Révision c6590b67
letsencrypt_weekly: display by registered domain
| plugins/ssl/letsencrypt_weekly | ||
|---|---|---|
| 1 |
#!/bin/sh |
|
| 1 |
#!/bin/bash
|
|
| 2 | 2 |
: << =cut |
| 3 | 3 |
=head1 NAME |
| 4 | 4 |
|
| 5 | 5 |
letsencrypt_weekly - monitor the number of CSRs by week for /etc/letsencrypt/csr/ |
| 6 | 6 |
|
| 7 |
=head1 DESCRIPTION |
|
| 8 |
|
|
| 9 |
This plugin monitors the number of certificate signing requests (CSRs) done with letsencrypt's certbot. |
|
| 10 |
It tries to determine the registered domain and reports the number also per registered domain. |
|
| 11 |
For people running multiple servers this enables aggregation of those numbers across multiple nodes in the munin.conf |
|
| 12 |
|
|
| 7 | 13 |
see https://letsencrypt.org/docs/rate-limits/ |
| 8 | 14 |
|
| 9 |
= head1 CONFIGURATION
|
|
| 15 |
=head1 CONFIGURATION |
|
| 10 | 16 |
|
| 11 | 17 |
You can configure the warning and critical limits for this plugin: |
| 12 | 18 |
|
| 13 |
[letsencrypt_weekly] |
|
| 14 |
# warn when more than 40 certificates have been requested in the last week |
|
| 15 |
env.warning :40 |
|
| 16 |
# critical when more than 50 certificates have been requested in the last week |
|
| 17 |
env.critical :50 |
|
| 19 |
[letsencrypt_weekly] |
|
| 20 |
# run with a user that is able to read /etc/letsencrypt/csr/ files and at least list directories in |
|
| 21 |
# /etc/letsencrypt/archive/ |
|
| 22 |
user root |
|
| 23 |
# warn when more than 40 certificates have been requested in the last week |
|
| 24 |
env.warning :40 |
|
| 25 |
# critical when more than 50 certificates have been requested in the last week |
|
| 26 |
env.critical :50 |
|
| 27 |
|
|
| 28 |
=head1 AGGREGATION CONFIGURATION |
|
| 29 |
|
|
| 30 |
When you have multiple servers issuing certficates for the same registered domain you can aggregate the numbers with |
|
| 31 |
this config: |
|
| 32 |
|
|
| 33 |
[letsencrypt] |
|
| 34 |
update no |
|
| 35 |
contact no |
|
| 36 |
# summarize letsencrypt_weekly from all hosts |
|
| 37 |
# see http://guide.munin-monitoring.org/en/latest/example/graph/aggregated-stack.html#extract-from-munin-conf |
|
| 38 |
# see http://guide.munin-monitoring.org/en/latest/example/graph/aggregate.html#example-plugin-aggregate |
|
| 39 |
|
|
| 40 |
letsencrypt_weekly_example_com.update no |
|
| 41 |
letsencrypt_weekly_example_com.graph_args --base 1000 -l 0 |
|
| 42 |
letsencrypt_weekly_example_com.graph_category security |
|
| 43 |
letsencrypt_weekly_example_com.graph_period week |
|
| 44 |
letsencrypt_weekly_example_com.graph_title Letsencrypt example.com certificate requests |
|
| 45 |
letsencrypt_weekly_example_com.graph_vlabel requests / week |
|
| 46 |
letsencrypt_weekly_example_com.graph_scale no |
|
| 47 |
letsencrypt_weekly_example_com.graph_total Total |
|
| 48 |
letsencrypt_weekly_example_com.weekly.label Certificates for example.com |
|
| 49 |
letsencrypt_weekly_example_com.weekly.draw AREA |
|
| 50 |
letsencrypt_weekly_example_com.weekly.stack \ |
|
| 51 |
line1_name=example.com;line1-host-name.example.com:letsencrypt_weekly.example_com_weekly \ |
|
| 52 |
line2_name=example.com;line2-host-name.example.com:letsencrypt_weekly.example_com_weekly |
|
| 53 |
|
|
| 54 |
letsencrypt_renewal_weekly_example_com.update no |
|
| 55 |
letsencrypt_renewal_weekly_example_com.graph_args --base 1000 -l 0 |
|
| 56 |
letsencrypt_renewal_weekly_example_com.graph_category security |
|
| 57 |
letsencrypt_renewal_weekly_example_com.graph_period week |
|
| 58 |
letsencrypt_renewal_weekly_example_com.graph_title Letsencrypt example.com certificate renewal requests |
|
| 59 |
letsencrypt_renewal_weekly_example_com.graph_vlabel requests / week |
|
| 60 |
letsencrypt_renewal_weekly_example_com.graph_scale no |
|
| 61 |
letsencrypt_renewal_weekly_example_com.graph_total Total |
|
| 62 |
letsencrypt_renewal_weekly_example_com.weekly.label Certificate renewals for example.com |
|
| 63 |
letsencrypt_renewal_weekly_example_com.weekly.draw AREA |
|
| 64 |
letsencrypt_renewal_weekly_example_com.weekly.stack \ |
|
| 65 |
line1_name=example.com;line1-host-name.example.com:letsencrypt_weekly.example_com_renewal_weekly \ |
|
| 66 |
line2_name=example.com;line2-host-name.example.com:letsencrypt_weekly.example_com_renewal_weekly |
|
| 18 | 67 |
|
| 19 | 68 |
=head1 Dependencies |
| 20 | 69 |
|
| ... | ... | |
| 41 | 90 |
critical=${critical:-:50} #letsencrypt doesn't allow more than 50 certificates per week
|
| 42 | 91 |
# see https://letsencrypt.org/docs/rate-limits/ |
| 43 | 92 |
|
| 93 |
|
|
| 94 |
get_files_and_domains() {
|
|
| 95 |
find /etc/letsencrypt/csr/ -mtime -7 -type f -print0 2>/dev/null | xargs -0 -I pem bash -c 'echo -n "pem "; openssl req -in pem -text -noout | grep DNS: | sed "s/.*DNS://g"' |
|
| 96 |
} |
|
| 97 |
|
|
| 98 |
get_registered_domains() {
|
|
| 99 |
local REMOVE_PATH |
|
| 100 |
local TRIM_SUBDOMAIN |
|
| 101 |
REMOVE_PATH='s,.*/,,;' |
|
| 102 |
TRIM_SUBDOMAIN='s/.*\.\([a-z0-9-]\+\.[a-z]\+\)/\1/;' |
|
| 103 |
find /etc/letsencrypt/archive/ -mindepth 1 -maxdepth 1 | sed "$REMOVE_PATH $TRIM_SUBDOMAIN" | sort | uniq |
|
| 104 |
} |
|
| 105 |
|
|
| 44 | 106 |
if [ "$1" = "autoconf" ] ; then |
| 45 | 107 |
test -d /etc/letsencrypt/csr/ && echo "yes" || echo "no (directory /etc/letsencrypt/csr does not exist)" |
| 46 | 108 |
elif [ "$1" = "config" ] ; then |
| ... | ... | |
| 49 | 111 |
echo "graph_vlabel Number of certificates" |
| 50 | 112 |
echo "graph_category security" |
| 51 | 113 |
echo "letsencrypt_weekly.label Letsencrypt certificates last week" |
| 52 |
print_warning "letsencrypt_weekly" |
|
| 53 |
print_critical "letsencrypt_weekly" |
|
| 114 |
for domain in $(get_registered_domains); do |
|
| 115 |
key=${domain//[-.]/_}
|
|
| 116 |
echo "${key}_weekly.label $domain"
|
|
| 117 |
print_warning "${key}_weekly"
|
|
| 118 |
print_critical "${key}_weekly"
|
|
| 119 |
echo "${key}_renewal_weekly.label $domain renewals"
|
|
| 120 |
done |
|
| 54 | 121 |
elif [ "$1" = "" ] ; then |
| 55 |
if existing_certs=$(find /etc/letsencrypt/csr/ -mtime -7 -type f 2>/dev/null); then
|
|
| 56 |
value=$(echo "$existing_certs" | wc -l)
|
|
| 122 |
if existing_renewal_requests=$(get_files_and_domains); then
|
|
| 123 |
value=$(echo "$existing_renewal_requests" | grep -v '^$' -c)
|
|
| 57 | 124 |
else |
| 58 | 125 |
value="U" |
| 59 | 126 |
fi |
| 60 | 127 |
echo "letsencrypt_weekly.value $value" |
| 128 |
values="" |
|
| 129 |
for domain in $(get_registered_domains); do |
|
| 130 |
key=${domain//[-.]/_}
|
|
| 131 |
if [ "$values" != "" ] ; then |
|
| 132 |
values="$values\n${key}_weekly.value 0\n${key}_renewal_weekly.value 0"
|
|
| 133 |
else |
|
| 134 |
values="${key}_weekly.value 0\n${key}_renewal_weekly.value 0"
|
|
| 135 |
fi |
|
| 136 |
done |
|
| 137 |
while read -r file_domain; do |
|
| 138 |
file=${file_domain% *}
|
|
| 139 |
domain=${file_domain#* }
|
|
| 140 |
registered_domain_key=$(echo "$domain" | sed 's/.*\.\([a-z0-9-]\+\.[a-z]\+\)/\1/;s/[-.]/_/g') |
|
| 141 |
previous_certs=$(find "/etc/letsencrypt/archive/$domain" -name 'cert*.pem' -not -cnewer "$file" | wc -l) |
|
| 142 |
if [ "$previous_certs" -gt 0 ] ; then |
|
| 143 |
value_key="${registered_domain_key}_renewal_weekly.value "
|
|
| 144 |
else |
|
| 145 |
value_key="${registered_domain_key}_weekly.value "
|
|
| 146 |
fi |
|
| 147 |
old_value=$(echo -e "$values" | grep "$value_key" | sed 's/.* //g') |
|
| 148 |
value=$((old_value + 1)) |
|
| 149 |
values=${values//$value_key$old_value/$value_key$value}
|
|
| 150 |
done < <(get_files_and_domains) |
|
| 151 |
echo -e $"$values" |
|
| 61 | 152 |
fi |
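Review bot: In get_files_and_domains the CSR path is spliced into the `bash -c` command string by `xargs -I pem`, so the shell re-parses the file name as code, and `echo -n "pem "` emits no newline when `grep DNS:` matches nothing, so the next file's entry lands on the same line and `${file_domain% *}` / `${file_domain#* }` in the fetch loop mis-split it. Passing the name as `$1` and printing exactly one `printf "%s %s\n"` line per file fixes both; the fetch loop should then also skip entries with an empty SAN with `[ -n "$domain" ] || continue` before `find "/etc/letsencrypt/archive/$domain"`, which with an empty domain counts the whole archive as previous certificates. Note too that `if existing_renewal_requests=$(get_files_and_domains)` now tests the exit status of the xargs pipeline rather than of find, so the `value="U"` branch is effectively unreachable. The unanchored `grep "$value_key"` used for old_value can also match a longer key ending in the same suffix (registered domains `ample.com` and `example.com` both match `ample_com_weekly.value `), which yields two lines and breaks the arithmetic; `grep "^$value_key"` avoids that.
```shell
get_files_and_domains() {
  # One "<csr-file> <SAN>" line per CSR; the file name is passed as an
  # argument to the inner shell, never spliced into the command string.
  find /etc/letsencrypt/csr/ -mtime -7 -type f -print0 2>/dev/null \
    | xargs -0 -n 1 bash -c '
        sans=$(openssl req -in "$1" -text -noout | grep DNS: | sed "s/.*DNS://g")
        printf "%s %s\n" "$1" "$sans"' _
}
```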