--- /dev/null
+#!/usr/bin/perl -w
+#
+# check_ssl_certificate
+# Nagios script to check ssl certificate expirations
+#
+# Copyright (c) 2006-2008 David Alden <alden@math.ohio-state.edu>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+#
+# Changes:
+# 10/30/2008 dja <alden@math.ohio-state.edu>
+# - fixed a bug which caused it to not deal with certs that expire
+# on a single digit day (thanks to Christian Sava, Kyle Smith &
+# Raphael Berlamont)
+#
+# 10/09/2007 dja <alden@math.ohio-state.edu>
+# - fixed a bug which caused it to improperly report expired certs
+# (thanks to Hassan Alusesi for pointing this out)
+# - no longer use temporary files or Date::Manip
+# (thanks to tommybobbins on NagiosExchange)
+# - added the printing of the Common Name (CN) if verbose is specified
+# (thanks to mp72 on NagiosExchange)
+#
+#
+# Description:
+# This script will check if an SSL certificate is going to expire. For
+# example, to check the IMAP certificate on an imaps port:
+#
+# check_ssl_certificate -H 1.1.1.1 -p 993
+#
+#
+# Installation:
+# Edit this script, replacing the line:
+# use lib "/usr/lib/nagios/plugins";
+# with the path to your nagios plugins directory (where utils.pm is
+# located). Also edit the line:
+# my $openssl = "/usr/bin/openssl";
+# with the path to your openssl binary. Then copy the script into
+# your nagios plugins directory.
+#
+#
+use strict;
+use Time::Local;
+use Getopt::Long;
+use lib "/usr/lib64/nagios/plugins";
+use utils qw(%ERRORS &print_revision &support &usage);
+
+my $PROGNAME="check_ssl_certificates";
+my $REVISION="1.2";
+
+#
+$ENV{PATH}="/usr/sbin:/usr/bin:/bin";
+
+#
+my $openssl = "/usr/bin/openssl";
+
+my $critical = 7;
+my $help;
+my $host;
+my $port = 443;
+my $additional = '';
+my $verbose;
+my $version;
+my $warning = 30;
+
+#
+my %months = ('Jan' => 0, 'Feb' => 1, 'Mar' => 2, 'Apr' => 3, 'May' => 4,
+ 'Jun' => 5, 'Jul' => 6, 'Aug' => 7, 'Sep' => 8, 'Oct' => 9,
+ 'Nov' => 10, 'Dec' => 11);
+
+#
+Getopt::Long::Configure('bundling');
+if (GetOptions(
+ "a=s" => \$additional,
+ "c:s" => \$critical,
+ "h" => \$help,
+ "H:s" => \$host,
+ "o=s" => \$openssl,
+ "p=i" => \$port,
+ "v" => \$verbose,
+ "V" => \$version,
+ "w:s" => \$warning,
+ ) == 0) {
+
+ print_usage();
+ exit $ERRORS{'UNKNOWN'}
+}
+
+if ($version) {
+ print_revision($PROGNAME, "\$Revision: $REVISION \$");
+ exit $ERRORS{'OK'};
+}
+
+if ($help) {
+ print_help();
+ exit $ERRORS{'OK'};
+}
+
+if (! utils::is_hostname($host)) {
+ usage("");
+ exit $ERRORS{'UNKNOWN'};
+}
+
+open(OPENSSL, "$openssl s_client -connect $host:$port $additional < /dev/null 2>&1 | $openssl x509 -enddate -noout |") ||
+ die "unable to open $openssl: $!";
+
+my $date;
+while (<OPENSSL>) {
+ if ($_ =~ /^notAfter=(.*)/) {
+ $date = $1;
+ chomp($date);
+# last;
+ }
+}
+close(OPENSSL);
+
+$date =~ s/ +/ /g;
+
+my ($month, $day, $hour, $min, $sec, $year, $tz) = split(/[\s+|:]/, $date);
+print "m=$month, d=$day, h=$hour, m=$min, s=$sec, y=$year, z=$tz\n";
+
+my $daysLeft = int((timegm($sec, $min, $hour, $day, $months{$month}, $year - 1900) - time()) / 86400);
+
+my $cn="this certificate";
+if ($verbose) {
+
+ open(OPENSSL, "$openssl s_client -connect $host:$port $additional < /dev/null 2>&1 |") ||
+ die "unable to open $openssl: $!";
+
+ while (<OPENSSL>) {
+ next unless $_ =~ /Certificate chain/;
+
+ while (<OPENSSL>) {
+ next unless $_ =~ /CN=(.*)/;
+ ($cn) = split(/\//, $1);
+ $cn .= "[$host]" if ($cn ne $host);
+ last;
+ }
+ }
+}
+
+if ($daysLeft < 0) {
+ print "$PROGNAME: CRITICAL - $cn expired " . abs($daysLeft) . " day(s) ago.\n";
+} elsif ($daysLeft <= $critical) {
+ print "$PROGNAME: CRITICAL - only $daysLeft day(s) left for $cn.\n";
+ exit $ERRORS{'CRITICAL'};
+} elsif ($daysLeft <= $warning) {
+ print "$PROGNAME: WARNING - only $daysLeft day(s) left for $cn.\n";
+ exit $ERRORS{'WARNING'};
+} elsif ($verbose) {
+ print "$PROGNAME: $daysLeft day(s) left for $cn.\n";
+}
+
+exit $ERRORS{'OK'};
+
+sub print_help {
+ print_revision($PROGNAME, "\$Revision: $REVISION \$");
+ print "Copyright (c) 2006 David Alden
+
+Check if an SSL certificate is close to expiring
+
+";
+
+ print_usage();
+
+ print "
+-a <add> add the text to the openssl line, used for checking the smtp ssl
+ certificate with starttls (\"-a '-starttls smtp'\")
+-c <num> exit with CRITICAL status if number of days left is less than <num>
+-h show this help script
+-H <host> check the certificate on the indicated host
+-o <path> path to openssl binary
+-p <port> check the certificate on the specified port
+-w <num> exit with WARNING status if number of days left is less than <num>
+-v show the number of days left
+-V show version and license information
+";
+
+ support();
+}
+
+
+sub print_usage {
+ print "Usage: $PROGNAME -H <host> [-p <port>] [-c <low>:<high>] [-w <low>:<high>]\n";
+ return();
+}
projects / infodrom / icinga-plugins / commitdiff