certificate_file_expiry: enable checking openvpn in config certificates
This commit is contained in:
parent
f0d5df2902
commit
4b8b098288
1 changed files with 63 additions and 14 deletions
|
@ -15,6 +15,14 @@ For openvpn ca.crt and crl.pem
|
||||||
env.CERTS crl:/etc/openvpn/easy-rsa/keys/crl.pem x509:/etc/openvpn/easy-rsa/keys/ca.crt
|
env.CERTS crl:/etc/openvpn/easy-rsa/keys/crl.pem x509:/etc/openvpn/easy-rsa/keys/ca.crt
|
||||||
env.LOGARITHMIC yes
|
env.LOGARITHMIC yes
|
||||||
|
|
||||||
|
For openvpn inline <ca> and <cert> certificates, as described here
|
||||||
|
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage#lbAV
|
||||||
|
|
||||||
|
[certificate_file_expiry]
|
||||||
|
user root
|
||||||
|
env.CERTS openvpn_inline:/etc/openvpn/client.conf
|
||||||
|
env.LOGARITHMIC yes
|
||||||
|
|
||||||
For letsencrypt certificates
|
For letsencrypt certificates
|
||||||
|
|
||||||
[certificate_file_expiry]
|
[certificate_file_expiry]
|
||||||
|
@ -32,8 +40,11 @@ Warning and Critical levels can also be configured with env variables like this:
|
||||||
# critical when certificate will be invalid within 1 day
|
# critical when certificate will be invalid within 1 day
|
||||||
env.critical 1:
|
env.critical 1:
|
||||||
|
|
||||||
env.CERTS should be a space separated list of patterns prefixed by the type of certificate to check and a colon. All types of
|
env.CERTS should be a space separated list of patterns prefixed by the type of certificate to check and a colon. All
|
||||||
certificates that openssl supports as standard commands and have a validity output are supported (e.g. x509, crl).
|
types of certificates that openssl supports as standard commands and have a validity output are supported
|
||||||
|
(e.g. x509, crl).
|
||||||
|
A special type is openvpn_inline where the plugin gets the certificates directly from the openvpn conf file in between
|
||||||
|
the <ca>\n...\n</ca> and <cert>\n...\n</cert> lines and checks those with openssl x509.
|
||||||
File patterns can be a single file (e.g. /etc/openvpn/easy-rsa/keys/crl.pem) or a pattern that matches multiple files
|
File patterns can be a single file (e.g. /etc/openvpn/easy-rsa/keys/crl.pem) or a pattern that matches multiple files
|
||||||
(e.g. /etc/letsencrypt/live/*/cert.pem).
|
(e.g. /etc/letsencrypt/live/*/cert.pem).
|
||||||
|
|
||||||
|
@ -78,22 +89,60 @@ warning=${warning:-5:}
|
||||||
critical=${critical:-1:}
|
critical=${critical:-1:}
|
||||||
|
|
||||||
now=$(date +%s)
|
now=$(date +%s)
|
||||||
|
get_validity() {
|
||||||
|
local file
|
||||||
|
local openssl_type
|
||||||
|
local validity_line
|
||||||
|
local validity_str_value
|
||||||
|
local validity_timestamp
|
||||||
|
local validity_seconds
|
||||||
|
openssl_type=$1
|
||||||
|
file=$2
|
||||||
|
if [ "$file" != "-" ] ; then
|
||||||
|
validity_line=$(/usr/bin/openssl "$openssl_type" -text -noout -in "$file" | grep -E '(Next Update|Not After)')
|
||||||
|
else
|
||||||
|
# when file is set to -- read from stdin
|
||||||
|
validity_line=$(/usr/bin/openssl "$openssl_type" -text -noout | grep -E '(Next Update|Not After)')
|
||||||
|
fi
|
||||||
|
validity_str_value=${validity_line#*:}
|
||||||
|
validity_timestamp=$(date --date="$validity_str_value" +%s)
|
||||||
|
validity_seconds=$((validity_timestamp - now))
|
||||||
|
echo "$validity_seconds" | awk '{ print ($1 / 86400) }'
|
||||||
|
}
|
||||||
|
print_config_lines() {
|
||||||
|
name=$1
|
||||||
|
label=$2
|
||||||
|
echo "${name}.label ${label}"
|
||||||
|
print_warning "$name"
|
||||||
|
print_critical "$name"
|
||||||
|
}
|
||||||
|
get_openvpn_inline_cert() {
|
||||||
|
file=$1
|
||||||
|
type=$2
|
||||||
|
# print content between <type> and </type> lines (ca and cert)
|
||||||
|
awk 'BEGIN{content=0}/^<\/'"$type"'>$/{content=0}(content==1){ print $0 }/^<'"$type"'>$/{content=1}' < "$file"
|
||||||
|
}
|
||||||
|
|
||||||
for cert in ${CERTS}; do
|
for cert in ${CERTS}; do
|
||||||
cert_type=${cert%:*}
|
cert_type=${cert%:*}
|
||||||
cert_pattern=${cert#*:}
|
cert_pattern=${cert#*:}
|
||||||
for cert_file in $cert_pattern; do
|
for cert_file in $cert_pattern; do
|
||||||
cert_name=$(clean_fieldname "$cert_file")
|
if [ "$cert_type" = "openvpn_inline" ] ; then
|
||||||
if [ "$1" = "config" ] ; then
|
for type in "ca" "cert"; do
|
||||||
echo "${cert_name}.label ${cert_file}"
|
cert_name=$(clean_fieldname "$cert_file-$type")
|
||||||
print_warning "$cert_name"
|
if [ "$1" = "config" ] ; then
|
||||||
print_critical "$cert_name"
|
print_config_lines "$cert_name" "${cert_file} ${type}"
|
||||||
elif [ "$1" = "" ] ; then
|
elif [ "$1" = "" ] ; then
|
||||||
validity=$(/usr/bin/openssl "$cert_type" -text -noout -in "$cert_file" | grep -E '(Next Update|Not After)')
|
echo "${cert_name}.value $(get_openvpn_inline_cert "$cert_file" "$type" | get_validity "x509" "-")"
|
||||||
validity=${validity#*:}
|
fi
|
||||||
validity=$(date --date="$validity" +%s)
|
done
|
||||||
validity=$((validity - now))
|
else
|
||||||
validity=$(echo "$validity" | awk '{ print ($1 / 86400) }')
|
cert_name=$(clean_fieldname "$cert_file")
|
||||||
echo "${cert_name}.value $validity"
|
if [ "$1" = "config" ] ; then
|
||||||
|
print_config_lines "$cert_name" "${cert_file}"
|
||||||
|
elif [ "$1" = "" ] ; then
|
||||||
|
echo "${cert_name}.value $(get_validity "$cert_type" "$cert_file")"
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
done
|
done
|
||||||
|
|
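Review bot: get_validity never checks that openssl actually produced a validity line, so when the conf has no `<ca>`/`<cert>` block (a config that uses the `ca`/`cert` file directives instead) or openssl rejects the input, validity_str_value is empty and `date --date=""` resolves to today's midnight on GNU date, making the plugin report a near-zero or negative day count that reads as an imminent expiry instead of an unknown value. After the `fi` that closes the stdin branch I would add `[ -n "$validity_line" ] || { echo U; return 1; }` so the field is emitted as `U`, the value munin treats as unknown; the same silent-failure path is reachable from the non-inline branch through `get_validity "$cert_type" "$cert_file"`. As a point of style, get_openvpn_inline_cert assigns `file` and `type` and print_config_lines assigns `name` and `label` without `local`, unlike get_validity; `local file type` and `local name label` would keep them out of the caller's scope, which matters for print_config_lines since it runs in the current shell rather than a command substitution.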