diff --git a/plugins/ssl/ssl-certificate-expiry b/plugins/ssl/ssl-certificate-expiry index 7c69face..f338a8f5 100755 --- a/plugins/ssl/ssl-certificate-expiry +++ b/plugins/ssl/ssl-certificate-expiry @@ -1,11 +1,12 @@ -#!/bin/sh +#!/bin/sh -u # -*- sh -*- +# shellcheck disable=SC2039 : << =cut =head1 NAME -ssl-certificate-expiry - Plugin to monitor CERTificate expiration on multiple services and ports +ssl-certificate-expiry - Plugin to monitor Certificate expiration on multiple services and ports =head1 CONFIGURATION @@ -29,13 +30,30 @@ For example: ssl-certificate-expiry_192.0.2.42_636 ssl-certificate-expiry_2001:0DB8::badc:0fee_485 -=head1 AUTHOR +=head2 Cron setup -Pactrick Domack (ssl_) -Olivier Mehani (ssl-certificate-expiry) +To avoid having to run the SSL checks during the munin-update, it is possible +to run it from cron, and save a cachefile to be read during the update, This is +particularly useful when checking a large number of certificates, or when some +of the hosts are slow. -Copyright (C) 2013 Patrick Domack -Copyright (C) 2017 Olivier Mehani +To do so, add a cron job running the plugin with cron as the argument: + + * * * /usr/sbin/munin-run/ssl-certificate-expiry cron + + should be the user that has write permission to the MUNIN_PLUGSTATE. + should be a number between 0 and 59 when the check should run every hour. + +If, for any reason, the cron script stops running, the script will revert to +uncached updates after the cache file is older than an hour. + +=head1 AUTHORS + + * Pactrick Domack (ssl_) + * Olivier Mehani (ssl-certificate-expiry) + + * Copyright (C) 2013 Patrick Domack + * Copyright (C) 2017, 2019 Olivier Mehani =head1 LICENSE 
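Review bot: The `-u` added to the shebang (`#!/bin/sh -u`) is only honoured when the plugin is executed directly; if it is started as `sh ssl-certificate-expiry`, the option is silently dropped and unset variables expand to empty strings again. Setting it in the body with `set -u`, placed after the POD block, makes it hold on every invocation path. Because the option also covers the sourced `plugin.sh`, which is not visible in this diff, it is worth confirming that library is nounset-clean, or placing `set -u` after the `.` line.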
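Review bot: The cron example in the new `Cron setup` section gives the command as `/usr/sbin/munin-run/ssl-certificate-expiry cron`, which treats `munin-run` as a directory. It presumably should read `/usr/sbin/munin-run ssl-certificate-expiry cron`, with the plugin name passed as an argument. The sentence before it also has a comma where a full stop is meant (`during the update, This is`). It would help to state that the cron user should be the same account the plugin runs as under munin-node, so that the cache lands in the state directory the plugin later reads; that is inferred from the use of MUNIN_PLUGSTATE and should be checked against the node configuration.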
@@ -44,11 +62,12 @@ Copyright (C) 2017 Olivier Mehani # shellcheck disable=SC1090 . "${MUNIN_LIBDIR}/plugins/plugin.sh" -if [ "${MUNIN_DEBUG}" = 1 ]; then +if [ "${MUNIN_DEBUG:-0}" = 1 ]; then set -x fi HOSTPORT=${0##*ssl-certificate-expiry_} +CACHEFILE="${MUNIN_PLUGSTATE}/$(basename "${0}").cache" if [ "${HOSTPORT}" != "${0}" ] \ && [ ! -z "${HOSTPORT}" ]; then 
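Review bot: The new `CACHEFILE` assignment does not guard against an empty `MUNIN_PLUGSTATE`: nounset only catches the unset case, so an empty value yields a cache path in `/`. The `cron` branch would then try to create and chmod a file there. An explicit guard fails early with a clear message: `CACHEFILE="${MUNIN_PLUGSTATE:?MUNIN_PLUGSTATE is not set}/$(basename "${0}").cache"`. The assignment also runs for every invocation, including `config`, so running the plugin by hand outside `munin-run` now aborts where it previously worked; a one-line comment saying the variable is required would document that.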
@@ -92,36 +111,50 @@ print_expire_days() { | parse_valid_days_from_certificate } +main() { + for service in $services; do + if echo "$service" | grep -q "_"; then + host=$(echo "$service" | cut -f 1 -d "_") + port=$(echo "$service" | cut -f 2 -d "_") + else + host=$service + port=443 + fi + fieldname="$(clean_fieldname "$service")" + valid_days=$(print_expire_days "$host" "$port") + [ -z "$valid_days" ] && valid_days="U" + printf "%s.value %s\\n" "$fieldname" "$valid_days" + echo "${fieldname}.extinfo Last checked: $(date)" + done +} -case $1 in +case ${1:-} in config) - echo "graph_title SSL Certificates Expiration" echo 'graph_args --base 1000' echo 'graph_vlabel days left' echo 'graph_category security' - echo "graph_info This graph shows the days left for the certificate" + echo "graph_info This graph shows the numbers of days before certificate expiry" for service in $services; do fieldname=$(clean_fieldname "$service") echo "${fieldname}.label $(echo "${service}" | sed 's/_/:/')" - print_thresholds "${fieldname}" + print_thresholds "${fieldname}" warning critical done + exit 0 + ;; + cron) + UPDATE="$(main)" + echo "${UPDATE}" > "${CACHEFILE}" + chmod 0644 "${CACHEFILE}" + exit 0 ;; esac +if [ -n "$(find "${CACHEFILE}" -mmin -60 2>/dev/null)" ]; then + cat "${CACHEFILE}" + exit 0 +fi -for service in $services; do - if echo "$service" | grep -q "_"; then - host=$(echo "$service" | cut -f 1 -d "_") - port=$(echo "$service" | cut -f 2 -d "_") - else - host=$service - port=443 - fi - fieldname="$(clean_fieldname "$service")" - valid_days=$(print_expire_days "$host" "$port") - [ -z "$valid_days" ] && valid_days="U" - printf "%s.value %s\n" "$fieldname" "$valid_days" -done +main
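Review bot: The `cron)` branch writes the cache in place with `echo "${UPDATE}" > "${CACHEFILE}"`, so the file is truncated before it is filled and the redirection follows whatever already exists at that path. A munin-update that hits the `find ... -mmin -60` check in that window serves an empty or partial cache. If the state directory is writable by another account, a pre-planted symlink would also redirect the write. Writing to a `mktemp` file in the same directory and renaming it over the cache closes both gaps, and `printf '%s\n'` avoids `echo` mangling the data. Separately, if `main` prints nothing, an empty cache is still stored and served for up to an hour, so skipping the rename when `UPDATE` is empty is worth considering. `services` and `print_expire_days` are defined outside this hunk.

```shell
    cron)
	UPDATE="$(main)"
	# Build the new cache beside the old one and rename it into place, so a
	# concurrent munin-update never reads a truncated file and the write
	# never follows a pre-existing path.
	TMPFILE="$(mktemp "${CACHEFILE}.XXXXXX")" || exit 1
	if printf '%s\n' "${UPDATE}" > "${TMPFILE}" \
	    && chmod 0644 "${TMPFILE}" \
	    && mv -f "${TMPFILE}" "${CACHEFILE}"; then
	    exit 0
	fi
	rm -f "${TMPFILE}"
	exit 1
	# … unchanged: closing ;; and esac, cache-age check, final main call …
```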