Revision 94066132
[ssl-certificate-expiry] add env.skip_cert_hashes to skip certificates
This fix allows skipping validity checks on any intermediate certificate
whose subject hash appears in the list.
Let's Encrypt certificates are cross-signed by both DST Root CA X3 and
ISRG Root X1. DST Root CA X3 expired on 2021-09-30 [0], which causes
the plugin to incorrectly report some full-chain LE certificates as
expired.
[0] https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
Signed-off-by: Olivier Mehani <shtrom@ssji.net>
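The skip-list logic this commit introduces, written out as a stand-alone added example (this is not the plugin's code or the author's): it parses the text that `openssl x509 -noout -subject_hash -enddate` prints, finds the subject hash by its shape rather than by line position, refuses to skip when no hash could be parsed, and matches the hash against a whitespace-separated `skip_cert_hashes` list case-insensitively. The two openssl outputs embedded below are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not munin-contrib code. Decides, from the text printed by
# `openssl x509 -noout -subject_hash -enddate`, whether a certificate is on
# the skip list or what its notAfter value is. Sample outputs are constructed.

# openssl prints the subject hash as a bare line of eight hex digits; match
# that shape instead of assuming it is the first line of the output.
subject_hash_from_output() {
    printf '%s\n' "$1" | grep -E '^[0-9a-fA-F]{8}$' | head -n 1
}

# The expiry line is prefixed, so it can be matched by content.
not_after_from_output() {
    printf '%s\n' "$1" | sed -n 's/^notAfter=//p'
}

# True (0) only when hash is non-empty and equals, case-insensitively, one
# whitespace-separated token of the skip list. An empty hash never matches.
hash_is_skipped() {
    hash=$1
    skip_list=$2
    [ -n "$hash" ] || return 1
    lower_hash=$(printf '%s' "$hash" | tr 'A-F' 'a-f')
    for entry in $skip_list; do
        if [ "$(printf '%s' "$entry" | tr 'A-F' 'a-f')" = "$lower_hash" ]; then
            return 0
        fi
    done
    return 1
}

# Prints "skip" for a listed certificate, its notAfter string otherwise,
# and "error" (exit 1) when no subject hash could be parsed at all.
classify_cert_output() {
    output=$1
    skip_list=$2
    hash=$(subject_hash_from_output "$output")
    if [ -z "$hash" ]; then
        echo "error"
        return 1
    fi
    if hash_is_skipped "$hash" "$skip_list"; then
        echo "skip"
        return 0
    fi
    not_after_from_output "$output"
}

# Constructed sample outputs: the first uses the DST Root CA X3 subject hash
# quoted in the commit, the second an arbitrary hash and date.
DST_OUTPUT='2e5ac55d
notAfter=Sep 30 14:01:15 2021 GMT'
OTHER_OUTPUT='deadbeef
notAfter=Jun  4 11:04:38 2035 GMT'

# Real use would feed openssl's output in, e.g.
#   classify_cert_output "$(openssl x509 -noout -subject_hash -enddate < cert.pem)" "$skip_cert_hashes"
classify_cert_output "$DST_OUTPUT" "2e5ac55d"
classify_cert_output "$OTHER_OUTPUT" "2e5ac55d"
```

The empty-hash guard is the part worth copying: without it, a malformed certificate yields an empty hash, and whether an empty pattern matches the skip list is left to grep rather than to the operator's configuration.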
| plugins/ssl/ssl-certificate-expiry | ||
|---|---|---|
| 1 | 1 |
#!/bin/sh -u |
| 2 | 2 |
# -*- sh -*- |
| 3 |
# shellcheck disable=SC2039
|
|
| 3 |
# shellcheck shell=dash
|
|
| 4 | 4 |
|
| 5 | 5 |
: << =cut |
| 6 | 6 |
|
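Review bot: the directive change on line 3, from `# shellcheck disable=SC2039` to `# shellcheck shell=dash`, only tells the linter which dialect to assume; the shebang on line 1 is still `#!/bin/sh -u`, so the script runs under whatever /bin/sh the host provides, and constructs that dash accepts but stricter sh implementations reject will no longer be flagged. Either change the shebang to match the dialect the linter is now told about, or say in the commit message why dash was chosen, since the message only describes skip_cert_hashes.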
| ... | ... | |
| 25 | 25 |
env.warning 30: |
| 26 | 26 |
env.proxy PROXYHOST:PORT # optional, enables openssl operation over proxy |
| 27 | 27 |
env.checkname yes # optional, checks if used servername is covered by certificate |
| 28 |
env.skip_cert_hashes 2e5ac55d # optional, skip check of certs with those hashes (2e5ac55d is DST Root CA X3, cross-signing Let's Encrypt certs, but expiring on 2021-09-30) |
|
| 28 | 29 |
|
| 29 | 30 |
Alternatively, if you want to monitor hosts separately, you can create multiple symlinks named as follows. |
| 30 | 31 |
|
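Review bot: the new documentation line for `env.skip_cert_hashes` does not say what kind of value is expected or how several values are separated; state that each entry is the output of `openssl x509 -noout -subject_hash` (eight hex digits, as in the `2e5ac55d` example) and that entries are whitespace-separated, so nobody pastes a SHA-1 fingerprint and wonders why nothing is skipped. It is also worth one sentence that a subject hash identifies a subject name rather than one certificate, so every certificate with that subject is skipped, not only the expired DST Root CA X3 the example names.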
| ... | ... | |
| 58 | 59 |
=head1 AUTHORS |
| 59 | 60 |
|
| 60 | 61 |
* Pactrick Domack (ssl_) |
| 61 |
* Olivier Mehani (ssl-certificate-expiry) |
|
| 62 |
* Olivier Mehani (ssl-certificate-expiry, skip_cert_hashes)
|
|
| 62 | 63 |
* Martin Schobert (check for intermediate certs) |
| 63 | 64 |
* Arndt Kritzner (hostname verification and proxy usage) |
| 64 |
|
|
| 65 |
|
|
| 65 | 66 |
* Copyright (C) 2013 Patrick Domack <patrickdk@patrickdk.com> |
| 66 |
* Copyright (C) 2017, 2019 Olivier Mehani <shtrom+munin@ssji.net> |
|
| 67 |
* Copyright (C) 2020 Martin Schobert <martin@schobert.cc>
|
|
| 67 |
* Copyright (C) 2017, 2019, 2021 Olivier Mehani <shtrom+munin@ssji.net>
|
|
| 68 |
* Copyright (C) 2020 Martin Schobert <martin@schobert.cc> |
|
| 68 | 69 |
|
| 69 | 70 |
=head1 LICENSE |
| 70 | 71 |
|
| 71 | 72 |
=cut |
| 72 | 73 |
|
| 73 |
# shellcheck disable=SC1090
|
|
| 74 |
# shellcheck disable=SC1091
|
|
| 74 | 75 |
. "${MUNIN_LIBDIR}/plugins/plugin.sh"
|
| 75 | 76 |
|
| 76 | 77 |
if [ "${MUNIN_DEBUG:-0}" = 1 ]; then
|
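Review bot: the swap of `# shellcheck disable=SC1090` for `# shellcheck disable=SC1091` above the `. "${MUNIN_LIBDIR}/plugins/plugin.sh"` line is a lint-directive change unrelated to skip_cert_hashes and is not mentioned in the commit message; either mention it there or split it into its own commit, so a later bisect does not attribute a lint change to the certificate-skipping feature. The AUTHORS and copyright updates (adding `skip_cert_hashes` and 2021 to the existing Olivier Mehani entries) are fine as written.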
| ... | ... | |
| 97 | 98 |
input_data=$(cat) |
| 98 | 99 |
|
| 99 | 100 |
if echo "$input_data" | grep -q -- "-----BEGIN CERTIFICATE-----"; then |
| 100 |
valid_until_string=$(echo "$input_data" | openssl x509 -noout -enddate \ |
|
| 101 |
cert_data=$(echo "$input_data" | openssl x509 -noout -subject_hash -enddate) |
|
| 102 |
|
|
| 103 |
# Skip certificate if its hash is in env.skip_cert_hashes |
|
| 104 |
hash="$(echo "${cert_data}" | head -n 1)"
|
|
| 105 |
echo "${skip_cert_hashes:-}" | grep -iqwF "${hash}" && return
|
|
| 106 |
|
|
| 107 |
valid_until_string=$(echo "$cert_data" \ |
|
| 101 | 108 |
| grep "^notAfter=" | cut -f 2 -d "=") |
| 102 | 109 |
if [ -n "$valid_until_string" ]; then |
| 103 | 110 |
# FreeBSD requires special arguments for "date" |
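Review bot: the skip test at new lines 104-105 has no guard for an empty hash: if openssl rejects the input, `cert_data` is empty, `hash` is empty and `grep -iqwF ""` is run against the skip list with an empty pattern, so whether the certificate is skipped depends on grep's treatment of empty patterns rather than on the configuration. Prefix the test with `[ -n "$hash" ] &&` (or test `-z "$hash"` and fall through to the existing `-n "$valid_until_string"` handling below). Two smaller points: `head -n 1` assumes openssl prints the `-subject_hash` line before the `-enddate` line, whereas the `grep "^notAfter="` below matches by content; matching the hash line by shape (`grep -E '^[0-9a-f]{8}$'`) would make both lookups order-independent. And the commit message says only intermediate certificates are skipped, but the `return` fires for any certificate in the input, the leaf included, so a leaf's hash in the list silently disables the expiry check for that host.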