Debian Bug report logs - #647939
RFP: certwatch -- generate SSL certificate expiry warnings

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: "Karl O. Pinc" <kop@meme.com>

Date: Mon, 7 Nov 2011 21:24:13 UTC

Severity: wishlist


Report forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#647939; Package wnpp. (Mon, 07 Nov 2011 21:24:16 GMT)

Acknowledgement sent to "Karl O. Pinc" <kop@meme.com>:
New Bug report received and forwarded. Copy sent to wnpp@debian.org. (Mon, 07 Nov 2011 21:24:16 GMT)

Message #5 received at submit@bugs.debian.org:

From: "Karl O. Pinc" <kop@meme.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: RFP: certwatch -- generate SSL certificate expiry warnings
Date: Mon, 07 Nov 2011 15:22:40 -0600
Package: wnpp
Severity: wishlist

This is handy.  I wrote my own, but why re-invent the wheel?

DESCRIPTION
       The certwatch program is used to issue warning mail when an SSL
       certificate is about to expire.

It's part of the RH crypto-utils package.  This includes genkey:

DESCRIPTION
       genkey is an interactive command-line tool which can be used to
       generate SSL certificates or Certificate Signing Requests (CSR).

which might also be handy.  (I tend to use the easy-rsa tool that's part
of openvpn.)  If you do include genkey you might consider using the
crypto-utils package name and keep things more or less in sync with
RH.


* Package name    : certwatch
  Version         : 2.4.1
  Upstream Author : RedHat, Inc.
* URL             : https://admin.fedoraproject.org/pkgdb/acls/name/crypto-utils
* License         : GPLv2 with SSL exception, perhaps others for genkey
  Programming Lang: C, but genkey is perl
  Description     : generate SSL certificate expiry warnings

The certwatch program is used to issue warning mail when an SSL
certificate is about to expire.




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#647939; Package wnpp. (Wed, 09 Nov 2011 21:42:45 GMT)

Acknowledgement sent to "Karl O. Pinc" <kop@meme.com>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 09 Nov 2011 21:42:45 GMT)

Message #10 received at 647939@bugs.debian.org:

From: "Karl O. Pinc" <kop@meme.com>
To: 647939@bugs.debian.org
Subject: The /etc/cron.daily/certwatch script looks useful too
Date: Wed, 09 Nov 2011 15:07:20 -0600
Hi,

The RH cron.daily script queries httpd (apache) for
certificates to check.  So this is handy too -- if the only
certs are for apache.

Regards,

Karl <kop@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein





Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#647939; Package wnpp. (Tue, 05 Feb 2013 09:27:06 GMT)

Acknowledgement sent to Joachim Breitner <nomeata@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Tue, 05 Feb 2013 09:27:06 GMT)

Message #15 received at 647939@bugs.debian.org:

From: Joachim Breitner <nomeata@debian.org>
To: 647939@bugs.debian.org
Cc: "Karl O. Pinc" <kop@meme.com>
Subject: Re: RFP: certwatch -- generate SSL certificate expiry warnings
Date: Tue, 05 Feb 2013 10:23:27 +0100
Hi,

today I was thinking about implementing a similar tool, and uploading it
to Debian. I’d do a few things differently:
 * I’d simply process all certificates found in /etc, i.e. every file
called .pem or .crt that seems to be an SSL certificate. This way, certs
used by mail and jabber servers are also found.
 * I’d send a report only if any cert is about to expire, but in that
case, send one mail containing every cert that is about to expire;
likely several certs expire together. And just for good measure, the
report would include the times to expiration for all found certs, to
give the admin a better overview of what certs are there (and what certs
are found).
 * I’d include a nagios-check-compatible invocation as well.
 * I’d not run a daily check for things that expire in a month; weekly
sounds more useful here.

If these would be added to certwatch I’d be interested in maintaining
them for Debian.

Greetings,
Joachim

-- 
Joachim "nomeata" Breitner
Debian Developer
  nomeata@debian.org | ICQ# 74513189 | GPG-Keyid: 4743206C
  JID: nomeata@joachim-breitner.de | http://people.debian.org/~nomeata

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#647939; Package wnpp. (Tue, 05 Feb 2013 11:57:03 GMT)

Acknowledgement sent to Carlos Alberto Lopez Perez <clopez@igalia.com>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Tue, 05 Feb 2013 11:57:03 GMT)

Message #20 received at 647939@bugs.debian.org:

From: Carlos Alberto Lopez Perez <clopez@igalia.com>
To: Joachim Breitner <nomeata@debian.org>, 647939@bugs.debian.org
Cc: "Karl O. Pinc" <kop@meme.com>
Subject: Re: Bug#647939: RFP: certwatch -- generate SSL certificate expiry warnings
Date: Tue, 05 Feb 2013 12:52:29 +0100
On 05/02/13 10:23, Joachim Breitner wrote:
> Hi,
> 
> today I was thinking about implementing a similar tool, and uploading it
> to Debian. I’d do a few things differently:
>  * I’d simply process all certificates found in /etc, i.e. every file
> called .pem or .crt that seems to be an SSL certificate. This way, certs
> used by mail and jabber servers are also found.
>  * I’d send a report only if any cert is about to expire, but in that
> case, send one mail containing every cert that is about to expire;
> likely several certs expire together. And just for good measure, the
> report would include the times to expiration for all found certs, to
> give the admin a better overview of what certs are there (and what certs
> are found).
>  * I’d include a nagios-check-compatible invocation as well.
>  * I’d not run a daily check for things that expire in a month; weekly
> sounds more useful here.
> 
> If these would be added to certwatch I’d be interested in maintaining
> them for Debian.
> 
> Greetings,
> Joachim
> 

I have a shell script that I have been using for a while on my servers
with success.

I drop it in /etc/cron.weekly and configure the directories to scan and
the mail address to send the notifications.

It just checks the certificates that are going to expire in the next 30
days (with openssl) and sends a warning.


I attach it here, just in case you or anybody else finds it useful.


Regards!
[checkcertsexpiration (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]
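
The approach discussed in the two messages above (scan a tree for .pem/.crt files, skip anything that is not a certificate, list every certificate found, stay quiet unless something is due, and offer a Nagios-compatible exit status), as an added example. It is neither the attached checkcertsexpiration script nor certwatch; the function names `check_certs` and `cron_report` are made up here, and only the first certificate in a multi-certificate file is checked.

```shell
#!/bin/sh
# Added example, not the script attached to this bug report.
# check_certs DIR [DAYS]: report every certificate under DIR, one line each.
# Exit status follows the Nagios plugin convention: 0 OK, 1 WARNING, 2 CRITICAL.
check_certs() {
    dir=$1
    warn_days=${2:-30}                 # 30 days is the window mentioned in the thread
    warn_secs=$((warn_days * 86400))
    status=0 count=0 report=
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        # Skip files that are not X.509 certificates (e.g. a .pem holding only a key).
        openssl x509 -noout -in "$f" >/dev/null 2>&1 || continue
        count=$((count + 1))
        end=$(openssl x509 -noout -enddate -in "$f" | cut -d= -f2)
        if ! openssl x509 -noout -checkend 0 -in "$f" >/dev/null 2>&1; then
            state=CRITICAL; status=2                         # already expired
        elif ! openssl x509 -noout -checkend "$warn_secs" -in "$f" >/dev/null 2>&1; then
            state=WARNING; [ "$status" -eq 2 ] || status=1   # expires inside the window
        else
            state=OK
        fi
        report="$report$state $f (notAfter: $end)
"
    done <<EOF
$(find "$dir" -type f \( -name '*.pem' -o -name '*.crt' \) 2>/dev/null | sort)
EOF
    case $status in 0) label=OK ;; 1) label=WARNING ;; *) label=CRITICAL ;; esac
    printf 'CERTS %s: %s checked, warning window %s days\n%s' \
        "$label" "$count" "$warn_days" "$report"
    return "$status"
}

# cron_report DIR [DAYS]: print the full report only when something needs attention.
# cron mails any output to MAILTO, so a quiet run sends no mail.
cron_report() {
    out=$(check_certs "$@") || printf '%s\n' "$out"
}
```

A monitoring system would call `check_certs /etc 30` directly and use the exit status; a file in /etc/cron.weekly would call `cron_report /etc 30`.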


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 11:26:13 2014; Machine Name: beach.debian.org
