From e2eef65c09efb1e1f7a0d452c3582e24cb76987e Mon Sep 17 00:00:00 2001
From: Simon Tennant
Date: Sun, 11 Aug 2013 07:55:19 +0200
Subject: [PATCH 1/3] Added a plugin to check SSL certificate expiry times

This plugin connects to remote hosts and checks the HTTPS certificate expiry time. Example: https://munin.buddycloud.com/ssl-day.html
---
 plugins/ssl_certificates/ssl_ | 53 +++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 plugins/ssl_certificates/ssl_

diff --git a/plugins/ssl_certificates/ssl_ b/plugins/ssl_certificates/ssl_
new file mode 100644
index 00000000..2b7d1407
--- /dev/null
+++ b/plugins/ssl_certificates/ssl_
@@ -0,0 +1,53 @@
+#!/bin/bash
+# -*- sh -*-
+
+: << =cut
+
+=head1 NAME
+
+ssl_ - Plugin to monitor certificate expiration
+
+=head1 CONFIGURATION
+
+This plugin does not normally require configuration.
+
+To set warning and critical levels do like this:
+
+ [ssl_*]
+ env.warning 30:
+
+=head1 AUTHOR
+
+Pactrick Domack
+
+Copyright (C) 2013 Patrick Domack
+
+=head1 LICENSE
+
+=cut
+
+. $MUNIN_LIBDIR/plugins/plugin.sh
+
+SITE=${0##*ssl_}
+
+case $1 in
+ config)
+
+ echo "graph_title $SITE SSL Certificate Expire"
+ echo 'graph_args --base 1000'
+ echo 'graph_vlabel days left'
+ echo 'graph_category ssl'
+ echo "graph_info This graph shows the days left for the certificate being served by $SITE"
+ echo 'expire.label days'
+ print_warning expire
+ print_critical expire
+
+ exit 0
+ ;;
+esac
+
+cert=$(echo "" | openssl s_client -CApath /etc/ssl/certs -connect "${SITE}:443" 2>/dev/null);
+
+if [[ "${cert}" = *"-----BEGIN CERTIFICATE-----"* ]]; then
+ echo "${cert}" | openssl x509 -noout -enddate | awk -F= 'BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", month, " "); for (i=1; i<=12; i++) mdigit[month[i]] = i; } /notAfter/ { split($0,a,"="); split(a[2],b," "); split(b[3],time,":"); datetime=b[4] " " mdigit[b[1]] " " b[2] " " time[1] " " time[2] " " time[3]; days=(mktime(datetime)-systime())/86400; print "expire.value " days; }'
+fi

From 33cf24ad795b54370d06abfc11b6a5e4cd7042cd Mon Sep 17 00:00:00 2001
From: Simon Tennant
Date: Sun, 11 Aug 2013 08:00:41 +0200
Subject: [PATCH 2/3] more sensible subdirectory name (ssl_certificates -> ssl)

---
 plugins/{ssl_certificates => ssl}/ssl_ | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename plugins/{ssl_certificates => ssl}/ssl_ (100%)

diff --git a/plugins/ssl_certificates/ssl_ b/plugins/ssl/ssl_
similarity index 100%
rename from plugins/ssl_certificates/ssl_
rename to plugins/ssl/ssl_

From f3917e15956e741e8b47bf98f95297b56391a4f5 Mon Sep 17 00:00:00 2001
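Review bot: When the connection fails or the reply carries no certificate, the `if` at the end of the hunk prints nothing, so Munin records a gap for `expire.value` instead of a state it can alert on; an unreachable or mis-served host then looks identical to a check that never ran. Add `else echo "expire.value U"; fi` so the datasource goes to UNKNOWN and the `print_warning`/`print_critical` thresholds stay meaningful. Two smaller points in the same block: the awk `mktime()`/`systime()` calls are not in POSIX awk and `mktime()` interprets the `notAfter` timestamp (which OpenSSL prints in GMT) in the local time zone, so the day count drifts by the zone offset unless the awk is run as `TZ=UTC awk ...`; and the source line should quote its expansion, `. "$MUNIN_LIBDIR/plugins/plugin.sh"`.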
From: Simon Tennant
Date: Thu, 3 Oct 2013 09:50:57 +0200
Subject: [PATCH 3/3] Support SNI in the certificate checking plugin was checking the first vhost rather than the correct vhost's ssl certificate validity.
---
 plugins/ssl/ssl_ | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/plugins/ssl/ssl_ b/plugins/ssl/ssl_
index 2b7d1407..7f02b99d 100644
--- a/plugins/ssl/ssl_
+++ b/plugins/ssl/ssl_
@@ -46,7 +46,7 @@ case $1 in
 ;;
 esac
 
-cert=$(echo "" | openssl s_client -CApath /etc/ssl/certs -connect "${SITE}:443" 2>/dev/null);
+cert=$(echo "" | openssl s_client -CApath /etc/ssl/certs -servername "${SITE}" -connect "${SITE}:443" 2>/dev/null);
 
 if [[ "${cert}" = *"-----BEGIN CERTIFICATE-----"* ]]; then
 echo "${cert}" | openssl x509 -noout -enddate | awk -F= 'BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", month, " "); for (i=1; i<=12; i++) mdigit[month[i]] = i; } /notAfter/ { split($0,a,"="); split(a[2],b," "); split(b[3],time,":"); datetime=b[4] " " mdigit[b[1]] " " b[2] " " time[1] " " time[2] " " time[3]; days=(mktime(datetime)-systime())/86400; print "expire.value " days; }'
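Review bot: Sending `-servername` asks for the right vhost, but nothing on the new `cert=` line or after it confirms that the certificate returned is for `$SITE`; a server that ignores SNI and serves its default certificate (the situation the commit description describes) still has that certificate's expiry graphed under `$SITE` with no sign it is the wrong one. Consider checking the subject/SAN from `${cert}` (`openssl x509 -noout -subject`, or `-ext subjectAltName` where the installed `openssl x509` supports it) and emitting `expire.value U` when `$SITE` does not appear, or, on OpenSSL builds that have it, passing `-verify_hostname "${SITE}"` and reading the verify result; I can't tell from the hunk which OpenSSL version the target hosts run. `-servername` is also meant for a DNS name rather than an IP literal, so a plugin symlink suffixed with an address now sends an SNI value the server may reject; a sentence in the CONFIGURATION section saying the suffix must be the vhost's hostname would cover that. The `case` statement that the `;;`/`esac` context belongs to begins above the hunk.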