#!/bin/sh
#
# Issue warning e-mails if SSL certificates expire, using
# certwatch(8).  Set NOCERTWATCH=yes in /etc/sysconfig/httpd
# to disable.
# 

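# Pull in site settings (notably NOCERTWATCH).  The file is executed as
# shell code with the privileges of this cron job, so it must be writable
# only by root.
[ -r /etc/sysconfig/httpd ] && . /etc/sysconfig/httpd

# Fixed paths.  They are assigned after the sysconfig file is sourced, so
# values set there do not change which binary or config tree is used.
HTTPD="/usr/sbin/httpd"
CONF="/etc/httpd/conf"

# Sanity checks: exit quietly (status 0) when the job is disabled or a
# required program or file is missing, so cron does not mail an error.
test -z "${NOCERTWATCH}" || exit 0
test -x "$HTTPD" || exit 0
test -r "$CONF/httpd.conf" || exit 0
test -x /usr/sbin/certwatch || exit 0
test -x /usr/sbin/sendmail || exit 0

# Recipient address: second field of the ServerAdmin directive.  This is
# read only after httpd.conf is known to be readable, and with awk alone,
# because the deprecated egrep can print a warning on stderr that cron
# would mail on every run.  Only the first match is used, so the value is
# a single line; a multi-line value would otherwise flow into the
# message handed to "sendmail -t", which takes its recipients from the
# message headers.
# NOTE(review): if there is no ServerAdmin line at column 0, EMAIL is empty
# and is still passed on; confirm how certwatch treats an empty address.
EMAIL=$(awk '/^ServerAdmin/ { print $2; exit }' "$CONF/httpd.conf" 2>/dev/null)

# Extra -D defines reported by the init script.  $DEFINE is left unquoted
# below on purpose so each define becomes a separate argument.
DEFINE=$(/etc/rc.d/init.d/httpd show_defines)

# Ask httpd for the certificate files named in its configuration.  If the
# configuration test fails there is nothing to check; exit quietly.
certs=$("$HTTPD" -t -f "$CONF/httpd.conf" $DEFINE -DDUMP_CERTS 2>/dev/null) || exit 0

# $certs is split on whitespace into one path per word.  Disable pathname
# expansion first so a path containing glob characters is not expanded.
# Paths containing whitespace are not supported by this loop.
set -f
for c in $certs; do
    # "certwatch -q" exits 0 when a warning is due; only then is the
    # message generated and handed to sendmail.  sendmail's stderr is
    # discarded so delivery problems do not produce cron mail.
    if /usr/sbin/certwatch -q "$c"; then
        /usr/sbin/certwatch "$c" "$EMAIL" | /usr/sbin/sendmail -oem -oi -t 2>/dev/null
    fi
done

# because certwatch does exit 1 on a valid cert, force exit 0 here so cron
# doesn't think there are errors
exit 0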
