ocserv: notify users about certificates about to expire

2025-08-12 10:59:02 +02:00 · 2025-08-12 10:59:02 +02:00 · 937c75e097
commit 937c75e097
parent 577c8c8849
3 changed files with 67 additions and 4 deletions
--- a/roles/ocserv/files/notify-expiring-certs
+++ b/roles/ocserv/files/notify-expiring-certs
@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -e
+
+for cert in /var/lib/ocserv/certs/*.crt ; do
+        # get email
+        email="$(openssl x509 -noout -email -in "${cert}")"
+        if [ -z "${email}" ] ; then
+                # if emailAddress is not specified in certificate, assume CN is the email
+                email="$(openssl x509 -noout -subject -in "${cert}" | sed 's/^.* CN = \([^,]*\).*$/\1/')"
+        fi
+        if [ -z "${email}" ] ; then
+                # bail if we still don’t have an email to send to
+                continue
+        fi
+
+        # get number of days the certificate will remain valid for
+        end="$(openssl x509 -noout -dateopt iso_8601 -enddate -in "${cert}" | cut -d '=' -f 2)"
+        validity="$(( ($(date -d "${end}" +%s) - $(date +%s)) / 86400 ))"
+
+        # send notice 14 and 7 days before expiry
+        if [ "${validity}" -eq 14 ] || [ "${validity}" -eq 7 ] ; then
+                /usr/sbin/sendmail -t <<EOF
+To: ${email}
+Bcc: root
+Date: $(date -R)
+Subject: Potek certifikata za FRI VPN
+
+Spoštovani,
+
+čez ${validity} dni bo potekel FRI VPN certifikat za ${email}. Če dostop še potrebujete, kontaktirajte RC FRI za podaljšanje.
+
+Lep pozdrav,
+RC FRI
+
+///
+
+Hello,
+
+in ${validity} days the FRI VPN certificate for ${email} will expire. If you still need access, contact RC FRI for renewal.
+
+Best regards,
+RC FRI
+EOF
+        fi
+done
--- a/roles/ocserv/meta/main.yml
+++ b/roles/ocserv/meta/main.yml
@ -1,2 +1,3 @@
 dependencies:
-  - role: nginx
+  - role: nginx # for certificate renewal
+  - role: opensmtpd # for certificate expiry notifications
--- a/roles/ocserv/tasks/main.yml
+++ b/roles/ocserv/tasks/main.yml
@ -1,6 +1,7 @@
 - name: Install packages
  package:
    name:
+      - coreutils # for date
      - netmask # for ocserv-script
      - ocserv
    install_recommends: false # don’t install dnsmasq for whatever reason
@ -34,13 +35,14 @@
    state: directory
    owner: ocserv
    group: ocserv
+    mode: "0700"

 # this script allows routing from the client to their networks on connection
 - name: Install ocserv firewall script
  copy:
    dest: /usr/local/bin/
    src: ocserv-script
-    mode: 755
+    mode: "0755"

 - name: Configure ocserv
  template:
@ -64,7 +66,7 @@
  copy:
    dest: /etc/letsencrypt/renewal-hooks/deploy/
    src: reload-ocserv.sh
-    mode: 0755
+    mode: "0755"

 - name: Create ocserv service override directory
  file:
@ -72,7 +74,7 @@
    state: directory
    owner: root
    group: root
-    mode: 0755
+    mode: "0755"

 - name: Set ocserv to start after network is online
  copy:
@ -89,3 +91,17 @@
    value: 1
    sysctl_file: /etc/sysctl.d/99-local.conf
    sysctl_set: true
+
+- name: Install user certificate expiry notification script
+  copy:
+    dest: /usr/local/bin/
+    src: notify-expiring-certs
+    mode: "0755"
+
+- name: Schedule user certificate expiry notification script
+  cron:
+    name: "notify users with expiring certificates"
+    job: "/usr/local/bin/notify-expiring-certs"
+    user: ocserv
+    hour: "6"
+    minute: "26"