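#!/bin/bash
#
# Icinga/Nagios plugin to check X509 SSL certificate expiration date
# using OpenSSL.
#
# Usage: check_ssl_cert_file [options] [cert file path]
#
# Copyright (c) 2017 Benjamin Renard
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
# Exit status follows the Nagios plugin convention:
#   0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN (usage error or unreadable input).
#
# Scope: only the "Not After" date of the first certificate in the file is
# examined. Other certificates in a bundle (intermediates) and the
# "Not Before" date are not inspected; check those separately if needed.
# Requires GNU date (for `date -d`) and the openssl CLI.

set -u

DEBUG=0
FILE=""
WARN_LIMIT_DAYS=5
CRIT_LIMIT_DAYS=3

# Print the usage text to stdout.
usage() {
  cat <<EOF
Usage : $0 [cert file path]
  -f [file]     Specify certificate file path
  -w [integer]  Specify warning days limit
  -c [integer]  Specify critical days limit
  -d            Enable debug mode
  -h            Show this message
EOF
}

# Print 1 if $1 is a non-negative decimal integer, 0 otherwise.
check_int() {
  if [[ "$1" =~ ^[0-9]+$ ]]; then
    echo 1
  else
    echo 0
  fi
}

# Print a debug line on stderr when -d is set. stderr is used so that debug
# output never pollutes the single status line the monitoring core parses.
debug() {
  if [[ "$DEBUG" -eq 1 ]]; then
    printf '%s\n' "$*" >&2
  fi
  return 0
}

# Emit "UNKNOWN : <message>" and exit 3.
unknown() {
  printf 'UNKNOWN : %s\n' "$1"
  exit 3
}

# Leading ':' enables silent mode: getopts stops printing its own diagnostics
# and puts the offending option character in OPTARG, so the error messages
# below can name it (the non-silent form reported "-?" for every bad option).
while getopts ":f:w:c:dh-:" OPTION; do
  case "$OPTION" in
    w)
      WARN_LIMIT_DAYS=$OPTARG
      [[ "$(check_int "$WARN_LIMIT_DAYS")" -eq 1 ]] || unknown "Invalid -w parameter"
      ;;
    c)
      CRIT_LIMIT_DAYS=$OPTARG
      [[ "$(check_int "$CRIT_LIMIT_DAYS")" -eq 1 ]] || unknown "Invalid -c parameter"
      ;;
    f)
      FILE=$OPTARG
      [[ -e "$FILE" ]] || unknown "Invalid cert file path"
      ;;
    d)
      DEBUG=1
      ;;
    h)
      usage
      exit 0
      ;;
    :)
      # A usage error is UNKNOWN (3), not WARNING (1), so it cannot be
      # mistaken for a certificate that is about to expire.
      printf 'Option -%s requires an argument\n\n' "$OPTARG"
      usage
      exit 3
      ;;
    -)
      printf 'Invalid parameter --%s\n\n' "$OPTARG"
      usage
      exit 3
      ;;
    *)
      printf 'Invalid parameter -%s\n\n' "$OPTARG"
      usage
      exit 3
      ;;
  esac
done
shift $((OPTIND - 1))

# The usage text documents a positional certificate path; honour it when -f
# was not given.
if [[ -z "$FILE" && $# -ge 1 ]]; then
  FILE=$1
  [[ -e "$FILE" ]] || unknown "Invalid cert file path"
fi
if [[ -z "$FILE" ]]; then
  usage
  exit 3
fi

# With warn < crit the WARNING band can never be reached (the critical test
# runs first), which silently hides a misconfiguration; reject it up front.
if (( WARN_LIMIT_DAYS < CRIT_LIMIT_DAYS )); then
  unknown "Warning limit (-w) must be greater than or equal to critical limit (-c)"
fi

WARN_LIMIT=$((WARN_LIMIT_DAYS * 24 * 3600))
CRIT_LIMIT=$((CRIT_LIMIT_DAYS * 24 * 3600))

# -enddate yields a single "notAfter=<date>" line, which is more robust than
# scraping the free-form -text dump. stderr is captured so it can be shown
# in debug mode instead of being discarded.
if ! OSSL_OUT=$(openssl x509 -noout -enddate -in "$FILE" 2>&1); then
  debug "OpenSSL output : $OSSL_OUT"
  unknown "Fail to read certificate file with openssl"
fi
debug "OpenSSL output : $OSSL_OUT"

NOT_AFTER=$(printf '%s\n' "$OSSL_OUT" | sed -n 's/^notAfter=//p' | head -n 1)
if [[ -z "$NOT_AFTER" ]]; then
  unknown "Fail to detect expiration date in OpenSSL output"
fi
debug "Expiration date : $NOT_AFTER"

# The date string is produced by openssl's own formatter (e.g.
# "Jan  2 03:04:05 2030 GMT"), not copied raw from the certificate, so the
# value passed to `date -d` is normalized input.
if ! NOT_AFTER_TIME=$(date +%s -d "$NOT_AFTER"); then
  printf 'UNKNOWN : Fail to convert expiration date to timestamp\n'
  printf 'Expiration date : %s\n' "$NOT_AFTER"
  exit 3
fi
debug "Expiration timestamp : $NOT_AFTER_TIME"

CUR_TIME=$(date +%s)
debug "Current timestamp : $CUR_TIME"

if (( CUR_TIME >= NOT_AFTER_TIME )); then
  printf 'CRITICAL : Certificate file expiry since %s\n' "$NOT_AFTER"
  exit 2
fi

DIFF=$((NOT_AFTER_TIME - CUR_TIME))
debug "Diff time in seconds : $DIFF"
debug "Critical/Warning limits : $CRIT_LIMIT / $WARN_LIMIT"

if (( DIFF <= CRIT_LIMIT )); then
  printf 'CRITICAL : Certificate file expiry in less than %s day(s)\n' "$CRIT_LIMIT_DAYS"
  printf 'Expiration date : %s\n' "$NOT_AFTER"
  exit 2
elif (( DIFF <= WARN_LIMIT )); then
  printf 'WARNING : Certificate file expiry in less than %s day(s)\n' "$WARN_LIMIT_DAYS"
  printf 'Expiration date : %s\n' "$NOT_AFTER"
  exit 1
else
  printf 'OK : Certificate file expiry on %s\n' "$NOT_AFTER"
  exit 0
fi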