Révision d6d5fa80
Added plugins for certificates
- plugin to monitor certificate lifetime
- plugin to monitor letsencrypt certificate issue limit
| plugins/ssl/certificate_file_expiry | ||
|---|---|---|
| 1 |
#!/bin/sh |
|
| 2 |
: << =cut |
|
| 3 |
=head1 NAME |
|
| 4 |
|
|
| 5 |
certficate_file_expiry - check the certificate validity of your certfificates |
|
| 6 |
|
|
| 7 |
= head1 CONFIGURATION |
|
| 8 |
|
|
| 9 |
Installing: Add list of your certificates prefixed by the type in munin plugin-conf.d |
|
| 10 |
|
|
| 11 |
For openvpn ca.crt and crl.pem |
|
| 12 |
[certficate_file_expiry] |
|
| 13 |
user root |
|
| 14 |
env.CERTS crl:/etc/openvpn/easy-rsa/keys/crl.pem x509:/etc/openvpn/easy-rsa/keys/ca.crt |
|
| 15 |
|
|
| 16 |
For letsencrypt certficates |
|
| 17 |
[certficate_file_expiry] |
|
| 18 |
user root |
|
| 19 |
env.CERTS x509:/etc/letsencrypt/live/domain1.example.com/cert.pem x509:/etc/letsencrypt/live/domain2.example.com/cert.pem |
|
| 20 |
|
|
| 21 |
Warning and Critical levels can also be configured with env variables like this |
|
| 22 |
[certficate_file_expiry] |
|
| 23 |
... |
|
| 24 |
# warn when certificate will be invalid within 5 days |
|
| 25 |
env.warning 5: |
|
| 26 |
# critical when certificate will be invalid within 1 day |
|
| 27 |
env.critical 1: |
|
| 28 |
|
|
| 29 |
=head1 Dependencies |
|
| 30 |
|
|
| 31 |
Dependencies: openssl |
|
| 32 |
|
|
| 33 |
=head1 AUTHOR |
|
| 34 |
|
|
| 35 |
andreas perhab - andreas.perhab@wt-io-it.at |
|
| 36 |
https://www.wt-io-it.at/ |
|
| 37 |
|
|
| 38 |
=head1 LICENSE |
|
| 39 |
|
|
| 40 |
GPLv2 |
|
| 41 |
|
|
| 42 |
=cut |
|
| 43 |
|
|
| 44 |
. "$MUNIN_LIBDIR/plugins/plugin.sh" |
|
| 45 |
|
|
| 46 |
if [ "$1" = "config" ] ; then |
|
| 47 |
echo "graph_title Certificate validity" |
|
| 48 |
echo "graph_args --logarithmic --base 1000" |
|
| 49 |
echo "graph_vlabel certificate validity in days" |
|
| 50 |
echo "graph_category security" |
|
| 51 |
fi |
|
| 52 |
|
|
| 53 |
now=$(date +%s) |
|
| 54 |
warning=${warning:-5:}
|
|
| 55 |
critical=${critical:-1:}
|
|
| 56 |
for cert in ${CERTS}; do
|
|
| 57 |
cert_type=${cert%:*}
|
|
| 58 |
cert_file=${cert#*:}
|
|
| 59 |
cert_name=$(clean_fieldname "$cert_file") |
|
| 60 |
if [ "$1" = "config" ] ; then |
|
| 61 |
echo "${cert_name}.label ${cert_file}"
|
|
| 62 |
print_warning "$cert_name" |
|
| 63 |
print_critical "$cert_name" |
|
| 64 |
elif [ "$1" = "" ] ; then |
|
| 65 |
validity=$(/usr/bin/openssl "$cert_type" -text -noout -in "$cert_file" | grep -E '(Next Update|Not After)') |
|
| 66 |
validity=${validity#*:}
|
|
| 67 |
validity=$(date --date="$validity" +%s) |
|
| 68 |
validity=$((validity - now)) |
|
| 69 |
validity=$(echo "$validity" | awk '{ print ($1 / 86400) }')
|
|
| 70 |
echo "${cert_name}.value $validity"
|
|
| 71 |
fi |
|
| 72 |
done |
|
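Review bot: The value branch (lines 65–70) never checks whether openssl could actually read the certificate: when the file is missing or unreadable the grep yields an empty string, `date --date=""` appears to resolve (on GNU date) to today's midnight, and the plugin emits a small negative day count instead of the unknown value `U`, so a deleted or unreadable certificate looks like one that just expired rather than like a monitoring gap. Guard the result before the date conversion, e.g. `if [ -z "$validity" ]; then echo "${cert_name}.value U"; continue; fi`. Since `cert_type` is handed straight to openssl as its subcommand and an entry without a colon yields the whole string for both type and path (lines 57–58), a whitelist at the top of the loop such as `case "$cert_type" in x509|crl) ;; *) continue ;; esac` would make a misconfigured CERTS entry fail visibly instead of running an unintended openssl subcommand. The POD also documents the config stanza as `[certficate_file_expiry]` (missing an "i") while the file is named certificate_file_expiry, so the documented configuration would not be applied to this plugin; `= head1 CONFIGURATION` on line 7 has a stray space as well.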
| plugins/ssl/letsencrypt_weekly | ||
|---|---|---|
| 1 |
#!/bin/sh |
|
| 2 |
: << =cut |
|
| 3 |
=head1 NAME |
|
| 4 |
|
|
| 5 |
letsencrypt_weekly - monitor the number of CSRs by week for /etc/letsencrypt/csr/ |
|
| 6 |
|
|
| 7 |
see https://letsencrypt.org/docs/rate-limits/ |
|
| 8 |
|
|
| 9 |
= head1 CONFIGURATION |
|
| 10 |
|
|
| 11 |
You can configure the warning and critical limits for this plugin: |
|
| 12 |
|
|
| 13 |
[letsencrypt_weekly] |
|
| 14 |
# warn when more than 40 certificates have been requested in the last week |
|
| 15 |
env.warning :40 |
|
| 16 |
# critical when more than 50 certificates have been requested in the last week |
|
| 17 |
env.critical :50 |
|
| 18 |
|
|
| 19 |
=head1 Dependencies |
|
| 20 |
|
|
| 21 |
Dependencies: openssl |
|
| 22 |
|
|
| 23 |
=head1 AUTHOR |
|
| 24 |
|
|
| 25 |
andreas perhab - andreas.perhab@wt-io-it.at |
|
| 26 |
https://www.wt-io-it.at/ |
|
| 27 |
|
|
| 28 |
=head1 LICENSE |
|
| 29 |
|
|
| 30 |
GPLv2 |
|
| 31 |
|
|
| 32 |
=head1 MAGIC MARKERS |
|
| 33 |
|
|
| 34 |
#%# family=auto |
|
| 35 |
#%# capabilities=autoconf |
|
| 36 |
|
|
| 37 |
=cut |
|
| 38 |
|
|
| 39 |
. "$MUNIN_LIBDIR/plugins/plugin.sh" |
|
| 40 |
|
|
| 41 |
warning=${warning:-:40}
|
|
| 42 |
critical=${critical:-:50} #letsencrypt doesn't allow more than 50 certificates per week
|
|
| 43 |
# see https://letsencrypt.org/docs/rate-limits/ |
|
| 44 |
|
|
| 45 |
if [ "$1" = "autoconf" ] ; then |
|
| 46 |
test -d /etc/letsencrypt/csr/ && echo "yes" || echo "no (directory /etc/letsencrypt/csr does not exist)" |
|
| 47 |
elif [ "$1" = "config" ] ; then |
|
| 48 |
echo "graph_title Letsencrypt certificate requests during last week" |
|
| 49 |
echo "graph_args --base 1000" |
|
| 50 |
echo "graph_vlabel Number of certificates" |
|
| 51 |
echo "graph_category security" |
|
| 52 |
echo "letsencrypt_weekly.label Letsencrypt certificates last week" |
|
| 53 |
print_warning "letsencrypt_weekly" |
|
| 54 |
print_critical "letsencrypt_weekly" |
|
| 55 |
elif [ "$1" = "" ] ; then |
|
| 56 |
if existing_certs=$(find /etc/letsencrypt/csr/ -mtime -7 -type f 2>/dev/null); then |
|
| 57 |
value=$(echo "$existing_certs" | wc -l) |
|
| 58 |
else |
|
| 59 |
value="U" |
|
| 60 |
fi |
|
| 61 |
echo "letsencrypt_weekly.value $value" |
|
| 62 |
fi |
|
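Review bot: When no CSR file was created in the last seven days (lines 56–57), `existing_certs` is empty but `echo "$existing_certs" | wc -l` still counts the trailing newline, so an idle host reports 1 instead of 0 and the warning/critical thresholds are off by one. Change line 57 to count only when something was found, e.g. `if [ -n "$existing_certs" ]; then value=$(printf '%s\n' "$existing_certs" | wc -l); else value=0; fi`. The number of files under /etc/letsencrypt/csr/ is only a proxy for the issuance limit the POD links to, since a renewal or multi-domain request may not map one-to-one to a CSR file, so a comment above line 56 stating that assumption would help whoever tunes the thresholds; note that `-mtime -7` is also rounded to whole days by find.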