2
0
mirror of https://github.com/munin-monitoring/contrib.git synced 2018-11-08 00:59:34 +01:00

Merge pull request #847 from shtrom/multi-ssl

[ssl-certificate-expiry] Replace ssl_ with a single graph showing all expiries
This commit is contained in:
sumpfralle 2017-08-14 04:43:24 +02:00 committed by GitHub
commit 8f92eb1715
2 changed files with 125 additions and 2 deletions

View File

@ -0,0 +1,111 @@
#!/bin/sh
# -*- sh -*-
: << =cut
=head1 NAME
ssl-certificate-expiry - Plugin to monitor CERTificate expiration on multiple services and ports
=head1 CONFIGURATION
[ssl-certificate-expiry]
env.services www.service.tld blah.example.net_PORT
To set warning and critical levels do like this:
[ssl-certificate-expiry]
env.services ...
env.warning 30:
Alternatively, if you want to monitor hosts separately, you can create multiple symlinks named as follows.
ssl-certificate-expiry_HOST_PORT
For example:
ssl-certificate-expiry_www.example.net
ssl-certificate-expiry_www.example.org_443
ssl-certificate-expiry_192.0.2.42_636
ssl-certificate-expiry_2001:0DB8::badc:0fee_485
=head1 AUTHOR
Pactrick Domack (ssl_)
Olivier Mehani (ssl-certificate-expiry)
Copyright (C) 2013 Patrick Domack <patrickdk@patrickdk.com>
Copyright (C) 2017 Olivier Mehani <shtrom+munin@ssji.net>
=head1 LICENSE
=cut
. "${MUNIN_LIBDIR}/plugins/plugin.sh"
if [ "${MUNIN_DEBUG}" = 1 ]; then
set -x
fi
HOSTPORT=${0##*ssl-certificate-expiry_}
if [ "${HOSTPORT}" != "${0}" ] \
&& [ ! -z "${HOSTPORT}" ]; then
services="${HOSTPORT}"
fi
case $1 in
config)
echo "graph_title SSL Certificates Expiration"
echo 'graph_args --base 1000'
echo 'graph_vlabel days left'
echo 'graph_category security'
echo "graph_info This graph shows the days left for the certificate"
for service in $services; do
fieldname=$(clean_fieldname "$service")
echo "${fieldname}.label $(echo "${service}" | sed 's/_/:/')"
print_thresholds "${fieldname}"
done
exit 0
;;
esac
get_expire()
{
SITE="$(echo "${1}" | sed 's/_.*//')"
PORT="$(echo "${1}" | sed 's/.*_//')"
VAR="$(clean_fieldname "$1")"
if [ "$PORT" = "$SITE" ]; then
PORT=443
fi
if echo "$SITE" | grep -q ':'; then
# Wrap IPv6 addresses in square brackets
SITE="[${SITE}]"
fi
CERT=$(echo "" | openssl s_client -CApath /etc/ssl/certs -servername "${SITE}" -connect "${SITE}:${PORT}" 2>/dev/null);
if echo "${CERT}" | grep -q -- "-----BEGIN CERTIFICATE-----"; then
echo "${CERT}" \
| openssl x509 -noout -enddate \
| awk -F= 'BEGIN {
split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", month, " ");
for (i=1; i<=12; i++)
mdigit[month[i]] = i;
}
/notAfter/ {
split($0,a,"="); split(a[2],b," "); split(b[3],time,":");
datetime=b[4] " " mdigit[b[1]] " " b[2] " " time[1] " " time[2] " " time[3];
days=(mktime(datetime)-systime())/86400;
print "VAR.value " days;
}' \
| sed "s/VAR/${VAR}/g"
fi
}
for service in $services; do
get_expire "$service"
done

View File

@ -26,7 +26,7 @@ Copyright (C) 2013 Patrick Domack <patrickdk@patrickdk.com>
=cut
. $MUNIN_LIBDIR/plugins/plugin.sh
. "$MUNIN_LIBDIR/plugins/plugin.sh"
ARGS=${0##*ssl_}
SITE=${ARGS/_*/}
@ -54,5 +54,17 @@ esac
cert=$(echo "" | openssl s_client -CApath /etc/ssl/certs -servername "${SITE}" -connect "${SITE}:${PORT}" 2>/dev/null);
if [[ "${cert}" = *"-----BEGIN CERTIFICATE-----"* ]]; then
echo "${cert}" | openssl x509 -noout -enddate | awk -F= 'BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", month, " "); for (i=1; i<=12; i++) mdigit[month[i]] = i; } /notAfter/ { split($0,a,"="); split(a[2],b," "); split(b[3],time,":"); datetime=b[4] " " mdigit[b[1]] " " b[2] " " time[1] " " time[2] " " time[3]; days=(mktime(datetime)-systime())/86400; print "expire.value " days; }'
echo "${cert}" \
| openssl x509 -noout -enddate \
| awk -F= 'BEGIN {
split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", month, " ");
for (i=1; i<=12; i++)
mdigit[month[i]] = i;
}
/notAfter/ {
split($0,a,"="); split(a[2],b," "); split(b[3],time,":");
datetime=b[4] " " mdigit[b[1]] " " b[2] " " time[1] " " time[2] " " time[3];
days=(mktime(datetime)-systime())/86400;
print "expire.value " days;
}'
fi