#!/bin/sh

# Check zrepl SSL certificates for impending expiration each week
#
# Add the following lines to /etc/periodic.conf:
#
# weekly_zrepl_enable (bool):	Set to "NO" by default
# weekly_zrepl_warntime (int): Set to one month's worth of seconds by default

# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

# 30 days in seconds
: ${weekly_zrepl_warntime="2592000"}

rc=0
case "$weekly_zrepl_enable" in
    [Yy][Ee][Ss])
	echo
	echo "Check Zrepl certificates for upcoming expiration:"

	for cert in `/usr/bin/find %%ETCDIR%% -maxdepth 1 -name *.crt`; do
		/usr/bin/openssl x509 --in "${cert}" \
			-checkend "${weekly_zrepl_warntime}"

		if [ $? -gt 0 ]; then
			echo "${cert} will expire soon"
			/usr/bin/openssl x509 --in "${cert}" -noout -enddate
			rc=3
		fi
	done
	;;
    *)  rc=0;;
esac

exit $rc