From 470e837b26e1c0a54805f76911cef95d42eb8da4 Mon Sep 17 00:00:00 2001
From: HaseHarald <lookbehind@OWL-Soft.de>
Date: Sat, 26 Nov 2022 18:36:54 +0100
Subject: [PATCH] [ssl/ssl-certificate-expiry] Add configurable timeout

This should help with unreachable hosts, as the plugin can take more than
10 minutes to complete otherwise. These changes should be fully backwards
compatible, since the default is no timeout set, so it acts the same way
as before.

Changes:
- Introduce "timeout" configuration
- Only run timeout when configured
- Document usage of new configuration
---
 plugins/ssl/ssl-certificate-expiry | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/plugins/ssl/ssl-certificate-expiry b/plugins/ssl/ssl-certificate-expiry
index 029e7869..71951ae1 100755
--- a/plugins/ssl/ssl-certificate-expiry
+++ b/plugins/ssl/ssl-certificate-expiry
@@ -26,6 +26,7 @@ To set warning and critical levels do like this:
     env.proxy PROXYHOST:PORT          # optional, enables openssl operation over proxy
     env.checkname yes                 # optional, checks if used servername is covered by certificate
     env.skip_cert_hashes 2e5ac55d     # optional, skip check of certs with those hashes (2e5ac55d is DST Root CA X3, cross-signing Let's Encrypt certs, but expiring on 2021-09-30)
+    env.timeout 60s                   # optional, sets a timeout for openssl operations. This is useful when the remote server might not be available.
 
 Alternatively, if you want to monitor hosts separately, you can create multiple symlinks named as follows.
 
@@ -137,6 +138,12 @@ print_expire_days() {
     [ -n "${proxy:-}" ] && s_client_args="$s_client_args -proxy $proxy"
     [ -n "${checkname:-}" ] && [ "$checkname" = "yes" ] && s_client_args="$s_client_args -verify_hostname $host"
 
+    # If timeout is configured, setup the command to call.
+    # Use `--preserve-status` to still get the returncode of openssl, not the
+    # one of timeout.
+    local timeout_call=''
+    [ -n "${timeout:-}" ] && timeout_call="timeout --preserve-status ${timeout}"
+
     # We extract and check the server certificate,
     # but the end date also depends on intermediate certs. Therefore
     # we want to check intermediate certs as well.
@@ -155,7 +162,7 @@ print_expire_days() {
     # shellcheck disable=SC2086
     openssl_call="s_client -servername $host -connect ${host}:${port} -showcerts $s_client_args"
     # shellcheck disable=SC2086
-    openssl_response=$(echo "" | openssl ${openssl_call} 2>/dev/null)
+    openssl_response=$(echo "" | ${timeout_call} openssl ${openssl_call} 2>/dev/null)
     if echo "$openssl_response" | grep -qi "Hostname mismatch"; then
 	echo "<>"
     else