ocserv: notify users about certificates about to expire

roles/ocserv/files/notify-expiring-certs

@@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -e
+
+for cert in /var/lib/ocserv/certs/*.crt ; do
+        # get email
+        email="$(openssl x509 -noout -email -in "${cert}")"
+        if [ -z "${email}" ] ; then
+                # if emailAddress is not specified in certificate, assume CN is the email
+                email="$(openssl x509 -noout -subject -in "${cert}" | sed 's/^.* CN = \([^,]*\).*$/\1/')"
+        fi
+        if [ -z "${email}" ] ; then
+                # bail if we still don’t have an email to send to
+                continue
+        fi
+
+        # get number of days the certificate will remain valid for
+        end="$(openssl x509 -noout -dateopt iso_8601 -enddate -in "${cert}" | cut -d '=' -f 2)"
+        validity="$(( ($(date -d "${end}" +%s) - $(date +%s)) / 86400 ))"
+
+        # send notice 14 and 7 days before expiry
+        if [ "${validity}" -eq 14 ] || [ "${validity}" -eq 7 ] ; then
+                /usr/sbin/sendmail -t <<EOF
+To: ${email}
+Bcc: root
+Date: $(date -R)
+Subject: Potek certifikata za FRI VPN
+
+Spoštovani,
+
+čez ${validity} dni bo potekel FRI VPN certifikat za ${email}. Če dostop še potrebujete, kontaktirajte RC FRI za podaljšanje.
+
+Lep pozdrav,
+RC FRI
+
+///
+
+Hello,
+
+in ${validity} days the FRI VPN certificate for ${email} will expire. If you still need access, contact RC FRI for renewal.
+
+Best regards,
+RC FRI
+EOF
+        fi
+done