#!/bin/bash # Script: monitor-ssl-certificates.sh # Locatie: /opt/scripts/monitor-ssl-certificates.sh (pe pvemini) # Scop: Verifica certificatele SSL extern si alerteaza/forteaza reinstalare # Rulare: Cron zilnic sau la cerere set -e # Configurare DAYS_WARNING=14 DAYS_CRITICAL=7 LOG_FILE="/var/log/ssl-monitor.log" EMAIL_TO="root" # Proxmox trimite la adresa configurata # Domenii de verificat DOMAINS=( "roa.romfast.ro" "dokploy.romfast.ro" "gitea.romfast.ro" "roa2web.romfast.ro" ) # Site IDs pentru fiecare domeniu (in aceeasi ordine) SITE_IDS=(1 2 3 4) log() { echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1" | tee -a "$LOG_FILE" } check_certificate() { local domain=$1 local expiry_date expiry_epoch now_epoch days_left # Obtine data expirare expiry_date=$(echo | openssl s_client -servername "$domain" -connect "$domain:443" 2>/dev/null | \ openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2) if [[ -z "$expiry_date" ]]; then echo "-1" return fi # Calculeaza zilele ramase expiry_epoch=$(date -d "$expiry_date" +%s 2>/dev/null) now_epoch=$(date +%s) days_left=$(( (expiry_epoch - now_epoch) / 86400 )) echo "$days_left" } force_renew_certificate() { local site_id=$1 local domain=$2 log "Fortez reinstalare certificat pentru $domain (Site ID: $site_id)..." # Executa pe VM 201 prin Proxmox guest agent result=$(qm guest exec 201 -- powershell -Command \ "cd C:\\Tools\\win-acme; .\\wacs.exe --target iis --siteid $site_id --installation iis --force" 2>&1) if echo "$result" | grep -q '"exitcode" : 0'; then log "SUCCES: Certificat reinstalat pentru $domain" return 0 else log "EROARE: Reinstalare esuata pentru $domain" log "$result" return 1 fi } restart_iis() { log "Restart IIS..." qm guest exec 201 -- cmd /c "iisreset" >/dev/null 2>&1 log "IIS restartat" } send_alert() { local subject=$1 local body=$2 # Foloseste sistemul de notificari Proxmox if command -v pvesh &>/dev/null; then echo "$body" | mail -s "$subject" "$EMAIL_TO" 2>/dev/null || true fi log "ALERT: $subject" } # Main log "========== Verificare certificate SSL ==========" warnings=() criticals=() renewed=0 for i in "${!DOMAINS[@]}"; do domain="${DOMAINS[$i]}" site_id="${SITE_IDS[$i]}" days_left=$(check_certificate "$domain") if [[ "$days_left" == "-1" ]]; then log "EROARE: Nu pot verifica $domain" criticals+=("$domain: Nu pot obtine certificatul") continue fi log "$domain: $days_left zile ramase" if [[ $days_left -lt 0 ]]; then criticals+=("$domain: EXPIRAT!") # Forteaza reinstalare if force_renew_certificate "$site_id" "$domain"; then ((renewed++)) fi elif [[ $days_left -lt $DAYS_CRITICAL ]]; then criticals+=("$domain: expira in $days_left zile") # Forteaza reinstalare if force_renew_certificate "$site_id" "$domain"; then ((renewed++)) fi elif [[ $days_left -lt $DAYS_WARNING ]]; then warnings+=("$domain: expira in $days_left zile") # Forteaza reinstalare preventiv if force_renew_certificate "$site_id" "$domain"; then ((renewed++)) fi fi done # Restart IIS daca am reinoit if [[ $renewed -gt 0 ]]; then restart_iis fi # Trimite alerte if [[ ${#criticals[@]} -gt 0 ]]; then body="Certificate SSL CRITICE:\n\n" for msg in "${criticals[@]}"; do body+="- $msg\n" done body+="\nActiuni intreprinse: $renewed certificate reinstalate" send_alert "[CRITICAL] Certificate SSL expirate/aproape de expirare" "$body" fi if [[ ${#warnings[@]} -gt 0 && ${#criticals[@]} -eq 0 ]]; then body="Certificate SSL WARNING:\n\n" for msg in "${warnings[@]}"; do body+="- $msg\n" done body+="\nActiuni intreprinse: $renewed certificate reinstalate" send_alert "[WARNING] Certificate SSL aproape de expirare" "$body" fi log "========== Sumar: $renewed reinstalate, ${#warnings[@]} warnings, ${#criticals[@]} critice ==========" exit 0