Mirrors/Munin-Contrib
1
0
Fork 0
mirror of https://github.com/munin-monitoring/contrib.git synced 2025-07-21 18:41:03 +00:00
Code Issues Releases Wiki Activity

[ssl-certificate-expiry] add env.skip_cert_hashes to skip certificates

Browse source 
This fix allows to skip validity checks on any intermediate certificate
which subject hash appears in the list.

Let's Encrypt certificates are cross-signed by both DST Root CA X3 and
ISRG Root X1. DST Root CA X3 has expired on 2021-09-30 [0], which causes
the plugin to incorrectly report some full-chain LE certificates as
expired.

[0] https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Signed-off-by: Olivier Mehani <shtrom@ssji.net>
This commit is contained in:
Olivier Mehani 2022-01-01 05:26:58 +11:00 committed by GitHub
parent 02451d8f6e
commit 94066132ce
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 14 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

17
plugins/ssl/ssl-certificate-expiry
View file

@ -1,6 +1,6 @@
#!/bin/sh -u #!/bin/sh -u
# -*- sh -*- # -*- sh -*-
# shellcheck disable=SC2039 # shellcheck shell=dash
: << =cut : << =cut
@ -25,6 +25,7 @@ To set warning and critical levels do like this:
env.warning 30: env.warning 30:
env.proxy PROXYHOST:PORT # optional, enables openssl operation over proxy env.proxy PROXYHOST:PORT # optional, enables openssl operation over proxy
env.checkname yes # optional, checks if used servername is covered by certificate env.checkname yes # optional, checks if used servername is covered by certificate
env.skip_cert_hashes 2e5ac55d # optional, skip check of certs with those hashes (2e5ac55d is DST Root CA X3, cross-signing Let's Encrypt certs, but expiring on 2021-09-30)
Alternatively, if you want to monitor hosts separately, you can create multiple symlinks named as follows. Alternatively, if you want to monitor hosts separately, you can create multiple symlinks named as follows.
@ -58,19 +59,19 @@ uncached updates after the cache file is older than an hour.
=head1 AUTHORS =head1 AUTHORS
* Pactrick Domack (ssl_) * Pactrick Domack (ssl_)
* Olivier Mehani (ssl-certificate-expiry) * Olivier Mehani (ssl-certificate-expiry, skip_cert_hashes)
* Martin Schobert (check for intermediate certs) * Martin Schobert (check for intermediate certs)
* Arndt Kritzner (hostname verification and proxy usage) * Arndt Kritzner (hostname verification and proxy usage)
* Copyright (C) 2013 Patrick Domack <patrickdk@patrickdk.com> * Copyright (C) 2013 Patrick Domack <patrickdk@patrickdk.com>
* Copyright (C) 2017, 2019 Olivier Mehani <shtrom+munin@ssji.net> * Copyright (C) 2017, 2019, 2021 Olivier Mehani <shtrom+munin@ssji.net>
* Copyright (C) 2020 Martin Schobert <martin@schobert.cc> * Copyright (C) 2020 Martin Schobert <martin@schobert.cc>
=head1 LICENSE =head1 LICENSE
=cut =cut
# shellcheck disable=SC1090 # shellcheck disable=SC1091
. "${MUNIN_LIBDIR}/plugins/plugin.sh" . "${MUNIN_LIBDIR}/plugins/plugin.sh"
if [ "${MUNIN_DEBUG:-0}" = 1 ]; then if [ "${MUNIN_DEBUG:-0}" = 1 ]; then
@ -97,7 +98,13 @@ parse_valid_days_from_certificate() {
input_data=$(cat) input_data=$(cat)
if echo "$input_data" | grep -q -- "-----BEGIN CERTIFICATE-----"; then if echo "$input_data" | grep -q -- "-----BEGIN CERTIFICATE-----"; then
valid_until_string=$(echo "$input_data" | openssl x509 -noout -enddate \ cert_data=$(echo "$input_data" | openssl x509 -noout -subject_hash -enddate)
# Skip certificate if its hash is in env.skip_cert_hashes
hash="$(echo "${cert_data}" | head -n 1)"
echo "${skip_cert_hashes:-}" | grep -iqwF "${hash}" && return
valid_until_string=$(echo "$cert_data" \
| grep "^notAfter=" | cut -f 2 -d "=") | grep "^notAfter=" | cut -f 2 -d "=")
if [ -n "$valid_until_string" ]; then if [ -n "$valid_until_string" ]; then
# FreeBSD requires special arguments for "date" # FreeBSD requires special arguments for "date"