Created
February 28, 2024 11:40
Check-MK local Plugin for checking PEM encoded files for a given extension (defaults to .crt)
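#!/bin/bash
#
# Check-MK local plugin: reports the remaining validity of PEM encoded
# certificate files found below a directory.
#
# Usage:  check_ssl_cert_file [DIRECTORY]
#   DIRECTORY  directory to scan; defaults to D_PATH when omitted.
#
# Output: one local-check line "<state> <name> - <text>", and the same state
#         as exit code (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN).

# State codes used both in the output line and as exit status.
OK=0
WARN=1
CRIT=2
UNKN=3

# Defaults; every one of them can be overridden in the config file below.
W_DAYS=15                       # warn when this many days (or fewer) remain
C_DAYS=10                       # critical when this many days (or fewer) remain
D_PATH="/etc/pki/tls/certs"     # directory scanned when no argument is given
EXT="crt"                       # file extension to look for (case-insensitive)
CFG="/etc/check_mk/check_ssl_cert_file.cfg"
NAME="SSL_Cert_File"

# Resolve the external tools once. `command -v` is the portable replacement
# for `which`.
FIND=$(command -v find)
FILE=$(command -v file)
OPENSSL=$(command -v openssl)
HEAD=$(command -v head)
DATE=$(command -v date)

# The config file is *sourced*, i.e. executed as shell code with the
# privileges of whoever runs this plugin. Keep it owned by that user (or root)
# and not writable by anyone else.
# shellcheck disable=SC1090
[[ -f "$CFG" ]] && . "$CFG"

# Pick the directory to scan: the first argument if given, else the default.
if [[ -z $1 && -d $D_PATH ]]; then
  C_PATH=$D_PATH
elif [[ -n $1 && -d $1 ]]; then
  C_PATH=$1
else
  echo "UNKNOWN: $0: $1: No valid path supplied !"
  exit "$UNKN"
fi

# A directory name starting with "-" would be parsed by find as an option.
case $C_PATH in
  -*) C_PATH="./$C_PATH" ;;
esac

# Thresholds end up in arithmetic contexts, so accept plain integers only.
if ! [[ $W_DAYS =~ ^[0-9]+$ && $C_DAYS =~ ^[0-9]+$ ]]; then
  echo "UNKNOWN: $0: W_DAYS and C_DAYS must be non-negative integers !"
  exit "$UNKN"
fi

# The warning window has to be strictly larger than the critical window,
# otherwise the WARNING state could never be reached.
if (( W_DAYS <= C_DAYS )); then
  echo "UNKNOWN: $0: Warning value: $W_DAYS must be greater than critical value: $C_DAYS !"
  exit "$UNKN"
fi

# Collect candidate files NUL-delimited so that names containing spaces or
# other shell-special characters stay intact.
declare -a ARRAY=()
while IFS= read -r -d '' F; do
  ARRAY+=("$F")
done < <("$FIND" "$C_PATH" -type f -iname "*.$EXT" -print0 2>/dev/null)

# Matches the two ISO 8601 lines printed by `openssl x509 -dates`, joined by
# a single whitespace character.
TS_RE='[0-9]{4}-[0-9]{2}-[0-9]{2}[[:space:]][0-9]{2}:[0-9]{2}:[0-9]{2}Z'
DATES_RE="^notBefore=(${TS_RE})[[:space:]]notAfter=(${TS_RE})\$"

OUTPUT=
EVAL=$OK
ESTR="OK"

for F in "${ARRAY[@]}"; do
  # Only files that file(1) identifies as PEM certificates are examined.
  CF=$("$FILE" -b -- "$F")
  [[ $CF == *'PEM certificate'* ]] || continue

  base=${F##*/}

  # openssl x509 reads the first certificate in the file; -noout keeps the
  # PEM body out of the output so only the two date lines remain.
  V=$("$OPENSSL" x509 -in "$F" -noout -dates -dateopt iso_8601 | "$HEAD" -n 2)
  V=${V//$'\n'/ }

  # Files whose dates cannot be read are skipped and do not show up in the
  # result; testing the match directly also avoids reusing the captures of a
  # previous file.
  [[ $V =~ $DATES_RE ]] || continue
  BEFORE=${BASH_REMATCH[1]}
  AFTER=${BASH_REMATCH[2]}

  B_SEC=$("$DATE" -d "$BEFORE" +%s)
  A_SEC=$("$DATE" -d "$AFTER" +%s)
  C_SEC=$("$DATE" +%s)

  # Whole days of total validity minus whole days elapsed since notBefore.
  V_DAYS=$(( (A_SEC - B_SEC) / 86400 - (C_SEC - B_SEC) / 86400 ))

  if (( V_DAYS < 0 )); then
    # Already expired: report the number of days as a positive value.
    OUTPUT="$OUTPUT | $base: CRITICAL invalid since $(( -V_DAYS )) days"
    STATE=$CRIT
  elif (( V_DAYS <= C_DAYS )); then
    OUTPUT="$OUTPUT | $base: CRITICAL valid for $V_DAYS days"
    STATE=$CRIT
  elif (( V_DAYS <= W_DAYS )); then
    OUTPUT="$OUTPUT | $base: WARNING valid for $V_DAYS days"
    STATE=$WARN
  else
    OUTPUT="$OUTPUT | $base: OK valid for $V_DAYS days"
    STATE=$OK
  fi

  # Keep the worst state seen so far. The label is updated together with the
  # code, so a later WARNING can no longer relabel an earlier CRITICAL.
  if (( STATE > EVAL )); then
    EVAL=$STATE
    case $STATE in
      "$CRIT") ESTR="CRITICAL" ;;
      "$WARN") ESTR="WARNING" ;;
    esac
  fi
done

if [[ -n $OUTPUT ]]; then
  echo "$EVAL $NAME - $ESTR $OUTPUT"
  exit "$EVAL"
else
  # Nothing was examined: report UNKNOWN rather than a misleading OK.
  echo "$UNKN $NAME - UNKNOWN No certificates verified !"
  exit "$UNKN"
fi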
Config file: (/etc/check_mk/check_ssl_cert_file.cfg)