Check plugin for Icinga/Nagios to validate expiration date of a X509 SSL certificate file using OpenSSL


#!/bin/bash
#
# Icinga/Nagios plugin to check X509 SSL certificate expiration date
# using OpenSSL.
#
# Usage: check_ssl_cert_file [options]
#
# Copyright (c) 2017 Benjamin Renard <brenard@easter-eggs.com>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
# Default settings; each one is overridden by the matching command-line option.
# -d switches debug output on (DEBUG=1).
DEBUG="0"
# -f sets the certificate file to check; it stays empty until then.
FILE=
# -w / -c set the number of days before expiry that raises WARNING / CRITICAL.
WARN_LIMIT_DAYS="5"
CRIT_LIMIT_DAYS="3"
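# Print the command-line help on stdout.
# The synopsis names -f because the certificate path is only ever read from
# that option; positional arguments are not parsed by this script.
function usage() {
  printf '%s\n' \
    "Usage : $0 -f [file] [options]" \
    "-f [file] Specify certificate file path" \
    "-w [integer] Specify warning days limit" \
    "-c [integer] Specify critical days limit" \
    "-d Enable debug mode" \
    "-h Show this message"
}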
function check_int() {
echo "$1"|grep -c '^[0-9]\+$'
}
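# Parse the command-line options.
# Every invalid option or value ends the check with exit status 3, which
# Icinga/Nagios reports as UNKNOWN; exit status 1 would be shown as WARNING,
# i.e. as a statement about the certificate rather than about the invocation.
# 'if' blocks replace the "test && echo && exit" chains so that the exit does
# not depend on echo succeeding.
while getopts "f:w:c:dh-:" OPTION
do
  case "$OPTION" in
    w)
      WARN_LIMIT_DAYS="${OPTARG}"
      if [ "$( check_int "$WARN_LIMIT_DAYS" )" != "1" ]
      then
        echo "UNKNOWN : Invalid -w parameter"
        exit 3
      fi
      ;;
    c)
      CRIT_LIMIT_DAYS="${OPTARG}"
      if [ "$( check_int "$CRIT_LIMIT_DAYS" )" != "1" ]
      then
        echo "UNKNOWN : Invalid -c parameter"
        exit 3
      fi
      ;;
    f)
      FILE="${OPTARG}"
      # Only existence is tested here; an unreadable or non-certificate file
      # is reported later, when openssl fails to parse it.
      if [ ! -e "$FILE" ]
      then
        echo "UNKNOWN : Invalid cert file path"
        exit 3
      fi
      ;;
    d)
      DEBUG=1
      ;;
    h)
      usage
      exit 0
      ;;
    *)
      # Reached for an unknown option (getopts sets OPTION to '?') and for
      # any long option, which the "-:" entry routes here as '-'.
      echo "UNKNOWN : Invalid parameter -$OPTION"
      echo
      usage
      exit 3
      ;;
  esac
done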
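# Main check: read the certificate's expiration date and map the remaining
# lifetime to an Icinga/Nagios status (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN).

# Print a message on stdout only when debug mode (-d) is enabled.
# printf '%s' is used instead of 'echo -e' so that backslashes inside
# certificate-derived text are printed as they are, not interpreted.
function debug_msg() {
  if [ "$DEBUG" -eq 1 ]
  then
    printf '%s\n' "$*"
  fi
}

# -f is mandatory: without a certificate file there is nothing to check.
if [ -z "$FILE" ]
then
  usage
  exit 3
fi

# The day limits are used in shell arithmetic below, so only plain decimal
# digits are accepted at this point, whatever validation ran earlier.
for LIMIT_DAYS in "$WARN_LIMIT_DAYS" "$CRIT_LIMIT_DAYS"
do
  case "$LIMIT_DAYS" in
    ''|*[!0-9]*)
      echo "UNKNOWN : Invalid warning or critical days limit"
      exit 3
      ;;
  esac
done

# 10# forces base 10: with 'let', a limit such as 08 is read as an invalid
# octal number and the limit variable is left unset.
WARN_LIMIT=$(( 24 * 3600 * 10#$WARN_LIMIT_DAYS ))
CRIT_LIMIT=$(( 24 * 3600 * 10#$CRIT_LIMIT_DAYS ))

# First pass: make sure openssl can parse the file at all. The text dump is
# kept for debug output only.
if ! OSSL_OUT=$( openssl x509 -text -noout -in "$FILE" 2> /dev/null )
then
  echo "UNKNOWN : Fail to read certificate file with openssl"
  exit 3
fi
debug_msg "OpenSSL output : $OSSL_OUT"

# Ask openssl for the expiration date directly ("notAfter=<date>") instead of
# searching the text dump for 'Not After : ': the dump also contains strings
# taken from the certificate itself, so a line-based search can pick up more
# than the validity field.
NOT_AFTER=$( openssl x509 -noout -enddate -in "$FILE" 2> /dev/null )
NOT_AFTER="${NOT_AFTER#notAfter=}"
if [ -z "$NOT_AFTER" ]
then
  echo "UNKNOWN : Fail to detect expiration date in OpenSSL output"
  exit 3
fi
debug_msg "Expiration date : $NOT_AFTER"

# Convert the date to a Unix timestamp ('date -d' is the GNU date syntax).
if ! NOT_AFTER_TIME=$( date +%s -d "$NOT_AFTER" )
then
  echo "UNKNOWN : Fail to convert expiration date to timestamp"
  echo "Expiration date : $NOT_AFTER"
  exit 3
fi
debug_msg "Expiration timestamp : $NOT_AFTER_TIME"

CUR_TIME=$( date +%s )
debug_msg "Current timestamp : $CUR_TIME"

# Already expired: CRITICAL regardless of the configured limits.
if [ "$CUR_TIME" -ge "$NOT_AFTER_TIME" ]
then
  echo "CRITICAL : Certificate file expiry since $NOT_AFTER"
  exit 2
fi

# Remaining lifetime in seconds, compared with the critical limit first so
# that the more severe status wins.
DIFF=$(( NOT_AFTER_TIME - CUR_TIME ))
debug_msg "Diff time in seconds : $DIFF"
debug_msg "Critical/Warning limits : $CRIT_LIMIT / $WARN_LIMIT"

if [ "$DIFF" -le "$CRIT_LIMIT" ]
then
  echo "CRITICAL : Certificate file expiry in less than $CRIT_LIMIT_DAYS day(s)"
  echo "Expiration date : $NOT_AFTER"
  exit 2
elif [ "$DIFF" -le "$WARN_LIMIT" ]
then
  echo "WARNING : Certificate file expiry in less than $WARN_LIMIT_DAYS day(s)"
  echo "Expiration date : $NOT_AFTER"
  exit 1
else
  echo "OK : Certificate file expiry on $NOT_AFTER"
  exit 0
fi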