I have a script that checks whether a certificate (.cer file) expires within 14 days; if it does, it archives the old certificate request, generates a new one and sends it to the middleware team. But the thought came up: if this script runs from cron at midnight every night, what stops it from sending the middleware team another certificate request on every subsequent night inside that date range (the 14 days before the certificate expires)?
I would like to check the timestamp on the .csr file: if it was replaced or modified within the 14 days before the certificate (.cer file) expires, do nothing; otherwise archive the csr, gencsr, mailcsr. This is the main routine of the script:
if python -c "
import datetime
import sys
current_time = datetime.datetime.now()
key_time = datetime.datetime.strptime(sys.argv[1], '%b %d %Y')
difference = key_time - current_time
sys.exit(0 if difference.days < 14 else 1)
" "$( keytool -printcert -file "$1" | sed '4q;d' | awk '{print $11,$12,$15}' )"
then
    archive; gencert; mail
else
    echo "Cert is still current"
fi
I am currently on Oracle Linux Server release 7.9.
It seems the next step is to save the output of the .cer file check as epoch time in a variable, save the output of the timestamp check as epoch time in a file or flag file, and then compare the two:
If timestamp on .csr is -gt (14 days of .cer expiring), then do nothing; else archive; gencsr; mailcsr; fi
The implementation would look like this:
domain=${1%.cer}                                 # strip the .cer suffix
csr_time_stamp=$(<epoch time of modified date>)
cer_exp_date=$(<epoch time of .cer exp. date>)
# inside [ ], a bare > is a redirection; -gt is the numeric comparison,
# and the right-hand side must be the expiry variable defined above
if [ "$csr_time_stamp" -gt "$cer_exp_date" ] && [ -f "flagfiles/$domain.csr" ]; then
    echo "$csr_time_stamp" >> "flagfiles/$domain.csr"
else
    archivecsr; gencsr; mailcsr
fi
But I am still not checking the flag file for the date stamp; if you put both dates into a variable every time, is that an unnecessary step?
Output of the keytool command:
keytool -printcert -file fqdn.domainname.com.cer | sed '4q;d' | awk '{print $11,$12,$15}'
Jan 24 2018
Output of the timestamp on the .csr file:
stat fqdn.domainname.com.csr | grep Modify | awk '{print $2}'
2023-03-13
With a lot of help from @markp-fuso, this is the code I used:
domain=${1%.cer}                                 # strip the .cer suffix
OUTPUT_DIR=<obfuscated>
archive=<obfuscated>
# convert keytool/expire date to epoch; could probably streamline this a bit
keytool_dt=$(keytool -printcert -file "$1" | sed '4q;d' | awk '{print $11,$12,$15}') # eg: 'Jan 24 2018'
exp_dt=$(date -d "${keytool_dt}" "+%s") # convert to epoch seconds
# calculate number of secs in 14 day range
dt_range=$((14 * 60 * 60 * 24)) # 1209600
# current epoch - one of the following:
now_dt=$(date "+%s") # spawns a subprocess
#printf -v now_dt '%(%s)T' # does not spawn a subprocess; requires bash 3.1+
# last modification date of csr file, in epoch seconds
mod_dt=$(stat -c "%Y" "$domain".csr)
echo "domain.csr: $domain.csr"
echo "now_dt: $now_dt exp_dt: $exp_dt dt_range: $dt_range mod_dt: $mod_dt"
# "expiring soon" means now is past (expiry minus 14 days); adding the range
# instead would only fire 14 days *after* expiry
if (( now_dt > (exp_dt - dt_range) )) # cert has, or will soon, expire
then
    if (( (now_dt - mod_dt) > dt_range )) # csr last mod date was more than 14 days ago
    then
        echo "cert expired: generate new csr"
    else
        echo "cert expired: new csr pending"
    fi
else
    echo "cert is valid"
fi
Now it works. I had to change now_dt back to what you used in your code, and I had not declared mod_dt; I was tired at the time:
now_dt: 1678893896
domain.csr: <obfuscated>.csr
now_dt: 1678893896 exp_dt: 1516780800 dt_range: 1209600 exp_dt: 1516780800 mod_dt: 1678767236
cert expired: new csr pending
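To show the renewal decision end to end, here is an added example (not the OP's script and not @markp-fuso's code) that puts the comparison into testable functions and covers two edge cases the snippets above leave implicit: the keytool line is parsed by anchoring on the "until:" label rather than on line 4 and awk column numbers, and a missing .csr (first run, or just archived) counts as "renew" instead of making `stat` fail. The sample keytool output, the function names and the `check_cert` wrapper are assumptions for illustration; GNU `date -d` and `stat -c` are required, as on Oracle Linux 7.

```shell
#!/bin/sh
# Added example: nightly renewal-request decision that does not re-send on
# every cron run. Function names, the sample keytool output and the 14-day
# window are assumptions made for this illustration.

WINDOW_DAYS=14
WINDOW_SECS=$((WINDOW_DAYS * 24 * 60 * 60))   # 1209600

# Constructed sample of `keytool -printcert -file fqdn.domainname.com.cer`
# output (not real certificate data).
SAMPLE_KEYTOOL='Owner: CN=fqdn.domainname.com, O=Example
Issuer: CN=Example Issuing CA, O=Example
Serial number: 1a2b3c
Valid from: Tue Jan 24 00:00:00 UTC 2017 until: Wed Jan 24 00:00:00 UTC 2018
Certificate fingerprints:
     SHA256: 00:11:22:33'

# Read keytool output on stdin and print the "until:" date as epoch seconds.
# Anchoring on the label means an extra header line or a different field
# count fails loudly instead of handing `date -d` the wrong three columns.
cert_expiry_epoch() {
    not_after=$(sed -n 's/^Valid from: .* until: //p' | head -n 1)
    [ -n "$not_after" ] || return 1
    date -d "$not_after" '+%s'
}

# Same parser applied to the constructed sample above.
sample_expiry_epoch() {
    printf '%s\n' "$SAMPLE_KEYTOOL" | cert_expiry_epoch
}

# Epoch mtime of the CSR, or 0 when no CSR exists yet (first run, or archived).
csr_mtime_epoch() {
    if [ -f "$1" ]; then stat -c '%Y' "$1"; else echo 0; fi
}

# Print valid | pending | renew for epoch seconds: now, cert expiry, csr mtime.
# The CSR mtime is the flag: gencsr rewrites the file, so on the next night
# the request is seen as already sent and nothing is mailed again.
decide_action() {
    now=$1; exp=$2; mod=$3
    if [ "$now" -le $((exp - WINDOW_SECS)) ]; then
        echo valid       # more than 14 days left: nothing to do
    elif [ "$mod" -gt 0 ] && [ $((now - mod)) -le "$WINDOW_SECS" ]; then
        echo pending     # CSR generated within the last 14 days: already sent
    else
        echo renew       # expiring/expired and no recent CSR: archive, gencsr, mailcsr
    fi
}

# Glue for the cron job:  check_cert fqdn.domainname.com.cer  -> valid|pending|renew
check_cert() {
    cer=$1
    csr=${cer%.cer}.csr
    exp=$(keytool -printcert -file "$cer" | cert_expiry_epoch) \
        || { echo "cannot read expiry from $cer" >&2; return 2; }
    decide_action "$(date '+%s')" "$exp" "$(csr_mtime_epoch "$csr")"
}
```

With this split, the nightly job only has to branch on the word printed by `check_cert`, and the flag file the question considers becomes unnecessary: the .csr mtime already records when the last request was generated. One consequence of the "pending" test to be aware of: if the middleware team takes longer than 14 days to return the signed certificate, the request is mailed again as a reminder, which is the same behaviour as the accepted comparison above.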
General approach (assuming `date -d` and `stat -c` are supported):
# convert keytool/expire date to epoch; could probably streamline this a bit
# but would need complete keytool output; for now we'll work with what OP
# has provided in the question:
keytool_dt=$(keytool | sed | awk) # eg: 'Jan 24 2018'
exp_dt=$(date -d "${keytool_dt}" "+%s") # convert to epoch seconds
# calculate number of secs in 14 day range
dt_range=$((14 * 60 * 60 * 24)) # 1209600
# current epoch - one of the following:
now_dt=$(date "+%s") # spawns a subprocess
printf -v now_dt '%(%s)T' # does not spawn a subprocess; requires bash 3.1+
# last modification date of csr file, in epoch seconds
mod_dt=$(stat -c "%Y" file.csr)
现在比较:
if (( now_dt > (exp_dt - dt_range) )) # cert has, or will soon, expire
then
if (( (now_dt - mod_dt) > dt_range )) # csr last mod date was more than 14 days ago
then
echo "cert expired: generate new csr"
else
echo "cert expired: new csr pending"
fi
else
echo "cert is valid"
fi
注意: