root@ns5:/usr/local/sbin # diff check_crt.pl check_crt.pl.20201026
26,27c22
< #$server_ssl = `/usr/bin/openssl x509 -enddate -in $ARGV[0] |/usr/bin/grep notAfter`;
< $server_ssl = `/usr/local/bin/openssl x509 -enddate -in $ARGV[0] |/usr/bin/grep notAfter`;
---
> $server_ssl = `/usr/bin/openssl x509 -enddate -in $ARGV[0] |/usr/bin/grep notAfter`;
81c76
< $subject_jis = encode("MIME-Header-ISO_2022_JP",$subject);
---
> 
85c80
< Subject: $subject_jis
---
> Subject: $subject
106d100
< $subject_jis = encode("MIME-Header-ISO_2022_JP",$subject);
110,111c104
< Subject: $subject_jis
< 
---
> Subject: $subject
127,131c120
< #$header_jis = encode("iso-2022-jp",$header);
< #
< # see https://tutorial.perlzemi.com/blog/20170424149304.html
< #
< #$header_jis = encode("MIME-Header-ISO_2022_JP",$header);
---
> $header_jis = encode("iso-2022-jp",$header);
139,140c128
< #$smtp->datasend($header_jis);
< $smtp->datasend($header);
---
> $smtp->datasend($header_jis);
のような変更を入れた。
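Review bot: In hunk 26,27c22 the current file (the `<` side, since the dated backup is diff's second argument) still interpolates `$ARGV[0]` into a backtick command, so the certificate path is parsed by the shell before openssl sees it. The hunk only changes the openssl path; a file name containing spaces or shell metacharacters would still break or alter the command. A list-form pipe avoids the shell and the grep: `open my $fh, '-|', '/usr/local/bin/openssl', 'x509', '-noout', '-enddate', '-in', $ARGV[0] or die "openssl: $!";` and then read the `notAfter=` line from `$fh`. The commented-out old command on line 26 can be dropped once the new path is confirmed.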
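Review bot: In hunk 139,140c128 `$smtp->datasend($header);` now sends the header block with no encoding step, which is only correct if every header line is already 7-bit ASCII. The diff replaces `Subject: $subject` with `Subject: $subject_jis` at two places (current lines 85 and 110), while the script as published further down this page builds a Subject in three branches; if one branch still interpolates the raw `$subject`, its Japanese text would go out unencoded. That is an inference from the visible hunks and should be confirmed against the full file. Computing `$subject_jis = encode("MIME-Header-ISO_2022_JP",$subject);` once after the if/elsif/else chain and building `$header` there would cover every branch. The two new `encode` calls reference `$subject`, whose assignments lie outside these hunks.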
タグ「証明書」が付けられているもの
iOS13 対応の証明書で使った openssl.cnf
iOS13に上がったことで、「サーバーの識別情報を検証できません」のメッセージで悩んでいる方が多いようで。
サーバ証明書作成に使った openssl.cnfの必要な抜粋を載せてみる。
# Excerpt of the openssl.cnf used to issue the server certificate (private CA
# under /etc/ssl/foobaa.CA). One setting per line; section headers in [ ].

HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids

[ new_oids ]
# Policy OIDs referenced by the [ tsa_config1 ] section below.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ ca ]
default_ca = CA_default # The default ca section

[ CA_default ]
dir = /etc/ssl/foobaa.CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
# The CA signing key: keep $dir/private readable by the CA operator only.
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
# NOTE(review): every certificate signed through this CA section receives the
# [ usr_cert ] extensions below, including the shared [alt_names] SAN list,
# unless a different extension section is selected when signing. Confirm that
# this is intended for certificates that are not TLS server certificates.
x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# 820 days keeps issued certificates under the 825-day validity limit that
# iOS 13 applies to TLS server certificates.
default_days = 820 # 2019/09/25 for iOS13 security policy
default_crl_days= 30 # how long before next CRL
default_md = sha256
preserve = no # keep passed DN ordering
policy = policy_match

[ policy_match ]
# "match" fields must equal the CA certificate's value; "supplied" must be present.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
# Added for iOS 13: certificate requests carry the [ v3_req ] extensions
# (SAN and EKU).
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = JP
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Tokyo
localityName = Locality Name (eg, city)
localityName_default = Shinagawa
0.organizationName = Organization Name (eg, company)
0.organizationName_default = SamaToComapany
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

[ usr_cert ]
# Extensions applied by the CA when it signs a certificate (see
# x509_extensions in [ CA_default ]).
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# The DNS names clients verify come from the SAN list, not from commonName.
subjectAltName= @alt_names
# NOTE(review): a TLS server certificate needs only serverAuth here. The extra
# purposes (timeStamping, clientAuth, codeSigning, emailProtection) widen what
# a leaked server key can be used for; consider one extension section per
# certificate type with the narrowest EKU list.
extendedKeyUsage = critical,timeStamping,serverAuth,clientAuth,codeSigning,emailProtection

[ v3_req ]
# Extensions placed in the certificate request (see req_extensions in [ req ]).
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName =@alt_names
# NOTE(review): same EKU breadth concern as in [ usr_cert ].
extendedKeyUsage = serverAuth,clientAuth,codeSigning,emailProtection

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true

[ crl_ext ]
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

[ tsa ]
default_tsa = tsa_config1 # the default TSA section

[ tsa_config1 ]
dir = /etc/ssl/foobaa.CA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha256 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)

[ ca_cert ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# nsCertType is a legacy Netscape extension; keyUsage below is the field that
# restricts this key to certificate and CRL signing.
nsCertType = sslCA, emailCA
keyUsage = cRLSign, keyCertSign

[alt_names]
# SAN entries referenced by "subjectAltName = @alt_names" above.
# DNS.2 is a wildcard entry for names under foobaa.com.
DNS.1 = foobaa.com
DNS.2 = *.foobaa.com
iOS13 対応の証明書で使った openssl.cnf
iOS13に上がったことで、「サーバーの識別情報を検証できません」のメッセージで悩んでいる方が多いようで。
サーバ証明書作成に使った openssl.cnfの必要な抜粋を載せてみる。
# Excerpt of the openssl.cnf used to issue the server certificate (private CA
# under /etc/ssl/foobaa.CA). One setting per line; section headers in [ ].

HOME = .
RANDFILE = $ENV::HOME/.rnd
oid_section = new_oids

[ new_oids ]
# Policy OIDs referenced by the [ tsa_config1 ] section below.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

[ ca ]
default_ca = CA_default # The default ca section

[ CA_default ]
dir = /etc/ssl/foobaa.CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
# The CA signing key: keep $dir/private readable by the CA operator only.
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
# NOTE(review): every certificate signed through this CA section receives the
# [ usr_cert ] extensions below, including the shared [alt_names] SAN list,
# unless a different extension section is selected when signing. Confirm that
# this is intended for certificates that are not TLS server certificates.
x509_extensions = usr_cert # The extensions to add to the cert
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# 820 days keeps issued certificates under the 825-day validity limit that
# iOS 13 applies to TLS server certificates.
default_days = 820 # 2019/09/25 for iOS13 security policy
default_crl_days= 30 # how long before next CRL
default_md = sha256
preserve = no # keep passed DN ordering
policy = policy_match

[ policy_match ]
# "match" fields must equal the CA certificate's value; "supplied" must be present.
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = utf8only
# Added for iOS 13: certificate requests carry the [ v3_req ] extensions
# (SAN and EKU).
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = JP
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Tokyo
localityName = Locality Name (eg, city)
localityName_default = Shinagawa
0.organizationName = Organization Name (eg, company)
0.organizationName_default = SamaToComapany
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

[ usr_cert ]
# Extensions applied by the CA when it signs a certificate (see
# x509_extensions in [ CA_default ]).
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer:always
# The DNS names clients verify come from the SAN list, not from commonName.
subjectAltName= @alt_names
# NOTE(review): a TLS server certificate needs only serverAuth here. The extra
# purposes (timeStamping, clientAuth, codeSigning, emailProtection) widen what
# a leaked server key can be used for; consider one extension section per
# certificate type with the narrowest EKU list.
extendedKeyUsage = critical,timeStamping,serverAuth,clientAuth,codeSigning,emailProtection

[ v3_req ]
# Extensions placed in the certificate request (see req_extensions in [ req ]).
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName =@alt_names
# NOTE(review): same EKU breadth concern as in [ usr_cert ].
extendedKeyUsage = serverAuth,clientAuth,codeSigning,emailProtection

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = CA:true

[ crl_ext ]
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo

[ tsa ]
default_tsa = tsa_config1 # the default TSA section

[ tsa_config1 ]
dir = /etc/ssl/foobaa.CA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha256 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)

[ ca_cert ]
basicConstraints=CA:TRUE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# nsCertType is a legacy Netscape extension; keyUsage below is the field that
# restricts this key to certificate and CRL signing.
nsCertType = sslCA, emailCA
keyUsage = cRLSign, keyCertSign

[alt_names]
# SAN entries referenced by "subjectAltName = @alt_names" above.
# DNS.2 is a wildcard entry for names under foobaa.com.
DNS.1 = foobaa.com
DNS.2 = *.foobaa.com
iOS13での(imap)サーバー証明書の作り直し
- TLS サーバ証明書は、証明書の SAN (Subject Alternative Name) 拡張領域にサーバの DNS 名を記述する必要がある。証明書の CommonName の DNS 名は今後は信頼されなくなります。
- TLS サーバ証明書には ExtendedKeyUsage (EKU) 拡張領域を必ず含め、ここに id-kp-serverAuth OID を指定する必要がある。
- TLS サーバ証明書の有効期間は 825 日以下である (証明書の NotBefore フィールドと NotAfter フィールドで明記)。
- default_days を 820(日)に
- [req] セクションに"req_extensions = v3_req" を追加。
- [ usr_cert ] セクションに "authorityKeyIdentifier=keyid,issuer:always","subjectAltName= @alt_names","extendedKeyUsage = critical,timeStamping,serverAuth,clientAuth,codeSigning,emailProtection" を追加。
- [ v3_req ]セクションに、"subjectAltName =@alt_names","extendedKeyUsage = serverAuth,clientAuth,codeSigning,emailProtection" を追加。
- [alt_names]セクションを新設し、ここに "DNS.1 = foo.baa.com","DNS.2 = *.foo.baa.com" などと記述。
iOS13での(imap)サーバー証明書の作り直し
- TLS サーバ証明書は、証明書の SAN (Subject Alternative Name) 拡張領域にサーバの DNS 名を記述する必要がある。証明書の CommonName の DNS 名は今後は信頼されなくなります。
- TLS サーバ証明書には ExtendedKeyUsage (EKU) 拡張領域を必ず含め、ここに id-kp-serverAuth OID を指定する必要がある。
- TLS サーバ証明書の有効期間は 825 日以下である (証明書の NotBefore フィールドと NotAfter フィールドで明記)。
- default_days を 820(日)に
- [req] セクションに"req_extensions = v3_req" を追加。
- [ usr_cert ] セクションに "authorityKeyIdentifier=keyid,issuer:always","subjectAltName= @alt_names","extendedKeyUsage = critical,timeStamping,serverAuth,clientAuth,codeSigning,emailProtection" を追加。
- [ v3_req ]セクションに、"subjectAltName =@alt_names","extendedKeyUsage = serverAuth,clientAuth,codeSigning,emailProtection" を追加。
- [alt_names]セクションを新設し、ここに "DNS.1 = foo.baa.com","DNS.2 = *.foo.baa.com" などと記述。
ローカルの証明書の有効期限を通知
CentOSだと、yum で crypto-utils を install すると certwatch が cron で起動され、自ホストの web サーバーの SSL 証明書の有効期限を通知してくれる。
FreeBSDで似たようなのを探したがちょっと見当たらないので、SSL証明書の有効期限をチェックするをパクらせてもらって、自サーバーのローカルにある証明書(smtps,imaps,他)のチェックを行い、メールを送信するスクリプトを作成。
メールの送信で、文字化けがあったので、いまさらですが jis7に変換して送っています。
サーバ証明書でもクライアント証明書でもどちらでもOK。私はいつも crtとpemをくっつけて1つのpemファイルを証明書として使っていますが。。。'openssl x509 -enddate' で 'notAfter'の文字列が出てくるものならどれでもOKと思います。
これで思わぬ証明書の期限切れが防げるかな。(クライアント証明書で良くやらかしてる)
#!/usr/bin/perl
#
# check_crt.pl
#
# ref. http://www.jitaku-svr.info/index.php?SSL%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AE%E6%9C%89%E5%8A%B9%E6%9C%9F%E9%99%90%E3%82%92%E3%83%81%E3%82%A7%E3%83%83%E3%82%AF%E3%81%99%E3%82%8B
#
use utf8;
use Encode;
use MIME::Base64;
use Date::Simple;
use DateTime::Format::Strptime;
use Time::Piece;
use Net::SMTP;
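# Mail a reminder about the expiry date of the certificate file given as the
# first command-line argument. A mail is sent 60, 30 and 10 days before the
# notAfter date and on every run from 7 days before it onwards (including
# after the certificate has expired).
use strict;
use warnings;

my $OPENSSL  = '/usr/bin/openssl';
my $FROM     = 'ssl_report@foo.baa';
my $MAILTO   = 'root@foo.baa';
my $HOST     = '127.0.0.1';
my @MAIL_BCC = ();                  # optional blind-copy recipients

my $cert_file = $ARGV[0];
die "usage: $0 certificate-file\n"
    unless defined $cert_file and length $cert_file;
# The file name is copied into the Subject header and the mail body, so a
# name containing control characters (CR/LF in particular) is refused.
die "certificate file name contains control characters\n"
    if $cert_file =~ /[\x00-\x1f\x7f]/;
die "$cert_file: not a readable file\n"
    unless -f $cert_file and -r _;

# List-form pipe open: the file name reaches openssl as one argument and is
# never parsed by a shell. -noout suppresses the PEM copy of the certificate,
# so only the "notAfter=..." line is printed.
open my $openssl_out, '-|', $OPENSSL, 'x509', '-noout', '-enddate', '-in', $cert_file
    or die "cannot run $OPENSSL: $!\n";
my ($not_after) = map { /\AnotAfter=(.+?)\s*\z/ ? $1 : () } <$openssl_out>;
close $openssl_out;    # a failed openssl run shows up as a missing notAfter line
die "$cert_file: openssl printed no notAfter line\n"
    unless defined $not_after;

# openssl prints e.g. "Oct 26 12:00:00 2022 GMT"; strptime dies on a value it
# cannot parse, hence the eval.
$not_after =~ s/\s*GMT\z//;
my $expires = eval { Time::Piece->strptime($not_after, '%b %d %H:%M:%S %Y') }
    or die "$cert_file: cannot parse notAfter date '$not_after'\n";

my $ssl_limit = Date::Simple->new($expires->ymd);
my $today     = Date::Simple->new();
my $diff      = $ssl_limit - $today;    # whole days until expiry, negative once expired

my ($SSL_year, $SSL_mon, $SSL_day) = map { $expires->strftime($_) } qw(%Y %m %d);

## Send only 60, 30 and 10 days before expiry, and from 7 days before onwards
if ( $diff == 60 or $diff == 30 or $diff == 10 or $diff <= 7 ) {

    # Variable names are written as ${name} because, under "use utf8", a kanji
    # directly after a name would be read as part of the identifier.
    my $file_line   = "ファイル名:【${cert_file}】";
    my $expiry_line = "有効期限:${SSL_year}年${SSL_mon}月${SSL_day}日";

    my ($tag, @body_lines);
    if ( $diff == 0 ) {
        ## Last day of validity
        $tag        = '最終日';
        @body_lines = (
            $file_line,
            $expiry_line,
            "${cert_file}の証明書は本日最終日です。",
            '証明書の更新を行ってください。',
            'または、至急担当者へ連絡してください。',
        );
    }
    elsif ( $diff < 0 ) {
        ## Already expired
        $tag        = '期限切れ';
        @body_lines = (
            $expiry_line,
            "${cert_file}の証明書切れています。",
            '至急、担当者に確認してください。',
        );
    }
    else {
        ## Any other reminder day
        $tag        = "${diff}日前";
        @body_lines = (
            $file_line,
            $expiry_line,
            "${cert_file}の証明書は${diff}日前になりました。",
        );
    }

    # Header values must be 7-bit ASCII: the Japanese subject is turned into
    # an RFC 2047 encoded-word, after which the header block needs no further
    # encoding.
    my $subject     = "【${cert_file}】【${tag}】SSL証明書期限レポート";
    my $subject_jis = encode('MIME-Header-ISO_2022_JP', $subject);
    my $header      = join "\n",
        "From: $FROM",
        "To: $MAILTO",
        "Subject: $subject_jis",
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=iso-2022-jp',
        'Content-Transfer-Encoding: 7bit',
        '', '';    # the empty line separates the header block from the body

    my $message     = join '', map { "$_\n" } @body_lines;
    my $message_jis = encode('7bit-jis', $message);

    my $smtp = Net::SMTP->new($HOST)
        or die "cannot connect to SMTP server $HOST: $@\n";
    $smtp->mail($FROM)  or die 'MAIL FROM rejected: ' . $smtp->message;
    $smtp->to($MAILTO)  or die 'RCPT TO rejected: ' . $smtp->message;
    $smtp->bcc(@MAIL_BCC) if @MAIL_BCC;
    $smtp->data();
    $smtp->datasend($header);
    $smtp->datasend($message_jis);
    $smtp->dataend()    or die 'message not accepted: ' . $smtp->message;
    $smtp->quit;
}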
ローカルの証明書の有効期限を通知
CentOSだと、yum で crypto-utils を install すると certwatch が cron で起動され、自ホストの web サーバーの SSL 証明書の有効期限を通知してくれる。
FreeBSDで似たようなのを探したがちょっと見当たらないので、SSL証明書の有効期限をチェックするをパクらせてもらって、自サーバーのローカルにある証明書(smtps,imaps,他)のチェックを行い、メールを送信するスクリプトを作成。
メールの送信で、文字化けがあったので、いまさらですが jis7に変換して送っています。
サーバ証明書でもクライアント証明書でもどちらでもOK。私はいつも crtとpemをくっつけて1つのpemファイルを証明書として使っていますが。。。'openssl x509 -enddate' で 'notAfter'の文字列が出てくるものならどれでもOKと思います。
これで思わぬ証明書の期限切れが防げるかな。(クライアント証明書で良くやらかしてる)
#!/usr/bin/perl
#
# check_crt.pl
#
# ref. http://www.jitaku-svr.info/index.php?SSL%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AE%E6%9C%89%E5%8A%B9%E6%9C%9F%E9%99%90%E3%82%92%E3%83%81%E3%82%A7%E3%83%83%E3%82%AF%E3%81%99%E3%82%8B
#
use utf8;
use Encode;
use MIME::Base64;
use Date::Simple;
use DateTime::Format::Strptime;
use Time::Piece;
use Net::SMTP;
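# Mail a reminder about the expiry date of the certificate file given as the
# first command-line argument. A mail is sent 60, 30 and 10 days before the
# notAfter date and on every run from 7 days before it onwards (including
# after the certificate has expired).
use strict;
use warnings;

my $OPENSSL  = '/usr/bin/openssl';
my $FROM     = 'ssl_report@foo.baa';
my $MAILTO   = 'root@foo.baa';
my $HOST     = '127.0.0.1';
my @MAIL_BCC = ();                  # optional blind-copy recipients

my $cert_file = $ARGV[0];
die "usage: $0 certificate-file\n"
    unless defined $cert_file and length $cert_file;
# The file name is copied into the Subject header and the mail body, so a
# name containing control characters (CR/LF in particular) is refused.
die "certificate file name contains control characters\n"
    if $cert_file =~ /[\x00-\x1f\x7f]/;
die "$cert_file: not a readable file\n"
    unless -f $cert_file and -r _;

# List-form pipe open: the file name reaches openssl as one argument and is
# never parsed by a shell. -noout suppresses the PEM copy of the certificate,
# so only the "notAfter=..." line is printed.
open my $openssl_out, '-|', $OPENSSL, 'x509', '-noout', '-enddate', '-in', $cert_file
    or die "cannot run $OPENSSL: $!\n";
my ($not_after) = map { /\AnotAfter=(.+?)\s*\z/ ? $1 : () } <$openssl_out>;
close $openssl_out;    # a failed openssl run shows up as a missing notAfter line
die "$cert_file: openssl printed no notAfter line\n"
    unless defined $not_after;

# openssl prints e.g. "Oct 26 12:00:00 2022 GMT"; strptime dies on a value it
# cannot parse, hence the eval.
$not_after =~ s/\s*GMT\z//;
my $expires = eval { Time::Piece->strptime($not_after, '%b %d %H:%M:%S %Y') }
    or die "$cert_file: cannot parse notAfter date '$not_after'\n";

my $ssl_limit = Date::Simple->new($expires->ymd);
my $today     = Date::Simple->new();
my $diff      = $ssl_limit - $today;    # whole days until expiry, negative once expired

my ($SSL_year, $SSL_mon, $SSL_day) = map { $expires->strftime($_) } qw(%Y %m %d);

## Send only 60, 30 and 10 days before expiry, and from 7 days before onwards
if ( $diff == 60 or $diff == 30 or $diff == 10 or $diff <= 7 ) {

    # Variable names are written as ${name} because, under "use utf8", a kanji
    # directly after a name would be read as part of the identifier.
    my $file_line   = "ファイル名:【${cert_file}】";
    my $expiry_line = "有効期限:${SSL_year}年${SSL_mon}月${SSL_day}日";

    my ($tag, @body_lines);
    if ( $diff == 0 ) {
        ## Last day of validity
        $tag        = '最終日';
        @body_lines = (
            $file_line,
            $expiry_line,
            "${cert_file}の証明書は本日最終日です。",
            '証明書の更新を行ってください。',
            'または、至急担当者へ連絡してください。',
        );
    }
    elsif ( $diff < 0 ) {
        ## Already expired
        $tag        = '期限切れ';
        @body_lines = (
            $expiry_line,
            "${cert_file}の証明書切れています。",
            '至急、担当者に確認してください。',
        );
    }
    else {
        ## Any other reminder day
        $tag        = "${diff}日前";
        @body_lines = (
            $file_line,
            $expiry_line,
            "${cert_file}の証明書は${diff}日前になりました。",
        );
    }

    # Header values must be 7-bit ASCII: the Japanese subject is turned into
    # an RFC 2047 encoded-word, after which the header block needs no further
    # encoding.
    my $subject     = "【${cert_file}】【${tag}】SSL証明書期限レポート";
    my $subject_jis = encode('MIME-Header-ISO_2022_JP', $subject);
    my $header      = join "\n",
        "From: $FROM",
        "To: $MAILTO",
        "Subject: $subject_jis",
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=iso-2022-jp',
        'Content-Transfer-Encoding: 7bit',
        '', '';    # the empty line separates the header block from the body

    my $message     = join '', map { "$_\n" } @body_lines;
    my $message_jis = encode('7bit-jis', $message);

    my $smtp = Net::SMTP->new($HOST)
        or die "cannot connect to SMTP server $HOST: $@\n";
    $smtp->mail($FROM)  or die 'MAIL FROM rejected: ' . $smtp->message;
    $smtp->to($MAILTO)  or die 'RCPT TO rejected: ' . $smtp->message;
    $smtp->bcc(@MAIL_BCC) if @MAIL_BCC;
    $smtp->data();
    $smtp->datasend($header);
    $smtp->datasend($message_jis);
    $smtp->dataend()    or die 'message not accepted: ' . $smtp->message;
    $smtp->quit;
}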
ローカルの証明書の有効期限を通知
#!/usr/bin/perl
#
# check_crt.pl
#
# ref. http://www.jitaku-svr.info/index.php?SSL%E8%A8%BC%E6%98%8E%E6%9B%B8%E3%81%AE%E6%9C%89%E5%8A%B9%E6%9C%9F%E9%99%90%E3%82%92%E3%83%81%E3%82%A7%E3%83%83%E3%82%AF%E3%81%99%E3%82%8B
#
use utf8;
use Encode;
use MIME::Base64;
use Date::Simple;
use DateTime::Format::Strptime;
use Time::Piece;
use Net::SMTP;
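# Mail a reminder about the expiry date of the certificate file given as the
# first command-line argument. A mail is sent 60, 30 and 10 days before the
# notAfter date and on every run from 7 days before it onwards (including
# after the certificate has expired).
use strict;
use warnings;

my $OPENSSL  = '/usr/bin/openssl';
my $FROM     = 'ssl_report@foo.baa';
my $MAILTO   = 'root@foo.baa';
my $HOST     = '127.0.0.1';
my @MAIL_BCC = ();                  # optional blind-copy recipients

my $cert_file = $ARGV[0];
die "usage: $0 certificate-file\n"
    unless defined $cert_file and length $cert_file;
# The file name is copied into the Subject header and the mail body, so a
# name containing control characters (CR/LF in particular) is refused.
die "certificate file name contains control characters\n"
    if $cert_file =~ /[\x00-\x1f\x7f]/;
die "$cert_file: not a readable file\n"
    unless -f $cert_file and -r _;

# List-form pipe open: the file name reaches openssl as one argument and is
# never parsed by a shell. -noout suppresses the PEM copy of the certificate,
# so only the "notAfter=..." line is printed.
open my $openssl_out, '-|', $OPENSSL, 'x509', '-noout', '-enddate', '-in', $cert_file
    or die "cannot run $OPENSSL: $!\n";
my ($not_after) = map { /\AnotAfter=(.+?)\s*\z/ ? $1 : () } <$openssl_out>;
close $openssl_out;    # a failed openssl run shows up as a missing notAfter line
die "$cert_file: openssl printed no notAfter line\n"
    unless defined $not_after;

# openssl prints e.g. "Oct 26 12:00:00 2022 GMT"; strptime dies on a value it
# cannot parse, hence the eval.
$not_after =~ s/\s*GMT\z//;
my $expires = eval { Time::Piece->strptime($not_after, '%b %d %H:%M:%S %Y') }
    or die "$cert_file: cannot parse notAfter date '$not_after'\n";

my $ssl_limit = Date::Simple->new($expires->ymd);
my $today     = Date::Simple->new();
my $diff      = $ssl_limit - $today;    # whole days until expiry, negative once expired

my ($SSL_year, $SSL_mon, $SSL_day) = map { $expires->strftime($_) } qw(%Y %m %d);

## Send only 60, 30 and 10 days before expiry, and from 7 days before onwards
if ( $diff == 60 or $diff == 30 or $diff == 10 or $diff <= 7 ) {

    # Variable names are written as ${name} because, under "use utf8", a kanji
    # directly after a name would be read as part of the identifier.
    my $file_line   = "ファイル名:【${cert_file}】";
    my $expiry_line = "有効期限:${SSL_year}年${SSL_mon}月${SSL_day}日";

    my ($tag, @body_lines);
    if ( $diff == 0 ) {
        ## Last day of validity
        $tag        = '最終日';
        @body_lines = (
            $file_line,
            $expiry_line,
            "${cert_file}の証明書は本日最終日です。",
            '証明書の更新を行ってください。',
            'または、至急担当者へ連絡してください。',
        );
    }
    elsif ( $diff < 0 ) {
        ## Already expired
        $tag        = '期限切れ';
        @body_lines = (
            $expiry_line,
            "${cert_file}の証明書切れています。",
            '至急、担当者に確認してください。',
        );
    }
    else {
        ## Any other reminder day
        $tag        = "${diff}日前";
        @body_lines = (
            $file_line,
            $expiry_line,
            "${cert_file}の証明書は${diff}日前になりました。",
        );
    }

    # Header values must be 7-bit ASCII: the Japanese subject is turned into
    # an RFC 2047 encoded-word, after which the header block needs no further
    # encoding.
    my $subject     = "【${cert_file}】【${tag}】SSL証明書期限レポート";
    my $subject_jis = encode('MIME-Header-ISO_2022_JP', $subject);
    my $header      = join "\n",
        "From: $FROM",
        "To: $MAILTO",
        "Subject: $subject_jis",
        'MIME-Version: 1.0',
        'Content-Type: text/plain; charset=iso-2022-jp',
        'Content-Transfer-Encoding: 7bit',
        '', '';    # the empty line separates the header block from the body

    my $message     = join '', map { "$_\n" } @body_lines;
    my $message_jis = encode('7bit-jis', $message);

    my $smtp = Net::SMTP->new($HOST)
        or die "cannot connect to SMTP server $HOST: $@\n";
    $smtp->mail($FROM)  or die 'MAIL FROM rejected: ' . $smtp->message;
    $smtp->to($MAILTO)  or die 'RCPT TO rejected: ' . $smtp->message;
    $smtp->bcc(@MAIL_BCC) if @MAIL_BCC;
    $smtp->data();
    $smtp->datasend($header);
    $smtp->datasend($message_jis);
    $smtp->dataend()    or die 'message not accepted: ' . $smtp->message;
    $smtp->quit;
}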