Mirrors/Munin-Contrib
1
0
Fork 0
mirror of https://github.com/munin-monitoring/contrib.git synced 2025-07-21 18:41:03 +00:00
Code Issues Releases Wiki Activity

[ssl/ssl-certificate-expiry] Add configurable timeout

Browse source 
This should help with unreachable hosts, as the plugin can take more than
10 minutes to complete otherwise. These changes should be fully backwards
compatible, since the default is no timeout set, so it acts the same way
as before.

Changes:
- Introduce "timeout" configuration
- Only run timeout when configured
- Document usage of new configuration
This commit is contained in:
HaseHarald 2022-11-26 18:36:54 +01:00 committed by Kenyon Ralph
parent 59bb8555db
commit 470e837b26
1 changed files with 8 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

9
plugins/ssl/ssl-certificate-expiry
View file

@ -26,6 +26,7 @@ To set warning and critical levels do like this:
env.proxy PROXYHOST:PORT # optional, enables openssl operation over proxy
env.checkname yes # optional, checks if used servername is covered by certificate
env.skip_cert_hashes 2e5ac55d # optional, skip check of certs with those hashes (2e5ac55d is DST Root CA X3, cross-signing Let's Encrypt certs, but expiring on 2021-09-30)
env.timeout 60s # optional, sets a timeout for openssl operations. This is useful when the remote server might not be available.
Alternatively, if you want to monitor hosts separately, you can create multiple symlinks named as follows.
@ -137,6 +138,12 @@ print_expire_days() {
[ -n "${proxy:-}" ] && s_client_args="$s_client_args -proxy $proxy"
[ -n "${checkname:-}" ] && [ "$checkname" = "yes" ] && s_client_args="$s_client_args -verify_hostname $host"
# If timeout is configured, setup the command to call.
# Use `--preserve-status` to still get the returncode of openssl, not the
# one of timeout.
local timeout_call=''
[ -n "${timeout:-}" ] && timeout_call="timeout --preserve-status ${timeout}"
# We extract and check the server certificate,
# but the end date also depends on intermediate certs. Therefore
# we want to check intermediate certs as well.
@ -155,7 +162,7 @@ print_expire_days() {
# shellcheck disable=SC2086
openssl_call="s_client -servername $host -connect ${host}:${port} -showcerts $s_client_args"
# shellcheck disable=SC2086
openssl_response=$(echo "" | openssl ${openssl_call} 2>/dev/null)
openssl_response=$(echo "" | ${timeout_call} openssl ${openssl_call} 2>/dev/null)
if echo "$openssl_response" | grep -qi "Hostname mismatch"; then
echo "<>"
else