#!/usr/bin/env bash
#
# check X.509 cert for a domain:port with openssl, for correspondance and expiration
# + by default the port is 443
# + there is a timeout of 6 sec and is there is no connectivity the check is skipped
#
# requirements: sudo apt install openssl
# GENERAL ###########################################################
# locale env
unset LC_ALL
export LC_MESSAGES=C
# check if module was disabled
module_disable=${module_tls_disable:=0}
if (($module_disable == 1)); then
exit 1
fi
# colors
c_txt=${c_txt:="39"}
c_txt_emphase=${c_txt_emphase:="35"}
c_txt_deco=${c_txt_deco:="97"}
c_txt_invert=${c_txt_invert:="30"}
c_bg=${c_bg_sec:="47"}
c_danger=${c_danger:="31"}
c_warning=${c_warning:="33"}
c_success=${c_success:="32"}
c_title=${c_title:="${c_bg};1;${c_txt_invert}m"}
# api website name for plain public IP4/6 check
publicip_api=${global_publicip_api:="icanhazip.com"}
# OPTIONS ###########################################################
# domains:ports input
if [[ $module_tls_domains ]]
then
tls_domains=(${module_tls_domains[@]})
else
tls_domains=("www.google.com" "smtp.gmail.com:465")
fi
IFS=$'\n' tls_domains=($(sort <<<"${tls_domains[*]}"))
unset IFS
# PREPARATIONS ######################################################
# print loading message
echo -e "\nWaiting for TLS checks\e[5m...\e[0m"
# parse output
output=" \e[1;4;${c_txt}mDomain\e[24m|\e[4mPort\e[24m|\e[4mValid until\e[0m"
currentTime=$(date +%s)
# check if there is internet connectivity
INTERNET_OUT=0
PUBLICIP="$(timeout 6 curl -s $publicip_api 2>/dev/null)"
if [[ ! $PUBLICIP ]]; then
INTERNET_OUT=1
fi
# OUTPUT ############################################################
for domain in "${tls_domains[@]}"
do
if [[ $domain == *:* ]]
then
port=${domain/*:/}
domain=${domain/:*/}
else
port="443"
fi
if [[ $INTERNET_OUT == 0 ]]; then
# fetch cert
cert=""
cert=$(timeout 6 openssl s_client -servername ${domain} -connect ${domain}:${port} < /dev/null 2>/dev/null)
# fetch subject name with a 3 sec timeout
certSubj=$(echo -e "$cert" | openssl x509 -noout -subject 2>/dev/null)
# fetch expiration time
certTime=$(echo -e "$cert" | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
certLineTime=$(date -d "${certTime}" +"%F")
certTimestamp=$(date -d "${certTime}" +%s)
port="\e[${c_txt}m${port}\e[0m"
# check subject name with a 3 sec timeout
if [[ $certSubj == *${domain} ]]
then
domain="\e[${c_txt}m${domain}\e[0m"
# check expiration time - 3 days
if [[ "$((${certTimestamp} - 259200 ))" -ge "${currentTime}" ]]
then
sign="\e[${c_success}m●\e[0m"
result="\e[1;${c_success}m$certLineTime\e[0m"
# check expiration time today
elif [[ "${certTimestamp}" -ge "${currentTime}" ]]
then
sign="\e[1;${c_warning}m▲\e[0m"
result="\e[1;${c_warning}m${certLineTime}\e[0m"
else
sign="\e[1;5;${c_danger}m▲\e[0m"
result="\e[1;${c_danger}m$certLineTime\e[0m"
fi
else
domain="\e[${c_txt}m${domain}\e[0m"
sign="\e[1;2;${c_warning}m\U25B2\e[0m"
result="\e[1;2;${c_warning}mtimeout or misnamed\e[0m"
fi
elif [[ $INTERNET_OUT == 1 ]]; then
domain="\e[${c_txt}m${domain}\e[0m"
sign="\e[1;2;${c_txt}m▲\e[0m"
result="\e[1;2;${c_txt}mno internet, skipped\e[0m"
fi
output+="\n ${sign} ${domain}|${port}|$result"
done
# output header and table content
echo -e "\e[1A\e[${c_title} TLS checks \e[0m "
echo -e
echo -e "$output" | column -t -s '|'