#!/bin/bash
# ======================================================================
#
# NAGIOS CLIENT CHECK :: check SSL certificate
# this plugin shows a warning if the certificate expires in less than
# ${iWarnDaysBefore} days (critical if it is already expired or not yet valid)
#
# REQUIREMENTS
# - openssl
# - the host must present the certificate for the requested domain on the
#   given port; the certificate subject is matched against that domain
#
# ----------------------------------------------------------------------
#
# ah=axel.hahn@iml.unibe.ch
# ds=daniel.schueler@iml.unibe.ch
#
# 2017-03-03 v1.0 ah,ds
# 2020-03-05 v1.1 <axel.hahn@iml.unibe.ch> switch to ph.* helper functions
# 2023-02-13 v1.2 <axel.hahn@unibe.ch> some shell fixes
# 2023-08-23 v1.3 <axel.hahn@unibe.ch> fix wrong exitcode to "critical"
# ======================================================================
. $(dirname $0)/inc_pluginfunctions
# --- defaults; the domain is taken from $1 and the port from the optional $2 in MAIN
sDomain=""
iPort=443
# warn when the certificate expires in fewer than this many days
iWarnDaysBefore=60
declare -i iErrors=0
declare -i iWarnings=0
sStatus=""
# ----------------------------------------------------------------------
# functions
# ----------------------------------------------------------------------
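# show help with syntax
# Arguments: none (the script name is taken from $0)
# Outputs:   usage text on stdout
function showHelp(){
    echo
    # keep this version in sync with the changelog in the file header
    echo "----- SSL Check v1.3"
    echo
    echo "SYNTAX: $(basename "$0") [domain] [[port]]"
    echo " domain - domain to verify the ssl certificate from (required)"
    echo " port - port number to connect (default: 443)"
    echo
}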
# ----------------------------------------------------------------------
# MAIN
# ----------------------------------------------------------------------
# --- check requirements
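ph.require openssl
if [ $# -eq 0 ]; then
    showHelp
    ph.abort
fi

# --- start
# $1 = domain to check (required), $2 = port (optional, default ${iPort})
sDomain="$1"
if [ -n "$2" ]; then
    iPort="$2"
fi

# NOTE(review): the handshake below neither pins a CA (-CAfile/-CApath) nor
# fails on verification errors, so this check reports expiry and name only -
# a self-signed or untrusted chain still comes back "ok" when the dates fit.

# --- try to connect
# -servername sends SNI: a host serving several certificates on one address
# otherwise answers with its default certificate, and the name check below
# then fails for the wrong reason.
if ! echo | openssl s_client -servername "${sDomain}" -connect "${sDomain}:${iPort}" >/dev/null 2>&1; then
    ph.setStatus "critical"
    ph.status "unable to connect to ${sDomain} via port :${iPort} - maybe wrong host ... or port ... wrong chaining"
    # repeat the last command without redirecting output so the openssl
    # error is visible in the check output
    echo | openssl s_client -servername "${sDomain}" -connect "${sDomain}:${iPort}"
    ph.exit
fi

# --- fetch the presented (leaf) certificate once as PEM; every x509 query
# below reads this copy instead of opening a new connection per query
sCert=$(echo | openssl s_client -servername "${sDomain}" -connect "${sDomain}:${iPort}" 2>/dev/null | openssl x509 2>/dev/null)
if [ -z "${sCert}" ]; then
    ph.setStatus "unknown"
    ph.status "connected to ${sDomain}:${iPort} but no certificate was received"
    ph.exit
fi

# --- does the certificate belong to the requested name?
# -checkhost matches the name against CN and subjectAltName (wildcards
# included); a plain substring match on the subject misses SAN-only and
# wildcard certificates. On an openssl too old for -checkhost the command
# fails and the check ends "unknown" rather than falsely "ok".
if ! openssl x509 -noout -checkhost "${sDomain}" <<<"${sCert}" 2>/dev/null | grep -q "does match certificate"; then
    ph.setStatus "unknown"
    echo SORRY, openssl was unable to fetch the right certificate - this happens on multiple ssl webs - it finds
    openssl x509 -noout -subject <<<"${sCert}"
    ph.exit
fi

# --- unix timestamps valid from .. to (date -d requires GNU date)
dateFrom=$(openssl x509 -noout -startdate <<<"${sCert}" | cut -f 2 -d "=")
dateTo=$(openssl x509 -noout -enddate <<<"${sCert}" | cut -f 2 -d "=")
tsFrom=$(date -d "${dateFrom}" +%s 2>/dev/null)
tsTo=$(date -d "${dateTo}" +%s 2>/dev/null)
tsNow=$(date +%s)
# an unparsable date would otherwise feed an empty string into the
# numeric comparisons below
if [ -z "${tsFrom}" ] || [ -z "${tsTo}" ]; then
    ph.setStatus "unknown"
    ph.status "unable to parse validity dates of ${sDomain}:${iPort} - from [${dateFrom}] to [${dateTo}]"
    ph.exit
fi
typeset -i iDaysLeft=$(( (tsTo - tsNow) / 60 / 60 / 24 ))

# --- check date
if [ "${tsFrom}" -gt "${tsNow}" ]; then
    ph.setStatus "critical"
    ph.status "certificate ${sDomain}:${iPort} is not valid yet - ${dateFrom}"
elif [ "${tsTo}" -lt "${tsNow}" ]; then
    ph.setStatus "critical"
    ph.status "certificate ${sDomain}:${iPort} is out of date - ${dateTo} - ${iDaysLeft} days"
elif [ "${iDaysLeft}" -lt "${iWarnDaysBefore}" ]; then
    # --- close ending day: still valid, but inside the warning window
    ph.setStatus "warning"
    ph.status "certificate ${sDomain}:${iPort} expires soon - ${dateTo} - ${iDaysLeft} days left"
else
    ph.setStatus "ok"
    ph.status "${sDomain}:${iPort} - valid to ${dateTo} (${iDaysLeft} days left)"
fi
ph.exit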
# ----------------------------------------------------------------------