Merge pull request #994 from shtrom/ssl-certificate-expiry_cache

[ssl-certificate-expiry] Add asynchronous update via cron

plugins/ssl/ssl-certificate-expiry

@@ -1,11 +1,12 @@
-#!/bin/sh
+#!/bin/sh -u
 # -*- sh -*-
+# shellcheck disable=SC2039
 
 : << =cut
 
 =head1 NAME
 
-ssl-certificate-expiry - Plugin to monitor CERTificate expiration on multiple services and ports
+ssl-certificate-expiry - Plugin to monitor Certificate expiration on multiple services and ports
 
 =head1 CONFIGURATION
 
@@ -29,13 +30,30 @@ For example:
   ssl-certificate-expiry_192.0.2.42_636
   ssl-certificate-expiry_2001:0DB8::badc:0fee_485
 
-=head1 AUTHOR
+=head2 Cron setup
 
-Pactrick Domack (ssl_)
-Olivier Mehani (ssl-certificate-expiry)
+To avoid having to run the SSL checks during the munin-update, it is possible
+to run it from cron, and save a cachefile to be read during the update, This is
+particularly useful when checking a large number of certificates, or when some
+of the hosts are slow.
 
-Copyright (C) 2013 Patrick Domack <patrickdk@patrickdk.com>
-Copyright (C) 2017 Olivier Mehani <shtrom+munin@ssji.net>
+To do so, add a cron job running the plugin with cron as the argument:
+
+  <minute> * * * <user> /usr/sbin/munin-run/ssl-certificate-expiry cron
+
+<user> should be the user that has write permission to the MUNIN_PLUGSTATE.
+<minute> should be a number between 0 and 59 when the check should run every hour.
+
+If, for any reason, the cron script stops running, the script will revert to
+uncached updates after the cache file is older than an hour.
+
+=head1 AUTHORS
+
+ * Pactrick Domack (ssl_)
+ * Olivier Mehani (ssl-certificate-expiry)
+
+ * Copyright (C) 2013 Patrick Domack <patrickdk@patrickdk.com>
+ * Copyright (C) 2017, 2019 Olivier Mehani <shtrom+munin@ssji.net>
 
 =head1 LICENSE
 
@@ -44,11 +62,12 @@ Copyright (C) 2017 Olivier Mehani <shtrom+munin@ssji.net>
 # shellcheck disable=SC1090
 . "${MUNIN_LIBDIR}/plugins/plugin.sh"
 
-if [ "${MUNIN_DEBUG}" = 1 ]; then
+if [ "${MUNIN_DEBUG:-0}" = 1 ]; then
     set -x
 fi
 
 HOSTPORT=${0##*ssl-certificate-expiry_}
+CACHEFILE="${MUNIN_PLUGSTATE}/$(basename "${0}").cache"
 
 if [ "${HOSTPORT}" != "${0}" ] \
 	&& [ ! -z "${HOSTPORT}" ]; then
@@ -92,36 +111,50 @@ print_expire_days() {
         | parse_valid_days_from_certificate
 }
 
+main() {
+    for service in $services; do
+	if echo "$service" | grep -q "_"; then
+	    host=$(echo "$service" | cut -f 1 -d "_")
+	    port=$(echo "$service" | cut -f 2 -d "_")
+	else
+	    host=$service
+	    port=443
+	fi
+	fieldname="$(clean_fieldname "$service")"
+	valid_days=$(print_expire_days "$host" "$port")
+	[ -z "$valid_days" ] && valid_days="U"
+	printf "%s.value %s\\n" "$fieldname" "$valid_days"
+        echo "${fieldname}.extinfo Last checked: $(date)"
+    done
+}
 
-case $1 in
+case ${1:-} in
     config)
-
 	echo "graph_title SSL Certificates Expiration"
 	echo 'graph_args --base 1000'
 	echo 'graph_vlabel days left'
 	echo 'graph_category security'
-	echo "graph_info This graph shows the days left for the certificate"
+	echo "graph_info This graph shows the numbers of days before certificate expiry"
 	for service in $services; do
 	    fieldname=$(clean_fieldname "$service")
 	    echo "${fieldname}.label $(echo "${service}" | sed 's/_/:/')"
-	    print_thresholds "${fieldname}"
+	    print_thresholds "${fieldname}" warning critical
 	done
 
+	exit 0
+	;;
+    cron)
+	UPDATE="$(main)"
+	echo "${UPDATE}" > "${CACHEFILE}"
+	chmod 0644 "${CACHEFILE}"
+
 	exit 0
 	;;
 esac
 
+if [ -n "$(find "${CACHEFILE}" -mmin -60 2>/dev/null)" ]; then
+	cat "${CACHEFILE}"
+	exit 0
+fi
 
-for service in $services; do
-    if echo "$service" | grep -q "_"; then
-        host=$(echo "$service" | cut -f 1 -d "_")
-        port=$(echo "$service" | cut -f 2 -d "_")
-    else
-        host=$service
-        port=443
-    fi
-    fieldname="$(clean_fieldname "$service")"
-    valid_days=$(print_expire_days "$host" "$port")
-    [ -z "$valid_days" ] && valid_days="U"
-    printf "%s.value %s\n" "$fieldname" "$valid_days"
-done
+main