Utility to assist in keeping track of validity of TLS certificates and DNSSEC signatures
fsoderblom/chkexp
chkexp

Utility to assist in keeping track of the validity of TLS certificates and DNSSEC signatures.

How to install

Copy files

Copy the relevant files to /opt/chkexp/bin and make sure they have the correct owner and permissions:

# mkdir -p /opt/chkexp/bin
# cp chkexp dnssec-chkexp tls-chkexp /opt/chkexp/bin
# chmod -R 555 /opt/chkexp
# chown -R root:root /opt/chkexp

Add checks

Copy the distributed example file, chkexp.conf, to /etc/opt/chkexp/chkexp.conf and modify it to add the checks you need (the directory does not exist on a fresh system, so create it first):

# mkdir -p /etc/opt/chkexp
# cp chkexp.conf /etc/opt/chkexp/chkexp.conf

To add a check of the TLS certificate on an SMTP MTA and a check of the validity of the DNSSEC signatures on a zone, one might add something like:

%CFG = (
    'DNSSEC' => {
        'domain.se' => {
            'threshold'  => '24',
            'contact'    => '[email protected]',
        }
    },
    'SMTP' => {
        'domain.se' => {
            'threshold'  => '30',
            'contact'    => '[email protected],[email protected]',
        },
        'smtp.domain.se' => {
            'threshold'  => '30',
            'contact'    => '[email protected],[email protected]',
            'type'       => 'host',
        },
    }
);

The "type" directive is optional and defaults to 'mx' if it is missing from the configuration.

Make sure to check the validity of the file afterwards by running "perl -c ./chkexp.conf"; it should say something like:

$ perl -c ./chkexp.conf
./chkexp.conf syntax OK
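"perl -c" only proves that the file parses; it says nothing about whether the entries make sense. The following script is an added example, not part of chkexp: it loads a chkexp.conf the same way a Perl program would, checks each entry against the rules described above (positive threshold, at least one contact address, type 'mx' or 'host' with 'mx' as default) and prints the check command each entry implies. The mapping from config keys to dnssec-chkexp/tls-chkexp options is inferred from the "Test the installation" output and is an assumption, as is the default config path.

```perl
#!/usr/bin/perl
# Added example, not part of chkexp: load a chkexp.conf, sanity-check every
# entry and print the check command each one implies. The mapping from config
# keys to dnssec-chkexp/tls-chkexp options is inferred from the "Test the
# installation" output and is an assumption, as is the default path.
use strict;
use warnings;

our %CFG;                      # populated by the config file
my $conf = shift @ARGV // '/etc/opt/chkexp/chkexp.conf';
my $bin  = '/opt/chkexp/bin';

# 'do' runs the file as Perl code in package main, so its "%CFG = (...)"
# fills our hash; a syntax error surfaces here just as with "perl -c".
do $conf or die "cannot load $conf: " . ($@ || $!) . "\n";

my $errors = 0;
for my $section (sort keys %CFG) {
    unless ($section eq 'DNSSEC' || $section eq 'SMTP') {
        warn "unknown section '$section' (expected DNSSEC or SMTP)\n";
        $errors++;
        next;
    }
    for my $name (sort keys %{ $CFG{$section} }) {
        my $e = $CFG{$section}{$name};
        my @bad;
        # threshold: warn when fewer than this many days of validity remain
        push @bad, 'threshold must be a positive integer'
            unless defined $e->{threshold} && $e->{threshold} =~ /^[1-9]\d*$/;
        # contact: one or more comma-separated mail addresses
        push @bad, 'contact missing or not a list of mail addresses'
            unless defined $e->{contact} && length $e->{contact}
                && !grep { !/\@/ } split /,/, $e->{contact};
        my $type = $e->{type} // 'mx';              # documented default
        push @bad, "type '$type' must be 'mx' or 'host'"
            unless $type eq 'mx' || $type eq 'host';
        if (@bad) {
            warn "$section/$name: $_\n" for @bad;
            $errors++;
            next;
        }
        my $cmd = $section eq 'DNSSEC'
            ? "$bin/dnssec-chkexp -v --warn=$e->{threshold} $name"
            : "$bin/tls-chkexp -v --warn=$e->{threshold} --type=$type --delay=0 --smtp $name";
        printf "%-6s %-16s -> %s\n", $section, $name, $cmd;
    }
}
exit($errors ? 1 : 0);
```

Pass the config as an absolute path or with a leading "./" (for example "./chkexp.conf"), since recent Perl versions no longer let "do" search the current directory for a bare filename.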

Create a harmless user

In our example we create a mostly harmless user called "chkexp" to run the checks.

# useradd chkexp

crontab entry

Create a crontab entry for the new user so that the "chkexp" script runs at least once a day; the example below runs the check every day at 7:05 in the morning.

# crontab -u chkexp <<!EOF!
# m h  dom mon dow   command
5 7 * * * /opt/chkexp/bin/chkexp --alert >/dev/null 2>&1
!EOF!

Test the installation

Do a manual test to see that everything is working as expected:

$ /opt/chkexp/bin/chkexp -v domain.se
Running test "/opt/chkexp/bin/dnssec-chkexp  -v --warn=24 domain.se" -- passed
domain.se is delegated to a.dns.se (10.20.30.19)
domain.se is delegated to c.dns.se (10.30.40.2)
domain.se is delegated to b.dns.se (192.168.100.95)
10.20.30.19: zone "domain.se" verified with signature made with key 61821.
10.30.40.2: zone "domain.se" verified with signature made with key 61821.
192.168.100.95: zone "domain.se" verified with signature made with key 61821.

Running test "/opt/chkexp/bin/tls-chkexp  -v --warn=30 --delay=0 domain.se" -- passed
INFO: Certificate expires in 586 days. (expires on Sep 25 06:40:08 2016 GMT)

Running test "/opt/chkexp/bin/tls-chkexp  -v --warn=30 --type=mx --delay=0 --smtp domain.se" -- passed
INFO: Certificate expires in 586 days. (expires on Sep 25 06:40:08 2016 GMT)

Done

If you got this far, you should be done.

Contributors

Victor Johansson
