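#!/bin/bash
# ======================================================================
#
# NAGIOS CLIENT CHECK :: check SSL certificate
# this plugin shows a warning if the certificate expires in less than
# ${iWarnDaysBefore} days
#
# REQUIREMENTS
# - openssl
# - date with support for "-d <datestring>" (used to parse the
#   notBefore/notAfter values printed by openssl)
# - single cert on a host ??
#   (the requested name is sent as SNI server name, so a name based
#   virtual host can answer with its own certificate)
#
# SCOPE
# - only the validity period (notBefore/notAfter) and a substring match
#   of the domain in the certificate subject are checked.
# - the chain of trust is NOT evaluated here: openssl s_client is called
#   without -verify_return_error, so an untrusted or self signed
#   certificate with valid dates is still reported as "ok".
#
# ----------------------------------------------------------------------
#
# ah=axel.hahn@iml.unibe.ch
# ds=daniel.schueler@iml.unibe.ch
#
# 2017-03-03  v1.0  ah,ds
# 2020-03-05  v1.1  <axel.hahn@iml.unibe.ch> switch to ph.* helper functions
# ======================================================================

# quoted so that an install path with spaces does not break the include
. "$(dirname "$0")/inc_pluginfunctions"

sDomain=
iPort=443
iWarnDaysBefore=60

typeset -i iErrors=0
typeset -i iWarnings=0
sStatus=

# ----------------------------------------------------------------------
# functions
# ----------------------------------------------------------------------

# show help with syntax
# Arguments: none
# Outputs:   usage text on stdout
function showHelp(){
  echo
  echo ----- SSL Check v1.0
  echo
  echo "SYNTAX: $(basename "$0") [domain] [[port]]"
  echo "    domain - domain to verify the ssl vertificate from (required)"
  echo "    port   - port number to connect (default: 443)"
  echo
}

# ----------------------------------------------------------------------
# MAIN
# ----------------------------------------------------------------------

# --- check requirements
ph.require openssl

if [ $# -eq 0 ]; then
  showHelp
  ph.abort
fi

# --- start
sDomain=$1
if [ -n "${2:-}" ]; then
  iPort=$2
fi

# --- validate parameters
# Both values end up on the openssl command line and in a grep pattern.
# Check arguments can come from a remote monitoring server, so anything
# that is not a plain host name / IPv4 address or a port number is
# rejected before it is used: no leading "-" (would be read as an
# option), no whitespace, no ":" (IPv6 literals are not supported).
if [[ ! "${sDomain}" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
  ph.setStatus "unknown"
  ph.status "invalid domain given - allowed are letters, digits, dot, dash and underscore"
  ph.exit
fi
# 10# forces base 10 so that a value like "0443" is not read as octal
if [[ ! "${iPort}" =~ ^[0-9]{1,5}$ ]] || (( 10#${iPort} < 1 || 10#${iPort} > 65535 )); then
  ph.setStatus "unknown"
  ph.status "invalid port given - expected a number between 1 and 65535"
  ph.exit
fi

# --- connection parameters for openssl s_client
aConnect=( -connect "${sDomain}:${iPort}" )
# Send the name as SNI so that a server hosting several ssl webs picks
# the matching certificate; older openssl versions do not send it on
# their own. An IPv4 literal is not a valid SNI name and is skipped.
if [[ ! "${sDomain}" =~ ^[0-9.]+$ ]]; then
  aConnect+=( -servername "${sDomain}" )
fi

# --- try to connect
# The handshake output is fetched once and reused for subject and dates.
# This avoids opening a new connection per value and guarantees that all
# values come from the same certificate.
if ! sHandshake=$(openssl s_client "${aConnect[@]}" </dev/null 2>/dev/null); then
  ph.setStatus "error"
  ph.status "unable to connect to ${sDomain} via port :${iPort} - maybe wrong host ... or port ... wrong chaining"
  # repeat the last command without redirecting output
  openssl s_client "${aConnect[@]}" </dev/null
  ph.exit
fi

# --- check that the delivered certificate belongs to the domain
# NOTE: this is a fixed string match against the subject line only.
# A wildcard certificate or one that lists the name only as subject
# alternative name does not match and ends in status "unknown".
sSubject=$(printf '%s\n' "${sHandshake}" | openssl x509 -noout -subject)
if ! printf '%s\n' "${sSubject}" | grep -F -q -- "${sDomain}"; then
  ph.setStatus "unknown"
  echo "SORRY, openssl was unable to fetch the right certificate - this happens on multiple ssl webs - it finds"
  printf '%s\n' "${sSubject}"
  ph.exit
fi

# --- unix timestamps valid from .. to
dateFrom=$(printf '%s\n' "${sHandshake}" | openssl x509 -noout -startdate | cut -f 2 -d "=")
dateTo=$(printf '%s\n' "${sHandshake}" | openssl x509 -noout -enddate | cut -f 2 -d "=")

# An empty date string would make "date -d" return a timestamp of today
# and the check would report a result that has nothing to do with the
# certificate - stop with "unknown" instead.
if [ -z "${dateFrom}" ] || [ -z "${dateTo}" ]; then
  ph.setStatus "unknown"
  ph.status "unable to read the validity dates of the certificate ${sDomain}:${iPort}"
  ph.exit
fi

if ! tsFrom=$(date -d "${dateFrom}" +%s) || ! tsTo=$(date -d "${dateTo}" +%s); then
  ph.setStatus "unknown"
  ph.status "unable to parse the validity dates of the certificate ${sDomain}:${iPort} - ${dateFrom} .. ${dateTo}"
  ph.exit
fi
tsNow=$(date +%s)

# integer division: partial days are cut off
typeset -i iDaysLeft=$(( (tsTo - tsNow) / 60 / 60 / 24 ))

# --- check date
if [ "${tsFrom}" -gt "${tsNow}" ]; then
  ph.setStatus "critical"
  ph.status "certificate ${sDomain}:${iPort} is not valid yet - ${dateFrom}"
elif [ "${tsTo}" -lt "${tsNow}" ]; then
  ph.setStatus "critical"
  ph.status "certificate ${sDomain}:${iPort} is out of date - ${dateTo} - ${iDaysLeft} days"
elif [ "${iDaysLeft}" -lt "${iWarnDaysBefore}" ]; then
  # --- check close ending day
  # the certificate is still valid here, so the message must not claim
  # that it is out of date
  ph.setStatus "warning"
  ph.status "certificate ${sDomain}:${iPort} expires soon - ${dateTo} - ${iDaysLeft} days"
else
  ph.setStatus "ok"
  ph.status "${sDomain}:${iPort} - valid to ${dateTo} (${iDaysLeft} days left)"
fi

ph.exit

# ----------------------------------------------------------------------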