From 754a8f18b8e612fe6f2434df86f14c906386d5ff Mon Sep 17 00:00:00 2001
From: "Hahn Axel (hahn)" <axel.hahn@iml.unibe.ch>
Date: Wed, 6 Oct 2021 10:31:00 +0200
Subject: [PATCH] add check_ssl_certs
---
 check_ssl_certs | 172 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 172 insertions(+)
 create mode 100644 check_ssl_certs
diff --git a/check_ssl_certs b/check_ssl_certs
new file mode 100644
index 0000000..b9a64ed
--- /dev/null
+++ b/check_ssl_certs
@@ -0,0 +1,172 @@
+#!/bin/bash
+# ======================================================================
+#
+# SSL check - warn if a ssl certificate expires.
+#
+# Check locally installed SSL client certificates and warn if the
+# expiration date comes closer.
+#
+# USAGE: check_ssl_certs [-w WARN_LIMIT] [-c CRITICAL_LIMIT] [-f "FILELIST"]
+# HELP: check_ssl_certs -h
+#
+# ----------------------------------------------------------------------
+# 2021-10-06 v0.1 <axel.hahn@iml.unibe.ch> initial version
+# ======================================================================
+
+. `dirname $0`/inc_pluginfunctions
+
+typeset -i iWarn=14
+typeset -i iCrit=5
+typeset -i iNow=$( date +%s )
+
+bHasCritical=false
+bHasWarning=false
+
+shortstatus=""
+fullstatus=""
+
+filelist="/etc/ssl/certs/*.cert.cer"
+
+# ----------------------------------------------------------------------
+# functions
+# ----------------------------------------------------------------------
+
+function showHelp(){
+cat <<EOF
+______________________________________________________________________
+
+CHECK_SSL_CERTS
+
+(c) Institute for Medical Education - Univerity of Bern
+Licence: GNU GPL 3
+______________________________________________________________________
+
+Check locally installed SSL client certificates and warn if the
+expiration date comes closer.
+
+SYNTAX:
+`basename $0` [-w WARN_LIMIT] [-c CRITICAL_LIMIT] [-f FILELIST]
+
+OPTIONS:
+
+ -f FILELIST file filter to find certificates using globbing (default: $filelist)
+ To use multiple sources seperate them with a space char.
+ Quote your parameter value if you use multiple sources or * char.
+ -w VALUE warning level in days before expiration (default: $iWarn)
+ -c VALUE critical level in days before expiration (default: $iCrit)
+
+ -h or --help show this help.
+
+PARAMETERS:
+
+ None.
+
+EXAMPLE:
+
+ `basename $0` -f "/etc/ssl/certs/*example.com.*.cer /etc/somewhere/else/*.cer"
+ Set 2 folders where to find the client certificates.
+ They are seperated by space and both use * for globbing
+
+ `basename $0` -w 30 -c 3
+ Overide the warning and critical level.
+
+EOF
+}
+
+# ----------------------------------------------------------------------
+# MAIN
+# ----------------------------------------------------------------------
+
+
+# ----- check param -h
+case "$1" in
+ "--help"|"-h")
+ showHelp
+ exit 0
+ ;;
+ *)
+esac
+
+
+# ----- check required tools
+
+ph.require openssl
+
+
+# --- override from command line params
+filelist=`ph.getValueWithParam $filelist f "$@"`
+iWarn=` ph.getValueWithParam $iWarn w "$@"`
+iCrit=` ph.getValueWithParam $iCrit c "$@"`
+
+
+# ----- check cert files
+
+typeset -i iCounter=0
+typeset -i iTotal=$( ls -1 $filelist 2>/dev/null | wc -l )
+if [ $iTotal -eq 0 ]; then
+ bHasWarning=true
+ shortstatus="No cert was found."
+ fullstatus="!!! Warning: no file matches the file filter. HINT: a $filelist."
+fi
+for mycert in $( ls -1 $filelist 2>/dev/null )
+do
+ iCounter=$iCounter+1
+ data=$(openssl x509 -noout -text -in $mycert 2>/dev/null )
+ mySubject=$( echo "$data" | grep "Subject:\ CN\ =\ " | cut -f 2- -d "=" | grep -v ",")
+ if [ -z "$mySubject" ]; then
+ bHasWarning=true
+ fullstatus="${fullstatus}
+ !!! WARNING: File $mycert is no client certificate.
HINT: adjust your file filter in -f FILEFILTER"
+ else
+
+ dateExpire=$( echo "$data" | grep "Not\ After" | cut -f 2- -d ":" )
+
+ typeset -i iExpire=$( date +%s -d "$dateExpire" )
+ typeset -i iLeft=($iExpire-$iNow)/60/60/24
+
+ if [ $iLeft -lt $iWarn ]; then
+ if [ $iLeft -lt $iCrit ]; then
+ bHasCritical=true
+ if [ $iLeft -lt 0 ]; then
+ result="EXPIRED ALREADY"
+ else
+ result="Expires VERY SOON"
+ fi
+ else
+ bHasWarning=true
+ result="Expires soon"
+ fi
+ else
+ result="OK"
+ fi
+ shortstatus="${shortstatus}${result} ${mySubject} [${iLeft}d] |"
+ fullstatus="${fullstatus}
+----- $iCounter/ $iTotal: ${mySubject} - $iLeft days
+$( echo "$data" | grep -E "(DNS:|Issuer:|Not\ |Subject:)" | sed 's#^\ *##g')
+File: $mycert"
+
+ ph.perfadd "ssl-$mySubject" "${iLeft}" "" "" 0 ""
+ fi
+done
+
+
+# ----- set status based on worst result
+
+if [ $bHasCritical = true ]; then
+ ph.setStatus critical
+elif [ $bHasWarning = true ]; then
+ ph.setStatus warning
+fi
+
+
+# ------ outout
+
+ph.status "SSL certs | $shortstatus"
+echo "$fullstatus"
+echo
+echo "INFO: warning below $iWarn d before expiration; raise to critical $iCrit days before"
+echo
+
+ph.exit
+
+# ----------------------------------------------------------------------
-- 
GitLab
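Review bot: The expired check rounds toward zero, so `typeset -i iLeft=($iExpire-$iNow)/60/60/24` yields 0 for a certificate that expired less than 24 hours ago and the `if [ $iLeft -lt 0 ]` branch then reports it as "Expires VERY SOON" with `[0d]` instead of "EXPIRED ALREADY"; comparing the raw timestamps, `if [ $iExpire -lt $iNow ]; then`, removes the rounding. In the same branch a failing `date +%s -d "$dateExpire"` (non-GNU date, or a "Not After" line the cut does not isolate as expected) leaves the integer `iExpire` at 0, which is then reported as a critical expiry with a day count around -18000 rather than as a parse problem — capturing the exit status of that substitution and flagging a warning such as "cannot parse expiry date of $mycert" would keep the critical state meaningful. `filelist=\`ph.getValueWithParam $filelist f "$@"\`` passes the default unquoted, and because the default contains `*` the shell expands it before the call whenever files match, so the helper presumably receives several positional words where one is expected — `"$filelist"` avoids that (ph.getValueWithParam is defined outside this patch, so confirm its signature). The two `ls -1 $filelist` passes and the unquoted `-in $mycert` also miscount and fail on file names containing whitespace; quoting `-in "$mycert"` is the minimal fix, iterating over the shell's own glob expansion instead of parsing ls the fuller one.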