From a4c308081c26cfe48f15f0ce741b1bbbf55bc4fc Mon Sep 17 00:00:00 2001
From: Olivier Mehani
Date: Mon, 12 Jun 2017 20:57:27 +1000
Subject: [PATCH 1/7] [multi_ssl] New plugin showing multiple SSL Cert expiry in one graph
Signed-off-by: Olivier Mehani
---
plugins/ssl/multi_ssl | 75 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 75 insertions(+)
create mode 100755 plugins/ssl/multi_ssl
diff --git a/plugins/ssl/multi_ssl b/plugins/ssl/multi_ssl
new file mode 100755
index 00000000..89eae5e5
--- /dev/null
+++ b/plugins/ssl/multi_ssl
@@ -0,0 +1,75 @@
+#!/bin/bash
+# -*- sh -*-
+
+: << =cut
+
+=head1 NAME
+
+multi_ssl - Plugin to monitor CERTificate expiration on multiple services and ports
+
+=head1 CONFIGURATION
+
+ [multi_ssl_*]
+ env.services www.service.tld blah.example.net_PORT
+
+To set warning and critical levels do like this:
+
+ [multi_ssl]
+ env.services ...
+ env.warning 30:
+
+=head1 AUTHOR
+
+Pactrick Domack (ssl_)
+Olivier Mehani (multi_ssl)
+
+Copyright (C) 2013 Patrick Domack
+Copyright (C) 2017 Olivier Mehani
+
+=head1 LICENSE
+
+=cut
+
+. "${MUNIN_LIBDIR}/plugins/plugin.sh"
+
+if [ "${MUNIN_DEBUG}" = 1 ]; then
+ set -x
+fi
+
+case $1 in
+ config)
+
+ echo "graph_title SSL Certificates Expiration"
+ echo 'graph_args --base 1000'
+ echo 'graph_vlabel days left'
+ echo 'graph_category security'
+ echo "graph_info This graph shows the days left for the certificate"
+ for service in $services; do
+ fieldname=$(clean_fieldname "$service")
+ echo "${fieldname}.label ${service/_/:}"
+ print_thresholds ${fieldname}
+ done
+
+ exit 0
+ ;;
+esac
+
+function get_expire()
+{
+ SITE="${1/_*/}"
+ PORT="${1##*_}"
+ VAR="$(clean_fieldname "$1")"
+ if [ "$PORT" = "$SITE" ]; then
+ PORT=443
+ fi
+
+ CERT=$(echo "" | openssl s_client -CApath /etc/ssl/certs -servername "${SITE}" -connect "${SITE}:${PORT}" 2>/dev/null);
+
+ if [[ "${CERT}" = *"-----BEGIN CERTIFICATE-----"* ]]; then
+ echo "${CERT}" | openssl x509 -noout -enddate | awk -F= 'BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", month, " "); for (i=1; i<=12; i++) mdigit[month[i]] = i; } /notAfter/ { split($0,a,"="); split(a[2],b," "); split(b[3],time,":"); datetime=b[4] " " mdigit[b[1]] " " b[2] " " time[1] " " time[2] " " time[3]; days=(mktime(datetime)-systime())/86400; print "VAR.value " days; }' | sed "s/VAR/${VAR}/g"
+ fi
+}
+
+for service in $services; do
+ get_expire "$service"
+done
From 91fe427bfc99089f86b84c018099c857c82ba7ee Mon Sep 17 00:00:00 2001
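Review bot: In `get_expire`, a failed fetch produces no output at all: stderr from `openssl s_client` is discarded and there is no `else` branch when the output holds no certificate, so an unreachable service or a failed handshake simply drops the field instead of reporting a problem. Emitting `echo "${VAR}.value U"` in an `else` branch would make the gap visible in the graph. `s_client` is also run without a time limit, so one unresponsive host can stall the whole plugin run. Because its verification result is never inspected, the expiry shown may belong to a certificate that does not chain to `/etc/ssl/certs`.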
From: Olivier Mehani Date: Fri, 16 Jun 2017 20:46:12 +1000 Subject: [PATCH 2/7] [ssl_/multi_ssl] More legible cert-parsing code Signed-off-by: Olivier Mehani --- plugins/ssl/multi_ssl | 17 +++++++++++++++-- plugins/ssl/ssl_ | 16 ++++++++++++++-- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/plugins/ssl/multi_ssl b/plugins/ssl/multi_ssl index 89eae5e5..583a61f1 100755 --- a/plugins/ssl/multi_ssl +++ b/plugins/ssl/multi_ssl @@ -47,7 +47,7 @@ case $1 in for service in $services; do fieldname=$(clean_fieldname "$service") echo "${fieldname}.label ${service/_/:}" - print_thresholds ${fieldname} + print_thresholds "${fieldname}" done exit 0 @@ -66,7 +66,20 @@ function get_expire() CERT=$(echo "" | openssl s_client -CApath /etc/ssl/certs -servername "${SITE}" -connect "${SITE}:${PORT}" 2>/dev/null); if [[ "${CERT}" = *"-----BEGIN CERTIFICATE-----"* ]]; then - echo "${CERT}" | openssl x509 -noout -enddate | awk -F= 'BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", month, " "); for (i=1; i<=12; i++) mdigit[month[i]] = i; } /notAfter/ { split($0,a,"="); split(a[2],b," "); split(b[3],time,":"); datetime=b[4] " " mdigit[b[1]] " " b[2] " " time[1] " " time[2] " " time[3]; days=(mktime(datetime)-systime())/86400; print "VAR.value " days; }' | sed "s/VAR/${VAR}/g" + echo "${CERT}" \ + | openssl x509 -noout -enddate \ + | awk -F= 'BEGIN { + split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", month, " "); + for (i=1; i<=12; i++) + mdigit[month[i]] = i; + } + /notAfter/ { + split($0,a,"="); split(a[2],b," "); split(b[3],time,":"); + datetime=b[4] " " mdigit[b[1]] " " b[2] " " time[1] " " time[2] " " time[3]; + days=(mktime(datetime)-systime())/86400; + print "VAR.value " days; + }' \ + | sed "s/VAR/${VAR}/g" fi } diff --git a/plugins/ssl/ssl_ b/plugins/ssl/ssl_ index 1f666b07..76e7686f 100755 --- a/plugins/ssl/ssl_ +++ b/plugins/ssl/ssl_ 
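Review bot: The reflowed awk program in the `@@ -66,7 +66,20 @@` hunk still passes the `notAfter` fields to `mktime()`, which interprets them in the local time zone, while `openssl x509 -enddate` prints the date in GMT; the computed `days` is therefore off by the host's UTC offset. Running that stage as `| TZ=UTC awk -F= 'BEGIN {` would keep the two consistent. A one-line comment above the pipeline, such as `# notAfter=Mon DD HH:MM:SS YYYY GMT -> "YYYY MM DD HH MM SS" for mktime()`, would also document the field reshuffling. The same block is reflowed in the `plugins/ssl/ssl_` hunk `@@ -54,5 +54,17 @@`, and the point applies there too.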
@@ -26,7 +26,7 @@ Copyright (C) 2013 Patrick Domack =cut -. $MUNIN_LIBDIR/plugins/plugin.sh +. "$MUNIN_LIBDIR/plugins/plugin.sh" ARGS=${0##*ssl_} SITE=${ARGS/_*/} @@ -54,5 +54,17 @@ esac cert=$(echo "" | openssl s_client -CApath /etc/ssl/certs -servername "${SITE}" -connect "${SITE}:${PORT}" 2>/dev/null); if [[ "${cert}" = *"-----BEGIN CERTIFICATE-----"* ]]; then - echo "${cert}" | openssl x509 -noout -enddate | awk -F= 'BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", month, " "); for (i=1; i<=12; i++) mdigit[month[i]] = i; } /notAfter/ { split($0,a,"="); split(a[2],b," "); split(b[3],time,":"); datetime=b[4] " " mdigit[b[1]] " " b[2] " " time[1] " " time[2] " " time[3]; days=(mktime(datetime)-systime())/86400; print "expire.value " days; }' + echo "${cert}" \ + | openssl x509 -noout -enddate \ + | awk -F= 'BEGIN { + split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", month, " "); + for (i=1; i<=12; i++) + mdigit[month[i]] = i; + } + /notAfter/ { + split($0,a,"="); split(a[2],b," "); split(b[3],time,":"); + datetime=b[4] " " mdigit[b[1]] " " b[2] " " time[1] " " time[2] " " time[3]; + days=(mktime(datetime)-systime())/86400; + print "expire.value " days; + }' fi From f31fe9a6c3962aa7c1f4b395d041adb2ff903c4f Mon Sep 17 00:00:00 2001 From: Olivier Mehani Date: Fri, 16 Jun 2017 21:09:44 +1000 Subject: [PATCH 3/7] [multi-ssl] POSIX shell compatibility Signed-off-by: Olivier Mehani --- plugins/ssl/multi_ssl | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/plugins/ssl/multi_ssl b/plugins/ssl/multi_ssl index 583a61f1..7c348670 100755 --- a/plugins/ssl/multi_ssl +++ b/plugins/ssl/multi_ssl @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh # -*- sh -*- : << =cut @@ -9,7 +9,7 @@ multi_ssl - Plugin to monitor CERTificate expiration on multiple services and po =head1 CONFIGURATION - [multi_ssl_*] + [multi_ssl] env.services www.service.tld blah.example.net_PORT To set warning and critical levels do like this: 
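Review bot: Switching the shebang to `#!/bin/sh` in the `@@ -1,4 +1,4 @@` hunk makes the shell portable, but the awk program the script pipes into still calls `mktime()` and `systime()`, which are GNU awk extensions rather than POSIX awk. On a host whose `awk` lacks them the plugin would presumably fail at that stage and report no value, so the dependency is worth stating in the POD header, for example `Requires an awk providing mktime() and systime() (e.g. gawk).` The hunk shows only the first lines of the file; the awk call itself lies outside it.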
@@ -46,7 +46,7 @@ case $1 in echo "graph_info This graph shows the days left for the certificate" for service in $services; do fieldname=$(clean_fieldname "$service") - echo "${fieldname}.label ${service/_/:}" + echo "${fieldname}.label $(echo ${service} | sed 's/_/:/')" print_thresholds "${fieldname}" done @@ -54,10 +54,10 @@ case $1 in ;; esac -function get_expire() +get_expire() { - SITE="${1/_*/}" - PORT="${1##*_}" + SITE="$(echo ${1} | sed 's/_.*//')" + PORT="$(echo ${1} | sed 's/.*_//')" VAR="$(clean_fieldname "$1")" if [ "$PORT" = "$SITE" ]; then PORT=443 @@ -65,7 +65,7 @@ function get_expire() CERT=$(echo "" | openssl s_client -CApath /etc/ssl/certs -servername "${SITE}" -connect "${SITE}:${PORT}" 2>/dev/null); - if [[ "${CERT}" = *"-----BEGIN CERTIFICATE-----"* ]]; then + if echo "${CERT}" | grep -q -- "-----BEGIN CERTIFICATE-----"; then echo "${CERT}" \ | openssl x509 -noout -enddate \ | awk -F= 'BEGIN { From 47ef218263b48615d9c01161ade029f2742046df Mon Sep 17 00:00:00 2001 From: Olivier Mehani Date: Tue, 20 Jun 2017 21:14:24 +1000 Subject: [PATCH 4/7] [multi-ssl] Backward compatibility with ssl_ Signed-off-by: Olivier Mehani --- plugins/ssl/multi_ssl | 30 ++++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/plugins/ssl/multi_ssl b/plugins/ssl/multi_ssl index 7c348670..dac068a4 100755 --- a/plugins/ssl/multi_ssl +++ b/plugins/ssl/multi_ssl @@ -10,7 +10,7 @@ multi_ssl - Plugin to monitor CERTificate expiration on multiple services and po =head1 CONFIGURATION [multi_ssl] - env.services www.service.tld blah.example.net_PORT + env.services www.service.tld blah.example.net:PORT To set warning and critical levels do like this: 
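Review bot: The replacements in the `@@ -54,10 +54,10 @@` hunk expand `${1}` unquoted inside `$(echo ${1} | sed …)`, so a service name containing glob characters or whitespace is split or expanded before `sed` sees it. The same applies to `$(echo ${service} | sed 's/_/:/')` in the `@@ -46,7 +46,7 @@` hunk. POSIX parameter expansion does the same job without a subprocess: `SITE="${1%%_*}"` and `PORT="${1##*_}"` (the latter was already POSIX before this change). `get_expire` continues past the end of the hunk.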
@@ -18,6 +18,17 @@ To set warning and critical levels do like this: env.services ... env.warning 30: +Alternatively, if you want to monitor hosts separately, you can create multiple symlinks named as follows. + + multi_ssl_HOST:PORT + +For example: + + multi_ssl_www.example.net + multi_ssl_www.example.org_443 + multi_ssl_192.0.2.42_636 + multi_ssl_2001:0DB8::badc:0fee_485 + =head1 AUTHOR Pactrick Domack (ssl_) @@ -36,6 +47,13 @@ if [ "${MUNIN_DEBUG}" = 1 ]; then set -x fi +HOSTPORT=${0##*multi_ssl_} + +if [ "${HOSTPORT}" != "${0}" ] \ + && [ ! -z "${HOSTPORT}" ]; then + services="${HOSTPORT}" +fi + case $1 in config) @@ -46,7 +64,7 @@ case $1 in echo "graph_info This graph shows the days left for the certificate" for service in $services; do fieldname=$(clean_fieldname "$service") - echo "${fieldname}.label $(echo ${service} | sed 's/_/:/')" + echo "${fieldname}.label $(echo "${service}" | sed 's/_/:/')" print_thresholds "${fieldname}" done @@ -56,12 +74,16 @@ esac get_expire() { - SITE="$(echo ${1} | sed 's/_.*//')" - PORT="$(echo ${1} | sed 's/.*_//')" + SITE="$(echo "${1}" | sed 's/_.*//')" + PORT="$(echo "${1}" | sed 's/.*_//')" + VAR="$(clean_fieldname "$1")" if [ "$PORT" = "$SITE" ]; then PORT=443 fi + if echo "$SITE" | grep -q ':'; then + SITE="[${SITE}]" + fi CERT=$(echo "" | openssl s_client -CApath /etc/ssl/certs -servername "${SITE}" -connect "${SITE}:${PORT}" 2>/dev/null); From 21cc6fc4581859adbf1266067f8accf01ea687df Mon Sep 17 00:00:00 2001 From: Olivier Mehani Date: Tue, 20 Jun 2017 21:15:17 +1000 Subject: [PATCH 5/7] [ssl-certificate-expiry] Rename from multi_ssl Signed-off-by: Olivier Mehani --- plugins/ssl/{multi_ssl => ssl-certificate-expiry} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename plugins/ssl/{multi_ssl => ssl-certificate-expiry} (100%) diff --git a/plugins/ssl/multi_ssl b/plugins/ssl/ssl-certificate-expiry similarity index 100% rename from plugins/ssl/multi_ssl rename to plugins/ssl/ssl-certificate-expiry 
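Review bot: In the `@@ -56,12 +74,16 @@` hunk the bracketed form `SITE="[${SITE}]"` is what `-connect` needs, but the same variable is also passed to `-servername`, so for an IPv6 target the SNI value sent is the literal `[addr]`, which is not a host name. Keeping the bracketed value in its own variable avoids that: set `CONNECT="${SITE}"` before the `if`, assign `CONNECT="[${SITE}]"` inside it, and use `-connect "${CONNECT}:${PORT}"`. Whether `-servername` should be sent at all for an address literal is worth deciding explicitly. The `openssl s_client` line is unchanged context at the end of the hunk.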
From 332396976bd2ae9178627b553a99a079e9135320 Mon Sep 17 00:00:00 2001 From: Olivier Mehani Date: Wed, 21 Jun 2017 21:32:48 +1000 Subject: [PATCH 6/7] fixup! [multi-ssl] Backward compatibility with ssl_ --- plugins/ssl/ssl-certificate-expiry | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/plugins/ssl/ssl-certificate-expiry b/plugins/ssl/ssl-certificate-expiry index dac068a4..1d82558b 100755 --- a/plugins/ssl/ssl-certificate-expiry +++ b/plugins/ssl/ssl-certificate-expiry @@ -10,7 +10,7 @@ multi_ssl - Plugin to monitor CERTificate expiration on multiple services and po =head1 CONFIGURATION [multi_ssl] - env.services www.service.tld blah.example.net:PORT + env.services www.service.tld blah.example.net_PORT To set warning and critical levels do like this: @@ -20,7 +20,7 @@ To set warning and critical levels do like this: Alternatively, if you want to monitor hosts separately, you can create multiple symlinks named as follows. - multi_ssl_HOST:PORT + multi_ssl_HOST_PORT For example: @@ -82,6 +82,7 @@ get_expire() PORT=443 fi if echo "$SITE" | grep -q ':'; then + # Wrap IPv6 addresses in square brackets SITE="[${SITE}]" fi From 81e1966814ca87a59824dfc1a8632f4da460f878 Mon Sep 17 00:00:00 2001 From: Olivier Mehani Date: Sun, 23 Jul 2017 13:19:40 +1000 Subject: [PATCH 7/7] [ssl] Remove legacy ssl, and replacement ssl-certificate-expiry Signed-off-by: Olivier Mehani --- plugins/ssl/ssl-certificate-expiry | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/plugins/ssl/ssl-certificate-expiry b/plugins/ssl/ssl-certificate-expiry index 1d82558b..9295380a 100755 --- a/plugins/ssl/ssl-certificate-expiry +++ b/plugins/ssl/ssl-certificate-expiry 
@@ -5,34 +5,34 @@ =head1 NAME -multi_ssl - Plugin to monitor CERTificate expiration on multiple services and ports +ssl-certificate-expiry - Plugin to monitor CERTificate expiration on multiple services and ports =head1 CONFIGURATION - [multi_ssl] + [ssl-certificate-expiry] env.services www.service.tld blah.example.net_PORT To set warning and critical levels do like this: - [multi_ssl] + [ssl-certificate-expiry] env.services ... env.warning 30: Alternatively, if you want to monitor hosts separately, you can create multiple symlinks named as follows. - multi_ssl_HOST_PORT + ssl-certificate-expiry_HOST_PORT For example: - multi_ssl_www.example.net - multi_ssl_www.example.org_443 - multi_ssl_192.0.2.42_636 - multi_ssl_2001:0DB8::badc:0fee_485 + ssl-certificate-expiry_www.example.net + ssl-certificate-expiry_www.example.org_443 + ssl-certificate-expiry_192.0.2.42_636 + ssl-certificate-expiry_2001:0DB8::badc:0fee_485 =head1 AUTHOR Pactrick Domack (ssl_) -Olivier Mehani (multi_ssl) +Olivier Mehani (ssl-certificate-expiry) Copyright (C) 2013 Patrick Domack Copyright (C) 2017 Olivier Mehani @@ -47,7 +47,7 @@ if [ "${MUNIN_DEBUG}" = 1 ]; then set -x fi -HOSTPORT=${0##*multi_ssl_} +HOSTPORT=${0##*ssl-certificate-expiry_} if [ "${HOSTPORT}" != "${0}" ] \ && [ ! -z "${HOSTPORT}" ]; then
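Review bot: After the prefix change in the `@@ -47,7 +47,7 @@` hunk, a symlink that still uses the old `multi_ssl_HOST` naming no longer matches, `HOSTPORT` equals `$0`, and `services` keeps whatever `env.services` provides; if that is empty, the `for service in $services` loops presumably run zero times and the plugin exits quietly with nothing monitored. A guard after this block, such as `[ -n "${services}" ] || { echo "no services configured" >&2; exit 1; }`, would turn that into a visible failure. The subject line also says the legacy `ssl_` plugin is removed, but the diffstat lists only `ssl-certificate-expiry`. The `if` statement continues past the end of the hunk.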