-rw-r--r--.gitignore1
-rw-r--r--README.md32
-rwxr-xr-xfreeipa-cert-alert.py63
3 files changed, 96 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..bee8a64
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+__pycache__
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..70cf3e4
--- /dev/null
+++ b/README.md
@@ -0,0 +1,32 @@
+# Readme for freeipa-cert-alert
+
+## Overview
+Freeipa-cert-alert is a small project that lists the certificates from an IPA server that will expire soon. The idea is to pass the output to a mail or logging utility.
+
+## Using
+You configure it with environment variables at runtime, including:
+
+* `FREEIPA_SERVER`
+* `FREEIPA_USERNAME`
+* `FREEIPA_PASSWORD`
+* `DAYS`
+
+For some reason, domain name does not suffice as the server name. You must pick a server name. This is discoverable in a properly-functioning Kerberos domain with:
+
+ dig +short -t srv _ldap._tcp.yourdomain.com | awk '{print $4}'
+
+## Upstream
+[This repository](https://gitlab.com/bgstack15/freeipa-cert-alert) is the original.
+
+## Alternatives
+Examine the output of `ipa cert-find` manually. Otherwise, I found no examples that do what I do here.
+
+## Dependencies
+
+### RPMs
+* python3-freeipa
+
+## References
+
+## Differences from upstream
+N/A
diff --git a/freeipa-cert-alert.py b/freeipa-cert-alert.py
new file mode 100755
index 0000000..cd757ea
--- /dev/null
+++ b/freeipa-cert-alert.py
@@ -0,0 +1,63 @@
+#!/usr/bin/env python3
+# File: alert.py
+# Location: https://gitlab.com/bgstack15/freeipa-cert-alert
+# Author: bgstack15
+# Startdate: 2021-10-27 14:00
+# SPDX-License-Identifier: GPL-3.0
+# Title: Script that Alerts For Expiring Certs
+# Purpose: Send me alerts for certs that are about to expire
+# History:
+# Usage:
+# Set env: FREEIPA_SERVER FREEIPA_USERNAME FREEIPA_PASSWORD DAYS
+# References:
+# https://python-freeipa.readthedocs.io/en/latest/
+# https://stackoverflow.com/questions/72899/how-do-i-sort-a-list-of-dictionaries-by-a-value-of-the-dictionary/73050#73050
+# https://stackoverflow.com/questions/6871016/adding-days-to-a-date-in-python/6871482#6871482
+# https://stackoverflow.com/questions/24027863/convert-a-utc-time-to-epoch
+# https://stackoverflow.com/questions/9989334/create-nice-column-output-in-python/9996049#9996049
+# Improve:
+# Dependencies:
+# Somehow this is not a requisite component of freeipa! Those are named python3-ipa*
+# fedora-req: python3-freeipa
+
+import python_freeipa, json, datetime, os, sys
+import dateutil.parser as dparser
+
+# Functions
+def show_list(inlist):
+ col1max = 0
+ col2max = 0
+ col3max = 0
+ for i in inlist:
+ col1max = max(len(i['valid_not_before']),col1max)
+ col2max = max(len(i['valid_not_after']),col2max)
+ col3max = max(len(i['subject']),col3max)
+ col1max = col1max+2
+ col2max = col2max+2
+ if len(inlist) > 0:
+ a = "Not valid before"
+ b = "Not valid after"
+ c = "Subject"
+ print(f"{a:<{col1max}} {b:<{col2max}} {c:<{col3max}}")
+ for i in inlist:
+ print(f"{i['valid_not_before']:<{col1max}} {i['valid_not_after']:<{col2max}} {i['subject']:<{col3max}}")
+
+# Main
+DAYS = os.getenv("DAYS",default=60)
+try:
+ DAYS = int(DAYS)
+except:
+ DAYS = 60
+
+client = python_freeipa.ClientMeta(os.getenv("FREEIPA_SERVER"))
+client.login(os.getenv("FREEIPA_USERNAME"),os.getenv("FREEIPA_PASSWORD"))
+
+today = str(datetime.date.today( ))
+future = str(datetime.date.today() + datetime.timedelta(days=DAYS))
+results = client.cert_find(o_validnotafter_from=today,o_validnotafter_to=future)
+certs = results['result']
+# Sort
+certs = sorted(certs,key=lambda d: int(dparser.parse(d['valid_not_after']).strftime('%s')))
+if len(certs) > 0:
+ print(f"Certificates expiring within {DAYS} days from {today}")
+show_list(certs)
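Review bot: The three connection settings are read with `os.getenv(...)` and passed straight to `ClientMeta` and `login`, so an unset `FREEIPA_SERVER`, `FREEIPA_USERNAME` or `FREEIPA_PASSWORD` reaches the client as `None` and fails with a traceback from inside python_freeipa instead of a clear message; a guard before the client is built, `for var in ("FREEIPA_SERVER", "FREEIPA_USERNAME", "FREEIPA_PASSWORD"):` / `    if not os.getenv(var):` / `        sys.exit(f"{var} must be set")`, would also give the otherwise-unused `sys` import a purpose. The bare `except:` around `int(DAYS)` should be `except ValueError:` so that it only covers the malformed-value case it is meant for. The sort key `strftime('%s')` relies on a libc extension that is not portable; sorting on the parsed datetime itself, `key=lambda d: dparser.parse(d['valid_not_after'])`, is equivalent and portable. Since the script imports `dateutil`, it is worth listing python3-dateutil next to python3-freeipa in the README's Dependencies section, and `json` is imported but never used.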