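#!/bin/sh
# Quoted delimiter: the POD below is documentation and must never be subject
# to $... or `...` expansion by the shell.
: <<'=cut'
=head1 NAME

certificate_file_expiry - check the certificate validity of your certificates

=head1 CONFIGURATION

Installing: Add list of your certificates prefixed by the type in munin plugin-conf.d

For openvpn ca.crt and crl.pem

[certificate_file_expiry]
user root
env.CERTS crl:/etc/openvpn/easy-rsa/keys/crl.pem x509:/etc/openvpn/easy-rsa/keys/ca.crt

For letsencrypt certificates

[certificate_file_expiry]
user root
env.CERTS x509:/etc/letsencrypt/live/*/cert.pem

Warning and Critical levels can also be configured with env variables like this:

[certificate_file_expiry]
...
# warn when certificate will be invalid within 5 days
env.warning 5:
# critical when certificate will be invalid within 1 day
env.critical 1:

env.CERTS should be a space separated list of patterns prefixed by the type of certificate to check and a colon. All types of
certificates that openssl supports as standard commands and have a validity output are supported (e.g. x509, crl).
File patterns can be a single file (e.g. /etc/openvpn/easy-rsa/keys/crl.pem) or a pattern that matches multiple files
(e.g. /etc/letsencrypt/live/*/cert.pem).

env.warning and env.critical are configurable values for the warning and critical levels according to
http://munin-monitoring.org/wiki/fieldname.warning and http://munin-monitoring.org/wiki/fieldname.critical

=head1 Dependencies

Dependencies: openssl

=head1 AUTHOR

andreas perhab - andreas.perhab@wt-io-it.at (https://www.wt-io-it.at/)

=head1 LICENSE

GPLv2

=cut

# Expected to supply clean_fieldname, print_warning and print_critical.
. "$MUNIN_LIBDIR/plugins/plugin.sh"

#######################################
# Print the type part of one "type:pattern" entry of env.CERTS.
# Splits on the FIRST colon so that a pattern containing a colon
# (legal in a path) does not leak into the type.
# Arguments: $1 - one entry of env.CERTS
# Outputs:   the certificate type (an openssl subcommand name) on stdout
#######################################
cert_type_of() {
  printf '%s\n' "${1%%:*}"
}

#######################################
# Print the file pattern part of one "type:pattern" entry of env.CERTS.
# Arguments: $1 - one entry of env.CERTS
# Outputs:   everything after the first colon on stdout
#######################################
cert_pattern_of() {
  printf '%s\n' "${1#*:}"
}

#######################################
# Convert a number of seconds to (fractional) days.
# Arguments: $1 - seconds, may be negative for an already expired certificate
# Outputs:   seconds / 86400 on stdout, formatted by awk
#######################################
seconds_to_days() {
  awk -v s="$1" 'BEGIN { print (s / 86400) }'
}

#######################################
# Extract the end of validity of one certificate or CRL file.
# Arguments: $1 - openssl subcommand (x509, crl, ...)
#            $2 - file to inspect
# Outputs:   expiry as seconds since the epoch on stdout
# Returns:   0 on success; non-zero when openssl printed no validity line
#            or date could not parse it (caller should report "U")
#######################################
cert_expiry_epoch() {
  # openssl's text dump is the only type-independent place for the end of
  # validity: "Not After" for x509 certificates, "Next Update" for CRLs.
  expiry_line=$(/usr/bin/openssl "$1" -text -noout -in "$2" \
    | grep -E '(Next Update|Not After)') || return 1
  # Drop the "Not After :" label; the remainder is a date string.
  expiry_line=${expiry_line#*:}
  # GNU date is required for --date (as in the original plugin).
  date --date="$expiry_line" +%s
}

#######################################
# Plugin entry point.
# Globals:   CERTS (read), warning/critical (set to defaults, read by
#            print_warning/print_critical), now (written)
# Arguments: $1 - "config" to print the graph definition, empty to print values
# Outputs:   munin config or value lines on stdout; diagnostics on stderr
#######################################
main() {
  mode=$1
  if [ "$mode" = "config" ]; then
    echo "graph_title Certificate validity"
    # NOTE: expired certificates yield values <= 0, which a logarithmic axis
    # cannot draw; the warning/critical thresholds still fire for them.
    echo "graph_args --logarithmic --base 1000"
    echo "graph_vlabel certificate validity in days"
    echo "graph_category security"
  fi

  now=$(date +%s)
  warning=${warning:-5:}
  critical=${critical:-1:}

  # Intentional word-splitting: env.CERTS is a space separated list.
  for cert in ${CERTS}; do
    cert_type=$(cert_type_of "$cert")
    cert_pattern=$(cert_pattern_of "$cert")
    # The type is passed to openssl as its subcommand; only accept plain
    # subcommand names so a malformed entry cannot turn into an option.
    case $cert_type in
      ''|*[!A-Za-z0-9]*)
        printf 'certificate_file_expiry: ignoring "%s": type must be an openssl subcommand name\n' "$cert" >&2
        continue ;;
    esac
    # Intentional globbing: the pattern may match several files. Paths
    # containing whitespace are not supported by this format.
    for cert_file in $cert_pattern; do
      # An unmatched glob is left as the literal pattern; do not create a
      # bogus field for it.
      if [ ! -e "$cert_file" ]; then
        printf 'certificate_file_expiry: no such file: %s\n' "$cert_file" >&2
        continue
      fi
      cert_name=$(clean_fieldname "$cert_file")
      if [ "$mode" = "config" ]; then
        echo "${cert_name}.label ${cert_file}"
        print_warning "$cert_name"
        print_critical "$cert_name"
      elif [ "$mode" = "" ]; then
        if expiry=$(cert_expiry_epoch "$cert_type" "$cert_file"); then
          echo "${cert_name}.value $(seconds_to_days "$((expiry - now))")"
        else
          # "U" marks the sample as unknown instead of reporting a bogus age.
          echo "${cert_name}.value U"
        fi
      fi
    done
  done
}

main "$@"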
