Monitor freeipa certificate expirations
Project freeipa-cert-alert
Overview
Freeipa-cert-alert is a small project that lists the certificates from an IPA server that will expire soon. The idea is to pass the output to a mail or logging utility.
I wanted to manipulate the objects coming from FreeIPA directly rather than parse the textual CLI output (which is not a terrible way to do it), because I know that FreeIPA is a Python project. Come to find out, the python3-freeipa package is not a core part of FreeIPA, whose own packages use python-ipa* names. But python3-freeipa provides suitable methods that return useful objects we can iterate over.
Even the cert_find() implementation lets you pick start and stop times for the validity period, which is most of the work involved.
I also devised some dirty tricks to columnize the output.
Using freeipa-cert-alert
You configure it with environment variables at runtime, including:
FREEIPA_SERVER
FREEIPA_USERNAME
FREEIPA_PASSWORD
DAYS
For some reason, the domain name alone does not suffice as the server name. You must pick one specific IPA server. The servers are discoverable in a properly functioning Kerberos domain from the LDAP SRV record (each hostname in the output carries a trailing dot, which you should strip before use):
dig +short -t srv _ldap._tcp.yourdomain.com | awk '{print $4}'
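The following is an added example, not the freeipa-cert-alert project's own code, showing the pieces described above in working form: the expiry window computed from DAYS, the cert_find() call restricted to that window, a client-side re-check of each certificate's not-after timestamp, and a columnized report. The live call assumes the python-freeipa ClientMeta API (its login() method and the o_validnotafter_from/o_validnotafter_to/o_sizelimit keyword names, which mirror the ipa cert-find CLI options); the result field names (subject, valid_not_before, valid_not_after, serial_number) and the "Thu Jan 16 21:18:28 2020 UTC" timestamp form are assumed from the sample output on this page. The certificate records and the reference date are constructed so the example runs offline without an IPA server.

```python
"""Added example (not the freeipa-cert-alert project's code): find FreeIPA
certificates expiring within DAYS days and print them in aligned columns."""
import os
from datetime import datetime, timedelta, timezone

DATE_FMT = "%Y-%m-%d"
# FreeIPA's cert output uses a ctime-style timestamp with a "UTC" suffix
# (assumption, matching the sample output on this page).
IPA_TIME_FMT = "%a %b %d %H:%M:%S %Y UTC"


def expiry_window(days, now=None):
    """Return (start, end) as YYYY-mm-dd strings spanning now .. now+days."""
    now = now or datetime.now(timezone.utc)
    end = now + timedelta(days=days)
    return now.strftime(DATE_FMT), end.strftime(DATE_FMT)


def parse_ipa_time(value):
    """Parse FreeIPA's timestamp string into an aware UTC datetime."""
    return datetime.strptime(value, IPA_TIME_FMT).replace(tzinfo=timezone.utc)


def expiring_soon(certs, days, now=None):
    """Keep the cert dicts whose valid_not_after lies in [now, now+days].

    The server-side filter is date-granular and includes already-expired
    certs if the window is wide, so re-check with full timestamps here.
    Result is sorted soonest-expiring first."""
    now = now or datetime.now(timezone.utc)
    end = now + timedelta(days=days)
    keep = [c for c in certs if now <= parse_ipa_time(c["valid_not_after"]) <= end]
    return sorted(keep, key=lambda c: parse_ipa_time(c["valid_not_after"]))


def columnize(rows, headers):
    """Left-align each column to its widest cell; returns a list of lines."""
    cells = [tuple(map(str, r)) for r in rows]
    widths = [max(len(r[i]) for r in cells + [headers]) for i in range(len(headers))]
    fmt = "  ".join("{:<%d}" % w for w in widths)
    return [fmt.format(*headers).rstrip()] + [fmt.format(*r).rstrip() for r in cells]


def report(certs, days, now=None):
    """Build the report lines: a title line, then the column table (if any)."""
    now = now or datetime.now(timezone.utc)
    rows = [(c["valid_not_before"], c["valid_not_after"], c["subject"])
            for c in expiring_soon(certs, days, now)]
    lines = ["Certificates expiring within %d days from %s" % (days, now.strftime(DATE_FMT))]
    if rows:
        lines += columnize(rows, ("Not valid before", "Not valid after", "Subject"))
    return lines


def fetch_certs(server, username, password, days):
    """Live query via python-freeipa's ClientMeta (assumed API; imported here
    so everything else runs offline). o_sizelimit=0 lifts cert-find's default
    result cap so a large fleet is not silently truncated."""
    from python_freeipa import ClientMeta
    client = ClientMeta(server, verify_ssl=True)
    client.login(username, password)
    start, end = expiry_window(days)
    resp = client.cert_find(o_validnotafter_from=start, o_validnotafter_to=end, o_sizelimit=0)
    return resp["result"]


# Constructed reference date (the date in the sample output on this page).
SAMPLE_NOW = datetime(2021, 10, 27, tzinfo=timezone.utc)

# Constructed records in the shape of cert_find()["result"] entries:
# one expiring soon, one long-lived CA cert, one already expired.
SAMPLE_CERTS = [
    {"serial_number": 11, "subject": "CN=d2-02a.ipa.example.com,O=IPA.EXAMPLE.COM",
     "valid_not_before": "Thu Jan 16 21:18:28 2020 UTC",
     "valid_not_after": "Sun Jan 16 21:18:28 2022 UTC"},
    {"serial_number": 1, "subject": "CN=Certificate Authority,O=IPA.EXAMPLE.COM",
     "valid_not_before": "Thu Jan 16 21:18:28 2020 UTC",
     "valid_not_after": "Mon Jan 16 21:18:28 2040 UTC"},
    {"serial_number": 7, "subject": "CN=old.ipa.example.com,O=IPA.EXAMPLE.COM",
     "valid_not_before": "Mon Oct 14 21:00:00 2019 UTC",
     "valid_not_after": "Mon Oct 11 21:00:00 2021 UTC"},
]

if __name__ == "__main__":
    days = int(os.environ.get("DAYS", "30"))
    env = {k: os.environ.get(k) for k in ("FREEIPA_SERVER", "FREEIPA_USERNAME", "FREEIPA_PASSWORD")}
    if all(env.values()):
        certs = fetch_certs(env["FREEIPA_SERVER"], env["FREEIPA_USERNAME"], env["FREEIPA_PASSWORD"], days)
    else:
        certs = SAMPLE_CERTS  # offline demo on the constructed records
    print("\n".join(report(certs, days)))
```

Run with DAYS set and the three FREEIPA_* variables to query a real server, or with none of them to see the report over the constructed records. Pipe the output to mail or a logger as the page suggests; the report has a single title line and no table when nothing is expiring, which is easy to test for before sending.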
Example
$ DAYS=180 ./freeipa-cert-alert.py
Certificates expiring within 180 days from 2021-10-27
Not valid before              Not valid after               Subject
Thu Jan 16 21:18:28 2020 UTC  Sun Jan 16 21:18:28 2022 UTC  CN=d2-02a.ipa.example.com,O=IPA.EXAMPLE.COM
Upstream
My GitLab repo is the source.
Alternatives
Examine the output of ipa cert-find manually (the CLI accepts the same --validnotafter-from and --validnotafter-to window). Otherwise, I found no examples that do what I do here.