#!/bin/sh
# -*- sh -*-
: << =cut

=head1 NAME

ssl-certificate-expiry - Plugin to monitor CERTificate expiration on multiple services and ports

=head1 CONFIGURATION

  [ssl-certificate-expiry]
    env.services www.service.tld blah.example.net_PORT

To set warning and critical levels, do it like this:

  [ssl-certificate-expiry]
    env.services ...
    env.warning 30:

Alternatively, if you want to monitor hosts separately, you can create multiple symlinks named as follows.

  ssl-certificate-expiry_HOST_PORT

For example:

  ssl-certificate-expiry_www.example.net
  ssl-certificate-expiry_www.example.org_443
  ssl-certificate-expiry_192.0.2.42_636
  ssl-certificate-expiry_2001:0DB8::badc:0fee_485

=head1 AUTHOR

Patrick Domack (ssl_)
Olivier Mehani (ssl-certificate-expiry)

Copyright (C) 2013 Patrick Domack <patrickdk@patrickdk.com>
Copyright (C) 2017 Olivier Mehani <shtrom+munin@ssji.net>

=head1 LICENSE

=cut
. "${MUNIN_LIBDIR}/plugins/plugin.sh"
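# Trace every command when Munin is run in debug mode. The ":-" default keeps
# the test valid even if the script is ever run with `set -u`.
if [ "${MUNIN_DEBUG:-}" = 1 ]; then
  set -x
fi

# Symlink mode: strip everything up to and including the plugin-name prefix
# from $0. When the prefix is absent the expansion returns $0 unchanged, which
# is how the "not invoked through a per-host symlink" case is detected below.
HOSTPORT=${0##*ssl-certificate-expiry_}

# A non-empty HOST[_PORT] suffix replaces whatever env.services provided.
# The value is later handed to openssl as the peer to connect to, so whoever
# can create symlinks to this plugin decides which hosts get probed.
if [ "${HOSTPORT}" != "${0}" ] \
  && [ -n "${HOSTPORT}" ]; then
  services="${HOSTPORT}"
fi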
# Munin "config" request: describe the graph, then one field per service.
# clean_fieldname and print_thresholds are not defined in this file; they are
# presumably provided by the sourced plugin.sh.
if [ "${1}" = "config" ]; then
  # Static graph attributes.
  cat <<'EOF'
graph_title SSL Certificates Expiration
graph_args --base 1000
graph_vlabel days left
graph_category security
graph_info This graph shows the days left for the certificate
EOF

  # $services is left unquoted on purpose: it is a whitespace-separated list.
  for service in $services; do
    fieldname=$(clean_fieldname "$service")
    # Show the service as HOST:PORT (only the first underscore is replaced).
    label=$(echo "${service}" | sed 's/_/:/')
    echo "${fieldname}.label ${label}"
    print_thresholds "${fieldname}"
  done

  exit 0
fi
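#######################################
# Print the number of days left before a service's certificate expires.
#
# Arguments: $1 - service written as HOST or HOST_PORT (port defaults to 443)
# Globals:   SITE, PORT, VAR, CONNECT_HOST and CERT are overwritten (the
#            script targets /bin/sh, so no `local` is used).
# Outputs:   "<fieldname>.value <days>" on stdout; nothing when no
#            certificate could be retrieved (stderr of s_client is dropped).
#
# NOTE(review): -CApath is passed to s_client, but its verification result is
# never inspected. The value printed is the expiry of whatever certificate
# the peer presents, trusted or not; this plugin does not detect an untrusted
# or mismatching certificate.
# NOTE(review): s_client is started without any timeout here; a peer that
# accepts the connection and then stalls would presumably block the plugin.
#######################################
get_expire()
{
  SITE="$(echo "${1}" | sed 's/_.*//')"
  PORT="$(echo "${1}" | sed 's/.*_//')"

  # clean_fieldname is not defined in this file; presumably it comes from the
  # sourced plugin.sh and yields a Munin-safe field name.
  VAR="$(clean_fieldname "$1")"

  # Without an underscore both sed calls return $1 unchanged: no port given.
  if [ "$PORT" = "$SITE" ]; then
    PORT=443
  fi

  # Only the -connect target needs IPv6 addresses wrapped in square brackets.
  # The name sent with -servername is kept as given, so the brackets no longer
  # end up inside the SNI value.
  CONNECT_HOST="${SITE}"
  if echo "$SITE" | grep -q ':'; then
    CONNECT_HOST="[${SITE}]"
  fi

  CERT=$(echo "" | openssl s_client -CApath /etc/ssl/certs -servername "${SITE}" -connect "${CONNECT_HOST}:${PORT}" 2>/dev/null)

  if echo "${CERT}" | grep -q -- "-----BEGIN CERTIFICATE-----"; then
    # `openssl x509 -enddate` prints notAfter in GMT, while awk's mktime()
    # interprets its argument as local time; forcing TZ to UTC for awk removes
    # the resulting skew of up to a day's fraction. The field name is passed
    # with -v instead of being spliced into a sed expression afterwards.
    echo "${CERT}" \
      | openssl x509 -noout -enddate \
      | TZ=UTC0 awk -F= -v field="${VAR}" 'BEGIN {
          split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", month, " ");
          for (i=1; i<=12; i++)
            mdigit[month[i]] = i;
        }
        /notAfter/ {
          # "notAfter=Mon DD HH:MM:SS YYYY GMT" -> "YYYY MM DD HH MM SS"
          split($0,a,"="); split(a[2],b," "); split(b[3],time,":");
          datetime=b[4] " " mdigit[b[1]] " " b[2] " " time[1] " " time[2] " " time[3];
          days=(mktime(datetime)-systime())/86400;
          print field ".value " days;
        }'
  fi
}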
# Fetch mode: emit one value line per configured service.
# ${services} is deliberately unquoted so the whitespace-separated list is
# split into individual HOST[_PORT] entries.
# shellcheck disable=SC2086
for service in ${services}
do
  get_expire "${service}"
done