#!/bin/bash
# Check all certificates in one or more FOLDERs for validity, similar to the check_http certificate check.
# nice-to-have for openvpn certificate monitoring, FOLDERs with certs in general (e.g. easy-rsa)
# There will be a separate check for each FOLDER, summarizing all certs and listing those in WARN / CRIT state as well as the one closest to its expiry date
# Days before expiry at which a certificate is reported as WARNING.
WARN_DAYS=28
# Days before expiry at which a certificate is reported as CRITICAL.
CRIT_DAYS=14
# Configure the FOLDERs at the very bottom!
####
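#######################################
# Emit one Check_MK local-check line summarising the expiry of every
# *.crt file in a folder.
# Only each certificate's notAfter date is examined; chain trust,
# revocation and notBefore are not checked here.
# Globals:   WARN_DAYS, CRIT_DAYS (read; 28 / 14 are used when unset)
# Arguments: $1 - folder containing the .crt files
# Outputs:   "<state> SSL-Certs_<folder name> - <description>" on stdout,
#            state 0=OK, 1=WARN, 2=CRIT, 3=UNKNOWN
# Returns:   0; problems are reported through the state field so that
#            later folder checks in the same script still run
#######################################
function check_certs_in_FOLDER {
  local dir=$1
  local FOLDER TARGET FILENAME enddate expirationdate expirydays
  local now inwarndays incritdays
  # Per-call state, so repeated calls never see data from an earlier folder.
  local leastexpirationdate=0
  local leastexpirationcert=""
  local DESCRIPTION=""
  local STATE=0
  local found=0

  # Folder name without its path (used as the service name in Check_MK).
  FOLDER=$(basename -- "$dir")

  # An empty or missing folder must not silently turn into a glob on "/".
  if [ -z "$dir" ] || [ ! -d "$dir" ]; then
    printf '%s\n' "3 SSL-Certs_$FOLDER - FOLDER $dir is missing or not a directory"
    return 0
  fi

  # Take "now" once so every certificate is judged against the same instant.
  now=$(date +%s)
  inwarndays=$(( now + 86400 * ${WARN_DAYS:-28} ))
  incritdays=$(( now + 86400 * ${CRIT_DAYS:-14} ))

  for TARGET in "$dir"/*.crt; do
    # With no match the pattern stays literal; skip it instead of parsing it.
    [ -e "$TARGET" ] || continue
    found=1
    FILENAME=$(basename -- "$TARGET")

    # -enddate prints "notAfter=<date>" including time and timezone.
    # stderr is dropped on purpose: a failure is reported as UNKNOWN below.
    enddate=$(openssl x509 -in "$TARGET" -noout -enddate </dev/null 2>/dev/null)
    enddate=${enddate#notAfter=}
    expirationdate=""
    # date -d "" would succeed and yield today's midnight, so guard it.
    if [ -n "$enddate" ]; then
      expirationdate=$(date -d "$enddate" '+%s' 2>/dev/null)
    fi

    # Anything that did not parse to an epoch is UNKNOWN, never OK.
    if ! [[ $expirationdate =~ ^-?[0-9]+$ ]]; then
      if [ "$STATE" -ne 2 ]; then STATE=3; fi # keep an existing CRITICAL
      DESCRIPTION="$DESCRIPTION $FILENAME: expiry date could not be read,"
      continue
    fi

    if [ "$leastexpirationdate" -eq 0 ] || [ "$leastexpirationdate" -gt "$expirationdate" ]; then
      leastexpirationdate=$expirationdate
      leastexpirationcert=$FILENAME
    fi

    expirydays=$(( (expirationdate - now) / 86400 ))
    if [ "$now" -gt "$expirationdate" ]; then
      STATE=2
      DESCRIPTION="$DESCRIPTION $FILENAME has already expired!"
    elif [ "$incritdays" -gt "$expirationdate" ]; then
      STATE=2
      DESCRIPTION="$DESCRIPTION $FILENAME expires in $expirydays Days,"
    elif [ "$inwarndays" -gt "$expirationdate" ]; then
      # WARN only replaces OK, so it never hides CRITICAL or UNKNOWN.
      if [ "$STATE" -eq 0 ]; then STATE=1; fi
      DESCRIPTION="$DESCRIPTION $FILENAME expires in $expirydays Days,"
    fi
    # Otherwise the certificate expires at or after the WARN threshold: OK.
  done

  if [ "$found" -eq 0 ]; then
    STATE=3
    DESCRIPTION="No .crt files found in FOLDER $dir"
  elif [ "$STATE" -eq 0 ]; then
    # Report days and date of the certificate that expires next, not of
    # whichever file the loop happened to visit last.
    expirydays=$(( (leastexpirationdate - now) / 86400 ))
    DESCRIPTION="All certs in FOLDER $dir are valid, $leastexpirationcert will expire next in $expirydays days ($(date -d "@$leastexpirationdate" '+%Y-%m-%d'))"
  fi

  # Finally the Check_MK output line.
  printf '%s\n' "$STATE SSL-Certs_$FOLDER - $DESCRIPTION"
}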
# Define your FOLDERs here - currently only .crt files are checked, to exclude private keys if any exist
#check_certs_in_FOLDER "/some/path"
#check_certs_in_FOLDER "/some/other/path"