mirror of
https://github.com/munin-monitoring/contrib.git
synced 2025-07-21 18:41:03 +00:00
76170d2745
logarithmic was removed in d885a314ad
but still has it's benefits for openvpn CA and CRL certs. when enabling
logarithmic we keep the SI units now instead of rrdtools default
scientific notation.
94 lines
3 KiB
Bash
Executable file
94 lines
3 KiB
Bash
Executable file
#!/bin/sh
|
|
: << =cut
|
|
=head1 NAME
|
|
|
|
certificate_file_expiry - check the certificate validity of your certificates
|
|
|
|
= head1 CONFIGURATION
|
|
|
|
Installing: Add list of your certificates prefixed by the type in munin plugin-conf.d
|
|
|
|
For openvpn ca.crt and crl.pem
|
|
|
|
[certificate_file_expiry]
|
|
user root
|
|
env.CERTS crl:/etc/openvpn/easy-rsa/keys/crl.pem x509:/etc/openvpn/easy-rsa/keys/ca.crt
|
|
env.LOGARITHMIC yes
|
|
|
|
For letsencrypt certificates
|
|
|
|
[certificate_file_expiry]
|
|
user root
|
|
env.CERTS x509:/etc/letsencrypt/live/*/cert.pem
|
|
|
|
Warning and Critical levels can also be configured with env variables like this:
|
|
|
|
[certificate_file_expiry]
|
|
...
|
|
# warn when certificate will be invalid within 5 days
|
|
env.warning 5:
|
|
# for this certificate warn us 10 days before because it takes longer to renew
|
|
env._etc_letsencrypt_live_example_com_cert_pem_warning 10:
|
|
# critical when certificate will be invalid within 1 day
|
|
env.critical 1:
|
|
|
|
env.CERTS should be a space separated list of patterns prefixed by the type of certificate to check and a colon. All types of
|
|
certificates that openssl supports as standard commands and have a validity output are supported (e.g. x509, crl).
|
|
File patterns can be a single file (e.g. /etc/openvpn/easy-rsa/keys/crl.pem) or a pattern that matches multiple files
|
|
(e.g. /etc/letsencrypt/live/*/cert.pem).
|
|
|
|
env.warning and env.critical are configurable values for the warning and critical levels according to
|
|
http://guide.munin-monitoring.org/en/latest/tutorial/alert.html?highlight=warning#syntax-of-warning-and-critical
|
|
|
|
env.LOGARITHMIC "yes" enables the logarithmic display of values which is useful if some of your certs are relatively
|
|
long lived in respect to the warning level. e.g. a ca.crt that is valid for 10 years together with a crl.pem that is
|
|
valid for only a few months combined with warning levels of 5 days. default is "yes" to disable set it to "no".
|
|
|
|
=head1 Dependencies
|
|
|
|
Dependencies: openssl
|
|
|
|
=head1 AUTHOR
|
|
|
|
andreas perhab - andreas.perhab@wt-io-it.at (https://www.wt-io-it.at/)
|
|
|
|
=head1 LICENSE
|
|
|
|
GPLv2
|
|
|
|
=cut
|
|
|
|
. "$MUNIN_LIBDIR/plugins/plugin.sh"
|
|
|
|
LOGARITHMIC=${LOGARITHMIC:-yes}
|
|
|
|
if [ "$1" = "config" ] ; then
|
|
echo "graph_title Certificate validity"
|
|
if [ "$LOGARITHMIC" = "yes" ] ; then
|
|
graph_args="--logarithmic --units=si"
|
|
fi
|
|
echo "graph_args --base 1000 $graph_args"
|
|
echo "graph_vlabel days"
|
|
echo "graph_category security"
|
|
fi
|
|
|
|
now=$(date +%s)
|
|
for cert in ${CERTS}; do
|
|
cert_type=${cert%:*}
|
|
cert_pattern=${cert#*:}
|
|
for cert_file in $cert_pattern; do
|
|
cert_name=$(clean_fieldname "$cert_file")
|
|
if [ "$1" = "config" ] ; then
|
|
echo "${cert_name}.label ${cert_file}"
|
|
print_warning "$cert_name"
|
|
print_critical "$cert_name"
|
|
elif [ "$1" = "" ] ; then
|
|
validity=$(/usr/bin/openssl "$cert_type" -text -noout -in "$cert_file" | grep -E '(Next Update|Not After)')
|
|
validity=${validity#*:}
|
|
validity=$(date --date="$validity" +%s)
|
|
validity=$((validity - now))
|
|
validity=$(echo "$validity" | awk '{ print ($1 / 86400) }')
|
|
echo "${cert_name}.value $validity"
|
|
fi
|
|
done
|
|
done
|