acheck_ssl: add IML header in help; add warning and critical level

9a57aed7 · Hahn Axel (hahn) · 94904385 · 9a57aed7
Commit 9a57aed7 authored 2 months ago by Hahn Axel (hahn)
--- a/check_ssl
+++ b/check_ssl
@@ -18,17 +18,18 @@
 # 2020-03-05  v1.1  <axel.hahn@iml.unibe.ch>  switch to ph.* helper functions
 # 2023-02-13  v1.2  <axel.hahn@unibe.ch>      some shell fixes
 # 2023-08-23  v1.3  <axel.hahn@unibe.ch>      fix wrong exitcode to "critical"
+# 2025-02-12  v1.4  <axel.hahn@unibe.ch>      add IML header in help; add warning and critical level
 # ======================================================================
 . $(dirname $0)/inc_pluginfunctions
+self_APPNAME=$( basename $0 | tr [:lower:] [:upper:] )
+self_APPVERSION=1.4
 sDomain=
 iPort=443
-iWarnDaysBefore=60
 typeset -i iErrors=0
 typeset -i iWarnings=0
@@ -40,13 +41,36 @@ sStatus=
 # show help with syntax
 function showHelp(){
-  echo
+    _self=$( basename $0 )
-  echo ----- SSL Check v1.0
+cat <<EOH
-  echo
+$( ph.showImlHelpHeader )
-  echo "SYNTAX: $(basename $0) [domain] [[port]]"
-  echo "   domain - domain to verify the ssl vertificate from (required)"
+Check if ssl certificate of a given domain is still valid.
-  echo "   port   - port number to connect (default: 443)"
+You can check https or any other port of a ssl enabled service like LDAPS, 
-  echo
+IMPAS and others.
+You can customize the values for warning and critical level.
+SYNTAX: $_self [options] DOMAIN [PORT]
+OPTIONS
+    -w VALUE  warning level for expiration in days (default: 28)
+    -c VALUE  critical level for expiration in days (default: 7)
+PARAMETERS
+    DOMAIN    domain to verify the ssl vertificate from (required)
+    PORT      optional: port number to connect (default: 443)
+EXAMPLES
+    $_self www.iml.unibe.ch 443
+        check https port 443
+    $_self -w 30 -c 14 ldap.example.com 636
+        check ldaps port 636 and set custom warning and critical level
+EOH
 }
@@ -57,73 +81,81 @@ function showHelp(){
 # --- check requirements
-  ph.require openssl
+ph.require openssl
-  if [ $# -eq 0 ]; then
+if [ $# -eq 0 ]; then
    showHelp
-    ph.abort
+    exit 0
-  fi
+fi
 # --- start
-  sDomain=$1
+# set default / override from command line params
-  if [ ! -z $2 ]; then
+typeset -i iWarnLimit;     iWarnLimit=$(     ph.getValueWithParam 28 w "$@")
-    iPort=$2
+typeset -i iCriticalLimit; iCriticalLimit=$( ph.getValueWithParam 7  c "$@")
-  fi
+sParams="$*"
+sP1="$( rev <<< $sParams | cut -f 2 -d ' ' | rev )"
+sP2="$( rev <<< $sParams | cut -f 1 -d ' ' | rev )"
+if grep -q "^[0-9]*$" <<< $sP2; then
+    sDomain=$sP1
+    iPort=$sP2
+else
+    sDomain=$sP2
+fi
 # --- try to connect
-  echo | openssl s_client -connect ${sDomain}:${iPort} >/dev/null 2>&1  
+echo | openssl s_client -connect ${sDomain}:${iPort} >/dev/null 2>&1  
-  if [ $? -ne 0 ]; then
+if [ $? -ne 0 ]; then
    ph.setStatus "critical"
    ph.status "unable to connect to ${sDomain} via port :${iPort} - maybe wrong host ... or port ... wrong chaining"
    # repeat the last command without redirecting output
    echo | openssl s_client -connect ${sDomain}:${iPort}
    ph.exit
-  fi
+fi
-  echo | openssl s_client -connect ${sDomain}:${iPort} 2>/dev/null | openssl x509 -noout -subject | grep -F ${sDomain} >/dev/null
+echo | openssl s_client -connect ${sDomain}:${iPort} 2>/dev/null | openssl x509 -noout -subject | grep -F ${sDomain} >/dev/null
-  if [ $? -ne 0 ]; then
+if [ $? -ne 0 ]; then
    ph.setStatus "unknown"
    echo SORRY, openssl was unable to fetch the right certificate - this happens on multiple ssl webs - it finds
    echo | openssl s_client -connect ${sDomain}:${iPort} 2>/dev/null | openssl x509 -noout -subject
    ph.exit
-  fi
+fi
 # --- unix timestamps valid from .. to
-  dateFrom=$(echo | openssl s_client -connect ${sDomain}:${iPort} 2>/dev/null | openssl x509 -noout -startdate | cut -f 2 -d "=")
+dateFrom=$(echo | openssl s_client -connect ${sDomain}:${iPort} 2>/dev/null | openssl x509 -noout -startdate | cut -f 2 -d "=")
-  dateTo=$(echo   | openssl s_client -connect ${sDomain}:${iPort} 2>/dev/null | openssl x509 -noout -enddate   | cut -f 2 -d "=")
+dateTo=$(echo   | openssl s_client -connect ${sDomain}:${iPort} 2>/dev/null | openssl x509 -noout -enddate   | cut -f 2 -d "=")
-  tsFrom=$(date -d "${dateFrom}" +%s)
-  tsTo=$(date -d "${dateTo}" +%s)
-  tsNow=$(date +%s)
+tsFrom=$(date -d "${dateFrom}" +%s)
-  typeset -i iDaysLeft=($tsTo-$tsNow)/60/60/24
+tsTo=$(date -d "${dateTo}" +%s)
+tsNow=$(date +%s)
+typeset -i iDaysLeft=($tsTo-$tsNow)/60/60/24
 # --- check date
-  if [ ${tsFrom} -gt ${tsNow} ]; then
+if [ ${tsFrom} -gt ${tsNow} ]; then
    ph.setStatus "critical"
    ph.status "certificate ${sDomain}:${iPort} is not valid yet - ${dateFrom}"
-  else
-    if [ ${tsTo} -lt ${tsNow} ]; then
-      ph.setStatus "critical"
-      ph.status "certificate ${sDomain}:${iPort} is out of date - ${dateTo} - ${iDaysLeft} days"
    else
-      # --- check close ending day
+        if [ ${tsTo} -lt ${tsNow} ]||[ ${iDaysLeft} -le $iCriticalLimit ]; then
-      if [ ${iDaysLeft} -lt ${iWarnDaysBefore} ]; then
+            ph.setStatus "critical"
-        ph.setStatus "warning"
+            ph.status "certificate ${sDomain}:${iPort} is out of date - ${dateTo} - ${iDaysLeft} days"
-        ph.status "certificate ${sDomain}:${iPort} is out of date - ${dateTo} - ${iDaysLeft} days"
+        else
-      else
+            # --- check close ending day
-        ph.setStatus "ok"
+            if [ ${iDaysLeft} -lt ${iWarnLimit} ]; then
-        ph.status "${sDomain}:${iPort} - valid to ${dateTo} (${iDaysLeft} days left)"
+                ph.setStatus "warning"
-      fi
+                ph.status "certificate ${sDomain}:${iPort} is out of date - ${dateTo} - ${iDaysLeft} days"
+            else
+                ph.setStatus "ok"
+                ph.status "${sDomain}:${iPort} - valid to ${dateTo} (${iDaysLeft} days left)"
+        fi
    fi
-  fi
+fi
-  ph.exit
+ph.exit
 # ----------------------------------------------------------------------