Monitor your Azure SSL certificate expiration




Using the instructions below you can import an Azure Automation runbook that alerts you through SendGrid whenever a certificate is about to expire.

The reason for creating this script was to find a way to be informed whenever the private certificate for Sitecore xConnect was about to expire. The script will, however, help you monitor all your certificates within your Azure subscription.

Prerequisites:

- Azure Automation account
- Azure Automation module: AzureRM.Websites
- SMTP client (in this case SendGrid)

In the steps below I assume you already have an Azure Automation account configured.

Step 1: Install the runbook from the Azure Automation Runbooks gallery. Search for "Check SSL expiration and notify per mail".

Import the runbook, then edit and publish it.

Step 2: Once the runbook has been imported, you need to define a schedule. I would advise creating a recurring schedule that reports monthly.

Step 3: The parameters can be filled in as in the screenshot below, assuming you use SendGrid:

* Please note that the SendGrid username can be found in the Azure Portal under SendGrid Accounts.


The source of this runbook can be downloaded here: https://gallery.technet.microsoft.com/Check-SSL-expiration-and-ce5305f2


[code language="powershell"]
Param(
    [Parameter(Mandatory = $false)] [string] $emailSmtpServer = "smtp.sendgrid.net",
    [Parameter(Mandatory = $false)] [int]    $emailSmtpServerPort = 587,
    [Parameter(Mandatory = $true)]  [string] $sendGridUserName,
    [Parameter(Mandatory = $true)]  [string] $sendGridPassword,
    [Parameter(Mandatory = $true)]  [string] $emailFrom,
    [Parameter(Mandatory = $true)]  [string] $emailTo,
    [Parameter(Mandatory = $false)] [int]    $minimumCertAgeDays = 30
)

# This script has been created by Bram Stoop
# Feel free to visit my website https://bramstoop.com/ and leave me comments/give me feedback on this runbook
# You can also follow me on twitter https://twitter.com/bramstoopcom

# This runbook will check all certificates, within your subscription, on expiration date.
# By default it uses sendgrid for mail notifications.

# Make sure you have the AzureRM.Websites module installed within Azure Automation
# Keep in mind that the Sendgrid username has this format azure_somekindofnumber@azure.com - this can be found in the azure portal
# Note: Get-AzureRmWebAppCertificate returns App Service (Web App) certificates; certificates stored elsewhere,
# for example in Key Vault, are not covered by this check.

$connectionName = "AzureRunAsConnection"
try {
    # Get the connection "AzureRunAsConnection"
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName

    Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint
} catch {
    if (!$servicePrincipalConnection) {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else {
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}

$currentSubscription = (Get-AzureRmContext).Subscription
$resourceGroups = Get-AzureRmResourceGroup
$securePassword = ConvertTo-SecureString $sendGridPassword -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($sendGridUserName, $securePassword)
$emailSmtpUser = $credential.UserName
$emailSmtpPass = $credential.GetNetworkCredential().Password

if ($resourceGroups) {
    foreach ($ResourceGroup in $resourceGroups) {
        $ResourceGroupName = "$($ResourceGroup.ResourceGroupName)"
        $allCertificates = Get-AzureRmWebAppCertificate -ResourceGroupName $ResourceGroupName

        foreach ($certificate in $allCertificates) {
            [datetime]$expiration = $($certificate.ExpirationDate)
            # Days left until expiry; negative once the certificate has already expired
            [int]$certExpiresIn = ($expiration - $(Get-Date)).Days

            if ($certExpiresIn -gt $minimumCertAgeDays) {
                Write-Output "$($certificate.FriendlyName) expiry date is $($certificate.ExpirationDate)"
                Write-Output "Certificate for $($certificate.FriendlyName) expires in $certExpiresIn days [on $expiration]"
            } else {
                Write-Output "WARNING: Certificate with friendly name: $($certificate.FriendlyName) expires in $certExpiresIn days [on $expiration]`nThis certificate can be found in resourcegroup: $($ResourceGroup.ResourceGroupName)`nExisting in subscription with name: $($currentSubscription.Name)"

                $subject = "WARNING: Certificate with friendly name: $($certificate.FriendlyName) expires in $certExpiresIn days"
                # The mail is sent as HTML, so line breaks are <br /> tags rather than newlines
                $body = "WARNING: Certificate with friendly name: $($certificate.FriendlyName)<br />" +
                        "Expires in: $certExpiresIn days on $expiration<br />" +
                        "This certificate can be found in resourcegroup: $($ResourceGroup.ResourceGroupName)<br />" +
                        "Existing in subscription: Name: $($currentSubscription.Name) Subscription Id: $($currentSubscription.Id) Tenant Id: $($currentSubscription.TenantId)"
                # If you want to extend your message you can use the expression underneath
                #$body += "<br />Your company name website mycompanyname.com"

                $emailMessage = New-Object System.Net.Mail.MailMessage($emailFrom, $emailTo, $subject, $body)
                $emailMessage.IsBodyHtml = $true

                $SMTPClient = New-Object System.Net.Mail.SmtpClient($emailSmtpServer, $emailSmtpServerPort)
                $SMTPClient.EnableSsl = $true
                $SMTPClient.Credentials = New-Object System.Net.NetworkCredential($emailSmtpUser, $emailSmtpPass)
                $SMTPClient.Send($emailMessage)
            }
        }
    }
}
else {
    Write-Output "There are no resourcegroups within this subscription"
}
[/code]
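The runbook above mixes the expiry arithmetic with the Azure and SMTP calls, so the threshold logic can only be exercised inside Automation. The following is an added example, not part of the original runbook or the gallery download, that pulls the check out into two functions that run offline on constructed sample data; the function names, the `Status` values, the injectable `$Now` parameter and the sample certificates are all my own assumptions. It also goes slightly beyond the original by distinguishing certificates that have already expired (negative days remaining) from those merely approaching the threshold.

```powershell
# Added example (not the original runbook): the expiry check as plain functions
# that take certificate-like objects with FriendlyName, ExpirationDate and
# ResourceGroupName, so the logic can be run and tested without Azure access.

function Get-CertificateExpiryReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]  [object[]] $Certificates,
        [Parameter(Mandatory = $false)] [int]      $MinimumCertAgeDays = 30,
        # Injectable "now" (assumption, not in the original) so results are deterministic in tests
        [Parameter(Mandatory = $false)] [datetime] $Now = (Get-Date)
    )

    foreach ($cert in $Certificates) {
        [datetime]$expiration = $cert.ExpirationDate
        # Floor instead of TimeSpan.Days: a certificate that expired a few hours ago
        # must come out as -1, not 0, so it is reported as expired rather than "0 days left"
        [int]$daysLeft = [math]::Floor(($expiration - $Now).TotalDays)

        if ($daysLeft -lt 0) {
            $status = 'Expired'
        } elseif ($daysLeft -le $MinimumCertAgeDays) {
            # Same condition the runbook uses for its warning branch (not -gt threshold)
            $status = 'ExpiringSoon'
        } else {
            $status = 'OK'
        }

        [pscustomobject]@{
            FriendlyName      = $cert.FriendlyName
            ResourceGroupName = $cert.ResourceGroupName
            ExpirationDate    = $expiration
            DaysLeft          = $daysLeft
            Status            = $status
        }
    }
}

function New-ExpiryAlertBody {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Report,
        [Parameter(Mandatory = $true)] [string]   $SubscriptionName
    )
    # Only certificates that need attention go into the mail; <br /> because the runbook sends HTML
    $lines = foreach ($item in @($Report | Where-Object { $_.Status -ne 'OK' })) {
        $when = $item.ExpirationDate.ToString('yyyy-MM-dd')
        if ($item.Status -eq 'Expired') {
            "WARNING: $($item.FriendlyName) EXPIRED $([math]::Abs($item.DaysLeft)) days ago [on $when] in resource group $($item.ResourceGroupName)"
        } else {
            "WARNING: $($item.FriendlyName) expires in $($item.DaysLeft) days [on $when] in resource group $($item.ResourceGroupName)"
        }
    }
    if (-not $lines) { return $null }   # nothing to alert on: caller skips the mail
    return "Subscription: $SubscriptionName<br />" + ($lines -join '<br />')
}

# Constructed sample data (not from a real subscription): one healthy certificate,
# one inside the 30-day window and one that has already expired.
$now = Get-Date '2024-01-15'
$sampleCerts = @(
    [pscustomobject]@{ FriendlyName = 'www.contoso.example';      ExpirationDate = $now.AddDays(90); ResourceGroupName = 'rg-web' }
    [pscustomobject]@{ FriendlyName = 'xconnect.contoso.example'; ExpirationDate = $now.AddDays(12); ResourceGroupName = 'rg-sitecore' }
    [pscustomobject]@{ FriendlyName = 'legacy.contoso.example';   ExpirationDate = $now.AddDays(-3); ResourceGroupName = 'rg-legacy' }
)

$report = Get-CertificateExpiryReport -Certificates $sampleCerts -MinimumCertAgeDays 30 -Now $now
$report | Format-Table FriendlyName, DaysLeft, Status -AutoSize

$body = New-ExpiryAlertBody -Report $report -SubscriptionName 'sub-constructed'
if ($body) {
    # In the runbook this is the point where the MailMessage/SmtpClient send happens
    Write-Output $body
}
```

Because `$Now` is injectable, both functions can be driven from a Pester test with fixed dates, and the report objects can be fed to whatever notifier you prefer. Two practical notes when wiring this back into the runbook: the SendGrid password is safer stored as an Automation credential asset and read with `Get-AutomationPSCredential` than passed as a plain string parameter, and with a monthly schedule and a 30-day threshold a certificate can be within a day of expiry, or already expired, before the first alert fires, so shorten the interval or raise `MinimumCertAgeDays` accordingly.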