前提
總是后知后覺,總是后知后覺。目前的現狀是不論出現什么問題,都無法進行提前預警和在客戶未知前介入處理。早上偶然和研發經理交流時突發靈感,寫下此腳本,試圖以此為開始進行提前的預警。
從生產 k8s 集群拿到 test.cn 的證書（tls.crt 及其私鑰 tls.key），在預發環境做域名證書檢測案例（文中的 daemon 實為 domain）。注意：私鑰一旦拷出生產集群，暴露面就隨之擴大——下方目錄列表裡 tls.key 的權限是 0644（所有本地用戶可讀），應先 chmod 600，創建 Secret 之後再刪除本地副本。
daemon案例
# pwd
/yufa/zhengshu/test
ll
total 32
-rw-r--r-- 1 root wheel 465B 9 9 09:50 test-ingress.yaml
-rw-r--r-- 1 root wheel 711B 9 9 09:47 test.yaml
-rw-r--r-- 1 root wheel 3.5K 9 9 09:24 tls.crt
-rw-r--r-- 1 root wheel 1.6K 9 9 09:25 tls.key
# kubectl -n test create secret tls test-cn --key ./tls.key --cert ./tls.crt
# cat test.yaml
# ClusterIP Service (no `type` given, so the default) in front of the canary Tomcat pods.
apiVersion: v1
kind: Service
metadata:
  name: tomcat
  namespace: test
spec:
  selector:
    app: tomcat
    release: canary
  ports:
  - name: http
    port: 8080
    targetPort: 8080
  # AJP becomes reachable from anything in the cluster that can reach this
  # Service. The Ingress on this page only routes 8080, so nothing here needs
  # 8009; Tomcat's AJP connector had an unauthenticated file-read bug
  # (CVE-2020-1938 "Ghostcat", fixed in 7.0.100) — drop this port unless a
  # front proxy really speaks AJP, and confirm the image's Tomcat version.
  - name: ajp
    port: 8009
    targetPort: 8009
---
# Single-replica Tomcat that the TLS Ingress forwards to.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tomcat-deploy
  namespace: test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tomcat
      release: canary
  template:
    metadata:
      labels:
        app: tomcat
        release: canary
    spec:
      containers:
      - name: tomcat
        # Tomcat 7 is end-of-life and gets no more security fixes; acceptable
        # for this expiry-check demo, pick a supported tag before reusing.
        image: tomcat:7-alpine
        # No resources or securityContext are set, so the container runs with
        # the image's default user and no limits — presumably root for this
        # image; confirm before using it beyond a demo.
        ports:
        - name: httpd
          containerPort: 8080
        - name: ajp
          containerPort: 8009
# cat test-ingress.yaml
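# TLS Ingress for the pre-production copy of the *.test.cn certificate.
# NOTE: extensions/v1beta1 Ingress is deprecated and removed on newer clusters
# (use networking.k8s.io/v1 there); kept because this cluster accepted it.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ingress-tomcat-tls
  namespace: test
  annotations:
    # Was misspelled "kubernets.io/ingress.class": an unknown annotation key is
    # simply ignored, so Kong would most likely never claim this Ingress.
    kubernetes.io/ingress.class: "kong"
spec:
  tls:
  - hosts:
    - "*.test.cn"        # must match the name(s) in the certificate held by the secret
    secretName: test-cn  # the kubernetes.io/tls secret created above from tls.crt/tls.key;
                         # it carries the production wildcard private key, so keep RBAC on
                         # namespace "test" tight
  rules:
  - host: zisefeizhu.test.cn
    http:
      paths:
      - path:
        backend:
          serviceName: tomcat
          servicePort: 8080   # only HTTP is routed; AJP (8009) is not exposed through the Ingress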
編寫檢測 HTTPS 證書過期的小腳本（腳本讀取的是站點證書的 notAfter，並非域名註冊的到期日；域名本身的續費要另行監控）
話不多說直接懟腳本
# cat check_daemon.sh
#!/bin/bash
# check_daemon.sh — reads the HTTPS certificate of every host in domainlist
# and mails the addresses in maillist when its notAfter is getting close.
# ("daemon" in the file name is the author's spelling of "domain".)
# Presumably here so the script sees the login PATH when started by cron,
# whose own environment is minimal (see the PATH line in /etc/crontab below).
source /etc/profile
# Alert recipients. A line starting with # inside the array literal is a
# comment, so an address can be disabled in place.
maillist=(
lixxxxn@rxxxxx.com
#2xxxxxx860@qq.com
)
#發送郵件函數
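#######################################
# Mail the expiry alert for one host to every address in maillist.
# Globals:   maillist (read) - array of recipient addresses
# Arguments: $1 - host name whose HTTPS certificate was checked
#            $2 - whole days until the certificate's notAfter; negative
#                 once it has already expired
# Outputs:   one message per recipient through mail(1); a failed send is
#            reported on stderr and the remaining recipients are still tried
# Returns:   0
#######################################
send_mail() {
  local host="$1"
  local days="$2"
  local subject content rcpt

  # What is measured is the certificate's notAfter, not the domain
  # registration, so the wording says 證書 rather than 域名 — the old text
  # would send the on-call to renew the wrong thing.
  if [ "$days" -ge 0 ]; then
    subject="${host} HTTPS證書即將到期"
    content="${host}:此站點的HTTPS證書即將到期,剩余時間已不足${days}天,請及時續期!"
  else
    subject="${host} HTTPS證書已到期"
    content="${host}:此站點的HTTPS證書已到期,已超出$(( -days ))天,請及時續期!"
  fi

  # The original built the body from the globals $domain/$days with broken
  # quoting and only added the header lines in the not-yet-expired branch;
  # both branches now carry the same header, built from the arguments.
  for rcpt in "${maillist[@]}"; do
    printf '當前檢測的域名: %s\n剩余天數: %s\n%s\n' "$host" "$days" "$content" \
      | mail -s "$subject" "$rcpt" \
      || printf 'warn: mail to %s failed\n' "$rcpt" >&2
  done
  return 0
}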
#檢測mails命令是否存在,不存在則安裝mail包
#######################################
# Make sure the mail(1) client used by send_mail exists, installing it with
# yum when it does not (that branch needs root). On CentOS the binary is
# shipped by the mailx package; yum resolves the bare name "mail" through
# that package's Provides — if that ever fails, install "mailx" explicitly.
# Globals:   none
# Arguments: none
# Returns:   0 when mail is already present, otherwise yum's status
#######################################
is_install_mail() {
  if ! command -v mail >/dev/null 2>&1; then
    yum install -y mail
  fi
}
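# Make sure mail(1) exists before an alert could be needed.
is_install_mail

# Hosts whose HTTPS certificate is checked; each must serve TLS on :443 and
# answer to its own name via SNI.
domainlist=(
zisefeizhu.test.cn
)

# Alert once fewer than this many days remain before notAfter.
alert_days=100

# Seconds allowed for the TLS handshake. The original used 1 s, which is
# shorter than many WAN handshakes and turned slow hosts into "unreachable".
connect_timeout=10

#######################################
# Print the notAfter of the leaf certificate $1:443 serves for SNI $1.
# Arguments: $1 - host name
# Outputs:   the value printed by `openssl x509 -enddate`, e.g.
#            "Sep  9 09:50:00 2020 GMT"; empty when the connection or the
#            certificate parse fails (stderr is silenced on purpose; the
#            caller reports the empty result)
# Returns:   0 — the pipeline's status is awk's, so it cannot signal
#            failure; the original's `[ $? -ne 0 ]` test was therefore dead
#            code and only the empty-string test ever fired
#######################################
cert_end_date() {
  local host="$1"
  # Only the leaf is inspected: an expiring intermediate or an otherwise
  # invalid chain is not detected here.
  echo \
    | timeout "$connect_timeout" openssl s_client -servername "$host" -connect "${host}:443" 2>/dev/null \
    | openssl x509 -noout -enddate 2>/dev/null \
    | awk -F '=' '{print $2}'
}

#######################################
# Whole days from now until a notAfter date.
# Arguments: $1 - date string accepted by GNU `date -d`
# Outputs:   days remaining on stdout; negative once the date has passed
# Returns:   non-zero when date(1) cannot parse $1
#######################################
cert_days_left() {
  local end_epoch now_epoch
  end_epoch=$(date -d "$1" +%s) || return 1
  now_epoch=$(date +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

failed=0
for domain in "${domainlist[@]}"; do
  echo "當前檢測的域名:" "$domain"
  end_time=$(cert_end_date "$domain")
  if [ -z "$end_time" ]; then
    # The original `exit 10` here ended the whole run on the first host that
    # could not be read, so the remaining hosts were never checked and no
    # alert went out — a monitoring script should finish the list.
    printf 'warn: no certificate could be read from %s:443\n' "$domain" >&2
    failed=1
    continue
  fi
  if ! days=$(cert_days_left "$end_time"); then
    printf 'warn: cannot parse notAfter "%s" of %s\n' "$end_time" "$domain" >&2
    failed=1
    continue
  fi
  # The original computed and printed this twice (hence the doubled
  # "剩余天數" line in the sample run); once is enough.
  echo "剩余天數: " "$days"
  if [ "$days" -lt "$alert_days" ]; then
    echo "https 證書有效期少於${alert_days}天,存在風險"
    send_mail "$domain" "$days"
  fi
done

# Keep the original's exit status for a failed check, but only after every
# host has had its turn.
[ "$failed" -eq 0 ] || exit 10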
發送郵件設置
獲取網易雲郵箱授權碼
配置發送郵箱人信息
安裝postfix
# yum -y install postfix
# systemctl enable postfix
設置發送郵箱信息
# vim /etc/mail.rc
......
新增
# Plain SMTP on port 25 with AUTH LOGIN: the password below crosses the
# network in clear text. This variant never worked here anyway (port 25 is
# blocked, see below); the smtps/465 configuration later on the page
# supersedes it.
set from=1xxxxxx91@163.com
set smtp=smtp.163.com
set smtp-auth-user=1xxxxxx91@163.com
# The 163 mailbox "authorization code" in clear text. /etc/mail.rc is
# typically world-readable — keep it 0600 or move these lines to ~/.mailrc.
set smtp-auth-password=ZXUxxxxExxCSQ
set smtp-auth=login
# systemctl start postfix
# echo "test" |mail -s "tesc message" 23xxxxx60@qq.com
could not connect: 連接超時
"/root/dead.letter" 11/308
. . . message not sent.
超時原因:阿里雲服務器關閉了25端口,發送郵件連接不上服務器的緣故,而且官方不允許打開該端口
網易163免費郵箱相關服務器信息:
所以除了換郵箱之外(端口不是25的,要么是國外不好申請,要么收費,摸摸口袋…)
以網易163郵箱為例,使用SSL下的465端口
請求數字證書
# mkdir -p /root/.certs/
# Fetch the certificate smtp.163.com presents. Without -showcerts, s_client
# prints only the server's own (leaf) certificate, so the PEM block sed keeps
# is that leaf, not a CA — the "GeoTrust SSL CA" nicknames below are just
# labels. Nothing verifies this download (trust-on-first-use): compare its
# fingerprint with what a browser shows for smtp.163.com before importing it,
# otherwise an intercepted fetch is exactly what gets pinned. Pinning a leaf
# also stops working when 163 rotates its certificate; repeat these steps then.
# echo -n | openssl s_client -connect smtp.163.com:465 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ~/.certs/163.crt
# "-t C,," marks the entry as a CA; a leaf certificate is not one, which is
# presumably why the "issuer is not recognized" error persisted until the
# second import below added the P (trusted peer) flag.
# certutil -A -n "GeoTrust SSL CA" -t "C,," -d ~/.certs -i ~/.certs/163.crt
# NOTE: this import targets "-d ./" (the shell's current directory) and a
# relative "163.crt", not ~/.certs — which is why it is repeated from
# /root/.certs further down the page.
# certutil -A -n "GeoTrust SSL CA - G3" -t "Pu,Pu,Pu" -d ./ -i 163.crt
修改郵件發送人設置
# vim /etc/mail.rc
......
改增
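set from=1xxxxxx91@163.com
# Implicit TLS on 465 (smtps://), so the AUTH LOGIN password below is
# encrypted in transit — the only workable option with port 25 blocked.
set smtp=smtps://smtp.163.com:465
set smtp-auth-user=1xxxxxx91@163.com
# 163 mailbox authorization code in clear text: chmod 600 this file (or put
# these lines in root's ~/.mailrc) so other local users cannot read it.
set smtp-auth-password=ZXxxxGWRxxxCSQ
set smtp-auth=login
# Was "ignore", which makes mailx accept any certificate — the encrypted
# connection then gives no protection against a man-in-the-middle harvesting
# the password. With the 163 certificate imported into the NSS store below,
# strict verification passes; if it ever fails, fix the store rather than
# going back to ignore.
set ssl-verify=strict
set nss-config-dir=/root/.certs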
重啟測試
# systemctl restart postfix
# echo "test" |mail -s "title" linkun@xxxxx.com
登陸郵箱驗證
emmm。收到是收到了,但有個報錯
證書不被信任,且命令行就此卡住,需要按鍵才能出現命令提示符
# Error in certificate: Peer's certificate issuer is not recognized.
處理此問題
# cd /root/.certs/
# ll
總用量 80
-rw-r--r-- 1 root root 2415 9月 9 13:31 163.crt
-rw------- 1 root root 65536 9月 9 13:35 cert8.db
-rw------- 1 root root 16384 9月 9 13:35 key3.db
-rw------- 1 root root 16384 9月 9 13:31 secmod.db
# certutil -A -n "GeoTrust SSL CA - G3" -t "Pu,Pu,Pu" -d ./ -i 163.crt
問題解決
測試daemon案例
執行腳本
sh check_daemon.sh
當前檢測的域名: zisefeizhu.test.cn
剩余天數: 73
剩余天數: 73
https 證書有效期少於100天,存在風險
驗證
👌!
定時任務
# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
# cron mails each job's stdout/stderr here; the script prints a per-host
# summary on every run, so root gets a mail daily — redirect to a log file
# if that is noise.
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
#Timing execution /root/scripts/check_daemon.sh
# Daily at 02:00 as root. Starting it through `sh` bypasses the script's
# #!/bin/bash line; on this yum-based host /bin/sh is bash, so the arrays
# and `&>` still work, but on dash-based systems they would not — prefer
# `/bin/bash /root/scripts/check_daemon.sh`. Root is presumably needed only
# for the `yum install` fallback inside the script.
0 2 * * * root sh /root/scripts/check_daemon.sh