> On Sep 11, 2017, at 5:21 AM, Dominic Raferd <domi...@timedicer.co.uk> wrote:
>
> Does anyone know a way to detect if the certificate currently being used by
> Postfix and/or Dovecot is nearing expiry (esp. in case they haven't picked up
> the updated letsencrypt certificate)?
See below for OpenSSL 1.0.2 or later. Earlier versions don't
have the "-verify_hostname" option, you can delete it if you
like, and omit that part of the certificate check, in which
case the code will also work for OpenSSL 1.0.1 and earlier
(which are EOL).
--
Viktor.
#! /bin/bash
if [ $# -lt 3 -o $# -gt 4 ]; then
printf "Usage: %s <CAfile> <days> <host> [port]\n" "$0" >&2
exit 1
fi
# default
port=587
trusted=$1; shift
days=$1; shift
host=$1; shift
if [ $# -gt 0 ]; then port=$1; shift; fi
detail=$(
(
raw=$(
(sleep 2; printf "QUIT\r\n") |
openssl s_client -connect "$host:$port" -starttls smtp \
-CAfile "$trusted" \
-servername "$host" \
-verify 9 \
-verify_return_error \
-verify_hostname "$host" \
-showcerts 2>&3
)
if [ $? -ne 0 ]; then
printf -- "%s\n" "$raw" >&3
printf -- "SSL handshake failed\n" >&3
exit 1
fi
chain=$(
printf -- "%s\n" "$raw" | tee /dev/fd/3 |
openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
openssl pkcs7 -print_certs
)
if [ -z "$chain" ]; then
printf "Error getting server chain\n" >&2; exit 1
else
# Sadly, verify(1) prior to OpenSSL 1.1.0 did not return
# meaningful exit codes. So we look instead for output
# lines that start with "error".
#
openssl verify \
-trusted "$CAfile" \
-attime $(( $(date +%s) + 86400 * $days )) \
-untrusted <(printf -- "%s\n" "$chain") \
<(printf -- "%s\n" "$chain") 2>&1 | tee /dev/fd/3 |
if grep -i '^error' >/dev/null; then
printf -- "Verification failed\n" >&2; exit 1
fi
fi
) 3>&1
)
if [ $? -ne 0 ]; then printf -- "%s\n" "$detail"; exit 1; fi
