mirror of
https://github.com/munin-monitoring/contrib.git
synced 2025-07-21 18:41:03 +00:00
d885a314ad
Scale values were "4e+01, 5e+01, ...". Using linear scale and "48, 50, 52, ..." is much more readable. Also use shorter vlabel, old one is too long.
84 lines
2.4 KiB
Bash
Executable file
84 lines
2.4 KiB
Bash
Executable file
#!/bin/sh
|
|
: << =cut
|
|
=head1 NAME
|
|
|
|
certificate_file_expiry - check the certificate validity of your certificates
|
|
|
|
= head1 CONFIGURATION
|
|
|
|
Installing: Add list of your certificates prefixed by the type in munin plugin-conf.d
|
|
|
|
For openvpn ca.crt and crl.pem
|
|
|
|
[certificate_file_expiry]
|
|
user root
|
|
env.CERTS crl:/etc/openvpn/easy-rsa/keys/crl.pem x509:/etc/openvpn/easy-rsa/keys/ca.crt
|
|
|
|
For letsencrypt certificates
|
|
|
|
[certificate_file_expiry]
|
|
user root
|
|
env.CERTS x509:/etc/letsencrypt/live/*/cert.pem
|
|
|
|
Warning and Critical levels can also be configured with env variables like this:
|
|
|
|
[certificate_file_expiry]
|
|
...
|
|
# warn when certificate will be invalid within 5 days
|
|
env.warning 5:
|
|
# critical when certificate will be invalid within 1 day
|
|
env.critical 1:
|
|
|
|
env.CERTS should be a space separated list of patterns prefixed by the type of certificate to check and a colon. All types of
|
|
certificates that openssl supports as standard commands and have a validity output are supported (e.g. x509, crl).
|
|
File patterns can be a single file (e.g. /etc/openvpn/easy-rsa/keys/crl.pem) or a pattern that matches multiple files
|
|
(e.g. /etc/letsencrypt/live/*/cert.pem).
|
|
|
|
env.warning and env.critical are configurable values for the warning and critical levels according to
|
|
http://munin-monitoring.org/wiki/fieldname.warning and http://munin-monitoring.org/wiki/fieldname.critical
|
|
|
|
=head1 Dependencies
|
|
|
|
Dependencies: openssl
|
|
|
|
=head1 AUTHOR
|
|
|
|
andreas perhab - andreas.perhab@wt-io-it.at (https://www.wt-io-it.at/)
|
|
|
|
=head1 LICENSE
|
|
|
|
GPLv2
|
|
|
|
=cut
|
|
|
|
. "$MUNIN_LIBDIR/plugins/plugin.sh"
|
|
|
|
if [ "$1" = "config" ] ; then
|
|
echo "graph_title Certificate validity"
|
|
echo "graph_args --base 1000"
|
|
echo "graph_vlabel days"
|
|
echo "graph_category security"
|
|
fi
|
|
|
|
now=$(date +%s)
|
|
warning=${warning:-5:}
|
|
critical=${critical:-1:}
|
|
for cert in ${CERTS}; do
|
|
cert_type=${cert%:*}
|
|
cert_pattern=${cert#*:}
|
|
for cert_file in $cert_pattern; do
|
|
cert_name=$(clean_fieldname "$cert_file")
|
|
if [ "$1" = "config" ] ; then
|
|
echo "${cert_name}.label ${cert_file}"
|
|
print_warning "$cert_name"
|
|
print_critical "$cert_name"
|
|
elif [ "$1" = "" ] ; then
|
|
validity=$(/usr/bin/openssl "$cert_type" -text -noout -in "$cert_file" | grep -E '(Next Update|Not After)')
|
|
validity=${validity#*:}
|
|
validity=$(date --date="$validity" +%s)
|
|
validity=$((validity - now))
|
|
validity=$(echo "$validity" | awk '{ print ($1 / 86400) }')
|
|
echo "${cert_name}.value $validity"
|
|
fi
|
|
done
|
|
done
|