Mirrors/Munin-Contrib
1
0
Fork 0
mirror of https://github.com/munin-monitoring/contrib.git synced 2025-07-22 02:51:03 +00:00
Code Issues Releases Wiki Activity

ssl-certificate-expiry: Feature added: checking intermediate certs as well (#1088)

Browse source
This commit is contained in:
Martin Schobert 2020-09-06 22:19:12 +02:00 committed by GitHub
parent 81bdedaf42
commit bba98f95b3
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 30 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

30
plugins/ssl/ssl-certificate-expiry
View file

@ -57,9 +57,11 @@ uncached updates after the cache file is older than an hour.
* Pactrick Domack (ssl_) * Pactrick Domack (ssl_)
* Olivier Mehani (ssl-certificate-expiry) * Olivier Mehani (ssl-certificate-expiry)
* Martin Schobert (check for intermediate certs)
* Copyright (C) 2013 Patrick Domack <patrickdk@patrickdk.com> * Copyright (C) 2013 Patrick Domack <patrickdk@patrickdk.com>
* Copyright (C) 2017, 2019 Olivier Mehani <shtrom+munin@ssji.net> * Copyright (C) 2017, 2019 Olivier Mehani <shtrom+munin@ssji.net>
* Copyright (C) 2020 Martin Schobert <martin@schobert.cc>
=head1 LICENSE =head1 LICENSE
@ -90,6 +92,7 @@ parse_valid_days_from_certificate() {
local now_epoch local now_epoch
local input_data local input_data
input_data=$(cat) input_data=$(cat)
if echo "$input_data" | grep -q -- "-----BEGIN CERTIFICATE-----"; then if echo "$input_data" | grep -q -- "-----BEGIN CERTIFICATE-----"; then
valid_until_string=$(echo "$input_data" | openssl x509 -noout -enddate \ valid_until_string=$(echo "$input_data" | openssl x509 -noout -enddate \
| grep "^notAfter=" | cut -f 2 -d "=") | grep "^notAfter=" | cut -f 2 -d "=")
@ -122,11 +125,34 @@ print_expire_days() {
local s_client_args= local s_client_args=
[ -n "$starttls" ] && s_client_args="-starttls $starttls" [ -n "$starttls" ] && s_client_args="-starttls $starttls"
# We extract and check the server certificate,
# but the end date also depends on intermediate certs. Therefore
# we want to check intermediate certs as well.
#
# The following cryptic lines do:
# - invoke openssl and connect to a port
# - print certs, not only the server cert
# - extract each certificate as a single line
# - pipe each cert to the parse_valid_days_from_certificate
# function, which basically is 'openssl x509 -enddate'
# - get a list of the parse_valid_days_from_certificate
# results and sort them
# shellcheck disable=SC2086 # shellcheck disable=SC2086
echo "" | openssl s_client \ echo "" | openssl s_client \
-servername "$host" -connect "${host}:${port}" \ -servername "$host" -connect "${host}:${port}" \
$s_client_args 2>/dev/null \ -showcerts \
| parse_valid_days_from_certificate $s_client_args 2>/dev/null | \
awk '{
if ($0 == "-----BEGIN CERTIFICATE-----") cert=""
else if ($0 == "-----END CERTIFICATE-----") print cert
else cert=cert$0
}' | \
while read -r CERT; do
(printf '\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$CERT") | \
parse_valid_days_from_certificate
done | sort -n | head -n 1
} }
main() { main() {