  • check_ssl_certs 5.27 KiB
    #!/bin/bash
    # ======================================================================
    #
    # SSL check - warn if a ssl certificate expires.
    #
    # Check locally installed SSL client certificates and warn if the 
    # expiration date comes closer. 
    #
    # USAGE: check_ssl_certs [-w WARN_LIMIT] [-c CRITICAL_LIMIT] [-f "FILELIST"]
    # HELP: check_ssl_certs -h
    #
    # ----------------------------------------------------------------------
    # 2021-10-06  v0.1  <axel.hahn@iml.unibe.ch>  initial version
    # 2022-03-16  v0.2  <axel.hahn@iml.unibe.ch>  shell fixes; shorten perfdata label
    # 2022-10-21  v1.3  <axel.hahn@unibe.ch>      remove grep: warning: stray \ before white space
    # ======================================================================
    
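    # Load the shared helper file that sits next to this script (presumably the
    # source of the ph.* functions used below). The path is quoted so an install
    # directory containing spaces works. If the file cannot be read, the check
    # ends with exit code 3 (Nagios UNKNOWN) instead of running on without
    # its helpers.
    sIncFile="$(dirname "$0")/inc_pluginfunctions"
    if [ ! -r "$sIncFile" ]; then
        echo "UNKNOWN: cannot read $sIncFile"
        exit 3
    fi
    . "$sIncFile"

    # default limits in days before expiration; -w and -c override them
    typeset -i iWarn=14
    typeset -i iCrit=5

    # reference time (epoch seconds) used for all certificates of this run
    typeset -i iNow=$( date +%s )

    # worst result seen so far
    bHasCritical=false
    bHasWarning=false

    # one-line summary and detailed multi-line report
    shortstatus=""
    fullstatus=""

    # default file filter; -f overrides it
    filelist="/etc/ssl/certs/*.cert.cer"

    # remove domain in label in performance data
    myDomain=".iml.unibe.ch"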
    
    # ----------------------------------------------------------------------
    # functions
    # ----------------------------------------------------------------------
    
    # Print the usage text to stdout.
    # Globals:   reads $filelist, $iWarn and $iCrit to show the default values.
    #            The main section calls this before the command line overrides
    #            are applied, so the built-in defaults are shown.
    # Arguments: none
    # The here-document delimiter is unquoted, so $(basename $0) and the
    # variables are expanded at the moment the text is printed.
    function showHelp(){
    cat <<EOF
    ______________________________________________________________________
    
    CHECK_SSL_CERTS
    
    (c) Institute for Medical Education - University of Bern
    Licence: GNU GPL 3
    ______________________________________________________________________
    
    Check locally installed SSL client certificates and warn if the 
    expiration date comes closer. 
    
    SYNTAX:
    $(basename $0) [-w WARN_LIMIT] [-c CRITICAL_LIMIT] [-f "FILELIST"]
    
    OPTIONS:
    
        -f FILELIST    file filter to find certificates using globbing 
                       (default: $filelist)
                       To use multiple sources seperate them with a space char.
                       Quote your parameter value if you use multiple sources or * char.
        -w VALUE       warning level in days before expiration (default: $iWarn)
        -c VALUE       critical level in days before expiration (default: $iCrit)
    
        -h or --help   show this help.
    
    PARAMETERS:
    
        None.
    
    EXAMPLE:
    
        $(basename $0) -f "/etc/ssl/certs/*example.com.*.cer /somewhere/else/*.cer"
            Set 2 folders where to find the client certificates.
            They are seperated by space and both use * for globbing
    
        $(basename $0) -w 30 -c 3 
            Overide the warning and critical level.
    
    EOF
    }
    
    # ----------------------------------------------------------------------
    # MAIN
    # ----------------------------------------------------------------------
    
    
    # ----- help requested? Only the first argument is inspected.
    if [ "$1" = "--help" ] || [ "$1" = "-h" ]; then
        showHelp
        exit 0
    fi
    
    
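    # ----- check required tools

    ph.require openssl


    # --- override from command line params
    filelist=$(ph.getValueWithParam "$filelist" f "$@")

    # iWarn and iCrit are declared with "typeset -i". Bash evaluates anything
    # assigned to such a variable as an arithmetic expression, so the option
    # text is first read into plain string variables and accepted only if it
    # consists of digits. Anything else ends the check with exit code 3
    # (Nagios UNKNOWN) before the value is ever evaluated.
    sWarn=$(ph.getValueWithParam "$iWarn" w "$@")
    sCrit=$(ph.getValueWithParam "$iCrit" c "$@")
    for sLimit in "$sWarn" "$sCrit"
    do
        case "$sLimit" in
            ''|*[!0-9]*)
                echo "UNKNOWN: -w and -c need a whole number of days (got: '$sLimit')"
                exit 3
                ;;
        esac
    done

    # 10# forces base 10, so a value like 08 is not rejected as invalid octal
    iWarn=$(( 10#$sWarn ))
    iCrit=$(( 10#$sCrit ))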
    
    
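    # ----- check cert files

    # Expand the file filter once into an array instead of parsing the output
    # of ls. $filelist stays unquoted on purpose: it holds one or more space
    # separated glob patterns. Each match is kept as a single array element, so
    # file names containing whitespace are handled, and the counter and the
    # loop work on exactly the same list. Patterns without a match and entries
    # that are not regular files are dropped.
    typeset -i iCounter=0
    typeset -i iExpire=0
    typeset -i iLeft=0
    typeset -a aCerts=()
    nl=$'\n'

    for mycert in $filelist
    do
        if [ -f "$mycert" ]; then
            aCerts+=( "$mycert" )
        fi
    done
    typeset -i iTotal=${#aCerts[@]}

    if [ $iTotal -eq 0 ]; then
        bHasWarning=true
        shortstatus="No cert was found."
        fullstatus="!!! Warning: no file matches the file filter. HINT: adjust your file filter in -f FILEFILTER"
    fi

    for mycert in "${aCerts[@]}"
    do
        iCounter=$iCounter+1

        # A file openssl cannot parse yields empty data and is reported below.
        data=$( openssl x509 -noout -text -in "$mycert" 2>/dev/null )

        # Only a subject that consists of a CN alone is accepted; the match
        # depends on the "CN = " spelling in the openssl text output.
        mySubject=$( echo "$data" | grep "Subject: CN = " | grep -v "," | cut -f 2- -d "=" | cut -c 2- )
        mySubject2="${mySubject//${myDomain}}"

        if [ -z "$mySubject" ]; then
            bHasWarning=true
            fullstatus="${fullstatus}${nl}                !!! WARNING: File $mycert is no client certificate. HINT: adjust your file filter in -f FILEFILTER"
            continue
        fi

        dateExpire=$( echo "$data" | grep "Not After" | cut -f 2- -d ":" )

        # An expiry date that is missing or cannot be parsed is reported as
        # such. The severity stays critical, as before, when the failed
        # conversion produced timestamp 0.
        if [ -z "$dateExpire" ] || ! iExpire=$( date +%s -d "$dateExpire" 2>/dev/null ); then
            bHasCritical=true
            shortstatus="${shortstatus}EXPIRY DATE UNREADABLE ${mySubject} ; "
            fullstatus="${fullstatus}${nl}!!! CRITICAL: Cannot read the expiration date of $mycert"
            continue
        fi

        # whole days left; the division truncates towards zero
        iLeft=$(( (iExpire - iNow) / 60 / 60 / 24 ))

        if (( iLeft <= iWarn )); then
            if (( iLeft <= iCrit )); then
                bHasCritical=true
                # Compare the timestamps, not the day count: a certificate
                # that expired less than 24 hours ago has iLeft = 0.
                if (( iExpire <= iNow )); then
                    result="EXPIRED ALREADY"
                else
                    result="Expires VERY SOON"
                fi
            else
                bHasWarning=true
                result="Expires soon"
            fi
        else
            result="OK"
        fi

        shortstatus="${shortstatus}${result} ${mySubject} [${iLeft}d] ; "
        details=$( echo "$data" | grep -E "(DNS:|Issuer:|Not |Subject:)" | sed 's#^ *##g' )
        fullstatus="${fullstatus}${nl}----- [$iCounter of $iTotal] ${mySubject} - expires in $iLeft days $mySubject2${nl}${details}${nl}File: $mycert${nl}"

        # NOTE(review): the label is built from the certificate's CN without
        # filtering; whether ph.perfadd escapes characters that are special
        # in performance data is not visible here - confirm.
        ph.perfadd "ssl-$mySubject2"       "${iLeft}"       "" "" 0 ""
    done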
    
    
    # ----- report the worst result: critical wins over warning; with neither
    # flag set the status is left untouched
    case "${bHasCritical}:${bHasWarning}" in
        true:*)
            ph.setStatus critical
            ;;
        *:true)
            ph.setStatus warning
            ;;
    esac
    
    
    # ------ output: status line first, then the details per certificate,
    # the limits in use and an empty line

    ph.status "SSL certs :: $shortstatus"
    printf '%s\n' "$fullstatus"
    printf '%s\n\n' "INFO: warning starts $iWarn d before expiration, raising to critical $iCrit days before"

    ph.exit
    
    # ----------------------------------------------------------------------