diff --git a/check_ssl_cert_file b/check_ssl_cert_file
new file mode 100755
index 0000000..896b825
--- /dev/null
+++ b/check_ssl_cert_file
@@ -0,0 +1,135 @@
+#!/bin/bash
+#
+# Icinga/Nagios plugin to check X509 SSL certificate expiration date
+# using OpenSSL.
+#
+# Usage: check_ssl_cert_file [options]
+#
+# Copyright (c) 2017 Benjamin Renard
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3
+# as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+
+DEBUG=0
+FILE=""
+WARN_LIMIT_DAYS=5
+CRIT_LIMIT_DAYS=3
+
+function usage() {
+ echo "Usage : $0 [cert file path]
+ -f [file] Specify certificate file path
+ -w [integer] Specify warning days limit
+ -c [integer] Specify critial days limit
+ -d Enable debug mode
+ -h Show this message"
+}
+
+function check_int() {
+ echo "$1"|grep -c '^[0-9]\+$'
+}
+
+while getopts "f:w:c:dh-:" OPTION
+do
+ case "$OPTION" in
+ w)
+ WARN_LIMIT_DAYS="${OPTARG}"
+ [ $( check_int "$WARN_LIMIT_DAYS" ) -ne 1 ] && echo "UNKNOWN : Invalid -w parameter" && exit 3
+ ;;
+ c)
+ CRIT_LIMIT_DAYS="${OPTARG}"
+ [ $( check_int "$CRIT_LIMIT_DAYS" ) -ne 1 ] && echo "UNKNOWN : Invalid -c parameter" && exit 3
+ ;;
+ f)
+ FILE="${OPTARG}"
+ [ ! -e "$FILE" ] && echo "UNKNOWN : Invalid cert file path" && exit 3
+ ;;
+ d)
+ DEBUG=1
+ ;;
+ h)
+ usage
+ exit 0
+ ;;
+ *)
+ echo "Invalid parameter -$OPTION"
+ echo
+ usage
+ exit 1
+ ;;
+ esac
+done
+
+[ -z "$FILE" ] && usage && exit 3
+
+let WARN_LIMIT=24*3600*WARN_LIMIT_DAYS
+let CRIT_LIMIT=24*3600*CRIT_LIMIT_DAYS
+
+
+OSSL_OUT=$( openssl x509 -text -noout -in "$FILE" 2> /dev/null )
+
+if [ $? -ne 0 ]
+then
+ echo "UNKNOWN : Fail to read certificate file with openssl"
+ exit 3
+fi
+
+[ $DEBUG -eq 1 ] && echo -e "OpenSSL output : $OSSL_OUT"
+
+NOT_AFTER=$( echo -e "$OSSL_OUT"| grep 'Not After : '|sed 's/^.*Not After : //' )
+if [ -z "$NOT_AFTER" ]
+then
+ echo "UNKNOWN : Fail to detect expiration date in OpenSSL output"
+ exit 3
+fi
+
+[ $DEBUG -eq 1 ] && echo -e "Expiration date : $NOT_AFTER"
+
+NOT_AFTER_TIME=$( date +%s -d "$NOT_AFTER" )
+if [ $? -ne 0 ]
+then
+ echo "UNKNOWN : Fail to convert expiration date to timestamp"
+ echo "Expiration date : $NOT_AFTER"
+ exit 3
+fi
+
+[ $DEBUG -eq 1 ] && echo -e "Expiration timestamp : $NOT_AFTER_TIME"
+
+CUR_TIME=$( date +%s )
+
+[ $DEBUG -eq 1 ] && echo -e "Current timestamp : $CUR_TIME"
+
+if [ $CUR_TIME -ge $NOT_AFTER_TIME ]
+then
+ echo "CRITICAL : Certificate file expiry since $NOT_AFTER"
+ exit 2
+fi
+
+let DIFF=NOT_AFTER_TIME-CUR_TIME
+
+[ $DEBUG -eq 1 ] && echo -e "Diff time in seconds : $DIFF\nCritical/Warning limits : $CRIT_LIMIT / $WARN_LIMIT"
+
+if [ $DIFF -le $CRIT_LIMIT ]
+then
+ echo "CRITICAL : Certificate file expiry in less than $CRIT_LIMIT_DAYS day(s)"
+ echo "Expiration date : $NOT_AFTER"
+ exit 2
+elif [ $DIFF -le $WARN_LIMIT ]
+then
+ echo "WARNING : Certificate file expiry in less than $WARN_LIMIT_DAYS day(s)"
+ echo "Expiration date : $NOT_AFTER"
+ exit 1
+else
+ echo "OK : Certificate file expiry on $NOT_AFTER"
+ exit 0
+fi
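Review bot: The expiry date is recovered by grepping `Not After : ` out of the human-readable `-text` dump (the `NOT_AFTER=` line) and then converted with GNU `date -d`, so the check collapses to UNKNOWN whenever an OpenSSL build words that line differently or the host's `date` lacks `-d`; `openssl x509 -enddate -noout` prints a stable `notAfter=` line intended for scripts, so `NOT_AFTER=$( openssl x509 -enddate -noout -in "$FILE" 2>/dev/null | sed 's/^notAfter=//' )` removes the dependence on the text layout, and `openssl x509 -checkend SECONDS` could replace the timestamp arithmetic entirely. The `*)` arm of the getopts loop exits 1, which the script itself uses as WARNING further down, while every other argument error exits 3 (UNKNOWN); `exit 3` there keeps the plugin's status codes consistent. The two thresholds are validated as integers but never cross-checked, so a `-c` larger than `-w` silently makes the WARNING branch unreachable. The debug path also feeds certificate-derived text through `echo -e`, which interprets backslash escapes present in subject or issuer fields; `printf '%s\n'` prints it verbatim.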