1
0
docker-letsencrypt-nginx-pr.../app/cert_status
2020-03-23 08:20:46 +01:00

75 lines
2.5 KiB
Bash
Executable File

#!/bin/bash
function print_cert_info {
local enddate
local subject
local san_str
# Get the wanted informations with OpenSSL.
issuer="$(openssl x509 -noout -issuer -in "$1" | sed -n 's/.*CN = \(.*\)/\1/p')"
enddate="$(openssl x509 -noout -enddate -in "$1" | sed -n 's/notAfter=\(.*$\)/\1/p')"
subject="$(openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN = \([a-z0-9.-]*\)/- \1/p')"
san_str="$(openssl x509 -text -in "$1" | grep 'DNS:')"
echo "Certificate was issued by $issuer"
if [[ "$2" == "expired" ]]; then
echo "Certificate was valid until $enddate"
else
echo "Certificate is valid until $enddate"
fi
echo "Subject Name:"
echo "$subject"
# Display the SAN info only if there is more than one SAN domain.
while IFS=',' read -ra SAN; do
if [[ ${#SAN[@]} -gt 1 ]]; then
echo "Subject Alternative Name:"
for domain in "${SAN[@]}"; do
echo "$domain" | sed -n 's/.*DNS:\([a-z0-9.-]*\)/- \1/p'
done
fi
done <<< "$san_str"
}
echo '##### Certificate status #####'
for cert in /etc/nginx/certs/*/fullchain.pem; do
[[ -e "$cert" ]] || continue
if [[ -e "${cert%fullchain.pem}chain.pem" ]]; then
# Verify the certificate with OpenSSL.
if verify=$(openssl verify -CAfile "${cert%fullchain.pem}chain.pem" "$cert" 2>&1); then
echo "$verify"
# Print certificate info.
print_cert_info "$cert"
else
echo "${cert}: EXPIRED"
# Print certificate info.
print_cert_info "$cert" "expired"
fi
else
echo "${cert}: no corresponding chain.pem file, unable to verify certificate"
# Print certificate info.
print_cert_info "$cert"
fi
# Find the .crt files in /etc/nginx/certs which are
# symlinks pointing to the current certificate.
unset symlinked_domains
for symlink in /etc/nginx/certs/*.crt; do
[[ -e "$symlink" ]] || continue
if [[ "$(readlink -f "$symlink")" == "$cert" ]]; then
domain="${symlink%.crt}"
domain="${domain//\/etc\/nginx\/certs\//}"
symlinked_domains+=("$domain")
fi
done
# Display symlinks pointing to the current cert if there is any.
if [[ ${#symlinked_domains[@]} -gt 0 ]]; then
echo "Certificate is used by the following domain(s):"
for domain in "${symlinked_domains[@]}"; do
echo "- $domain"
done
fi
echo '##############################'
done