2026-02-16 20:20:19 +01:00
parent 3963be4ce5
commit 3827481a0a
4 changed files with 1065 additions and 3 deletions
--- a/tools/check_certificates
+++ b/tools/check_certificates
@@ -0,0 +1,95 @@
+#!/bin/bash
+#
+# A humble script to check the expiration of this web service certificates.
+# It uses the ssl-cert-check worker utility, which should be somewhere in path.
+# Sends an email notification when any certificate is about to expire.
+# See https://github.com/Matty9191/ssl-cert-check for details.
+#
+# Author: Kovács Zoltán <kovacsz@marcusconsulting.hu>
+# 2026-02-16 v0.1 Initial release
+
+# Accepted environment variables and their defaults.
+PAR_BASEDIR=${PAR_BASEDIR:-""}                  # Service's base folder
+
+# Other initialisations.
+ALERTEMAIL="$USER@$HOSTNAME"			# Alert notification recipient
+ALERTEXPIRY=14					# Days to alert before expiry
+CERTFILES="-name *.cer -o -name *.crt -o -name *.pem"
+CERTFOLDERS="configs/acme configs/certs"	# Files and folders to check
+WORKERNAME="ssl-cert-check"			# The 3rd party worker script
+YMLFILE="docker-compose.yml"
+
+# Messages.
+MSG_MISSINGDEP="Fatal: missing dependency"
+MSG_MISSINGYML="Fatal: didn't find the docker-compose.yml file"
+
+# Basic environment settings.
+LANG=C
+LC_ALL=C
+
+# Checks the dependencies.
+TR=$(which tr 2>/dev/null)
+if [ -z "$TR" ]; then echo "$MSG_MISSINGDEP tr."; exit 1 ; fi
+for item in basename dirname find readlink
+do
+    if [ -n "$(which $item)" ]
+    then export $(echo $item | "$TR" '[:lower:]' '[:upper:]' | "$TR" '-' '_')=$(which $item)
+    else echo "$MSG_MISSINGDEP $item." >&2; exit 1; fi
+done
+# All dependencies are available via "$THECOMMAND" (upper case) call.
+
+# Where I'm?
+# https://gist.github.com/TheMengzor/968e5ea87e99d9c41782
+SOURCE="${BASH_SOURCE[0]}"
+while [ -h "$SOURCE" ]; do
+    # resolve $SOURCE until the file is no longer a symlink
+    SCRPATH="$( cd -P "$( "$DIRNAME" "$SOURCE" )" && pwd )" #"
+    SOURCE="$("$READLINK" "$SOURCE")"
+    # if $SOURCE was a relative symlink, we need to resolve it
+    # relative to the path where the symlink file was located
+    [[ $SOURCE != /* ]] && SOURCE="$SCRPATH/$SOURCE"
+done; SCRPATH="$( cd -P "$( "$DIRNAME" "$SOURCE" )" && pwd )" #"
+SCRFILE="$("$BASENAME" "$(test -L "$0" && "$READLINK" "$0" || echo "$0")")" #"
+
+# Searches the base folder, containing a docker-compose.yml file.
+# Called from the base folder (./)?
+BASE_DIR="$PAR_BASEDIR"
+TEST_DIR="$SCRPATH"
+[[ -z "$BASE_DIR" ]] && [[ -r "$TEST_DIR/$YMLFILE" ]] && BASE_DIR="$TEST_DIR"
+# Called from ./tools?
+TEST_DIR="$("$DIRNAME" "$TEST_DIR")"
+[[ -z "$BASE_DIR" ]] && [[ -r "$TEST_DIR/$YMLFILE" ]] && BASE_DIR="$TEST_DIR"
+# Called from ./tools/*.d?
+TEST_DIR="$("$DIRNAME" "$TEST_DIR")"
+[[ -z "$BASE_DIR" ]] && [[ -r "$TEST_DIR/$YMLFILE" ]] && BASE_DIR="$TEST_DIR"
+# On failure gives it up here.
+if [ -z "$BASE_DIR" -o ! -r "$BASE_DIR/$YMLFILE" ]; then
+    echo "$MSG_MISSINGYML" >&2; exit 1
+fi
+
+# Locates the worker script.
+WORKERSCRIPT="$SCRPATH/$WORKERNAME"
+[[ ! -x "$WORKERSCRIPT" ]] && WORKERSCRIPT="$(which "$WORKERNAME")"
+[[ ! -x "$WORKERSCRIPT" ]] \
+&& echo -e "$MSG_MISSINGDEP $WORKERNAME." >&2 \
+&& exit 1
+
+# Collects the certificates to be check.
+certificates=""
+for folder in $CERTFOLDERS ""
+do
+    if [ -n "$folder" ]; then
+	certificates+="$("$FIND" "$BASE_DIR/$folder" \( $CERTFILES  \) 2>/dev/null) "
+    fi
+done
+
+# Enumerates and checks the collected certificates.
+# Sends an email notification when expiration is approaching.
+for cert in $certificates ""
+do
+    if [ -n "$cert" ]; then
+	"$WORKERSCRIPT" -c "$cert" -x $ALERTEXPIRY -qae "$ALERTEMAIL"
+    fi
+done
+
+# That's all, Folks! :)
--- a/tools/maintenance_daily
+++ b/tools/maintenance_daily
@@ -10,8 +10,10 @@
 # Author: Kovács Zoltán <kovacs.zoltan@smartfront.hu>
 #         Kovács Zoltán <kovacsz@marcusconsulting.hu>
 # License: GNU/GPL v3+ (https://www.gnu.org/licenses/gpl-3.0.en.html)
+# 2026-02-16 v1.1
+# new: It now also calls the SSL web certificate expiration checker utility.
 # 2023-06-18 v1.0
-# new: forked from the "Smartfront's DOCKER_skeleton" repository.
+# new: Forked from the "Smartfront's DOCKER_skeleton" repository.
 # 2021-09-14 v0.2
 # add: Checks the SSL web certificate (if any), renews it if necessary.
 # 2021-09-01 v0.1 Initial release
@@ -24,7 +26,7 @@
 # Where I'm?
 SCRPATH="$( cd -P "$( "$(which dirname)" "$0" )" && echo "$PWD" )"

-# Checks the SSL web certificate, renews it if necessery.
+# Checks the ACME-handled SSL web certificates, renews them if necessery.
 #
 # Uses the acme wrapper script located in the same directory.
 ACME="$SCRPATH/acme"
@@ -32,7 +34,17 @@ ACMELOG="$($(which dirname) "$SCRPATH")/logs/web/acme.log"
 if [ -n "$ACME" -a -x "$ACME" ]; then
    "$ACME" --cron >> "$ACMELOG" 2>&1
 fi
-# Done with the certificate.
+# Done with the ACME certificates.
+
+# Checks all SSL web certificates (ACME-handled or not) for expiration.
+# Checks the expiration of all certificates (including ACME-handled
+# and non-handled ones).
+#
+CHECKCERT="$SCRPATH/check_certificates"
+if [ -n "$CHECKCERT" -a -x "$CHECKCERT" ]; then
+    "$CHECKCERT"
+fi
+# Done with certificates.

 # Daily backup operations.
 #