-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathcert_expire
executable file
·66 lines (55 loc) · 2.81 KB
/
cert_expire
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
#!/usr/bin/env ksh93
# Thomas Merkel <tm@core.io>
# This script provides the option to check all installed certificates on an operating system
# with munin. It's build to run on SmartOS zones and somehow also build for Let's Encrypt.
# PATH to have gnutools installed
PATH=/opt/local/bin:${PATH}
# Default location to look for certificates (*.pem, *.crt)
crt_locations=${crt_locations-'/opt/local/etc'}
# Ignore some system CAs and special files which are no certificate files
crt_ignores="mozilla-rootcert-.* privkey.* .*-certbot.pem fullchain.pem chain.pem dh.pem ca-certificates.crt"
# Ignore Let's Encrypt archive folder because we only check live files
crt_locations_ignores="/opt/local/etc/letsencrypt/archive"
# Now
today_unixtime=$(printf "%(%s)T")
# Munin config output
if [[ "${1}" == "config" ]]; then
echo 'graph_title TLS certificate Expire'
echo 'graph_category security'
echo 'graph_vlabel days left'
echo 'graph_info This graph show the days left for the certificates installed on the system'
echo 'graph_period hour'
echo 'update_rate 43200'
fi
# Lookup
for location in ${crt_locations}; do
[ ! -d "${location}" ] && continue
crts=$(find -L ${location} -type f -iname "*.pem" -o -iname "*.crt")
# Loop through all *.pem and *.crt files
for crt in ${crts}; do
# Ignore certs and ignore locations
for crt_ignore in ${crt_ignores}; do
[[ $(basename ${crt}) =~ ${crt_ignore} ]] && continue 2
done
for crt_locations_ignore in ${crt_locations_ignores}; do
[[ $(dirname ${crt}) =~ ${crt_locations_ignore} ]] && continue 2
done
# OpenSSL receive information from certificate file
x509=$(openssl x509 -in ${crt} -noout -nameopt RFC2253 -subject -enddate -hash)
# Parse certificate to receive CommonName
x509_subject=$(echo ${x509} | gsed 's/.*CN=\([^\ |,]*\).*/\1/')
# Receive expire unixtime
expire_unixtime=$(printf "%(%s)T" "$(echo ${x509} | gsed -n 's/.*notAfter=\([^,]*\)\ .*/\1/p')")
# Require minimal hash for munin output for all values
x509_hash=$(echo ${x509} | awk -F' ' '{ print $NF }')
# Additional config output for Munin
if [[ "${1}" == "config" ]]; then
echo "${x509_hash}.label ${x509_subject}"
echo "${x509_hash}.info ${crt}"
echo "${x509_hash}.critical 7:"
echo "${x509_hash}.warning 10:"
fi
# Munin value output with expire in days
echo ${x509_hash}.value $(( (expire_unixtime - today_unixtime) / 86400 ))
done
done