From fc55f1aa710528a0620a3d474f7e609ef56dc24d Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Wed, 7 Mar 2012 15:25:44 +0100
Subject: [PATCH] Add dsa-check-crl-expire
---
dsa-nagios-checks/checks/dsa-check-crl-expire | 76 +++++++++++++++++++
dsa-nagios-checks/debian/changelog | 3 +-
2 files changed, 78 insertions(+), 1 deletion(-)
create mode 100755 dsa-nagios-checks/checks/dsa-check-crl-expire
diff --git a/dsa-nagios-checks/checks/dsa-check-crl-expire b/dsa-nagios-checks/checks/dsa-check-crl-expire
new file mode 100755
index 0000000..d6e0ac5
--- /dev/null
+++ b/dsa-nagios-checks/checks/dsa-check-crl-expire
@@ -0,0 +1,76 @@
+#!/bin/bash
+
+# Checks if a given cert on disk will expire soon
+
+# Copyright 2009, 2012 Peter Palfrader
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and associated documentation files (the
+# "Software"), to deal in the Software without restriction, including
+# without limitation the rights to use, copy, modify, merge, publish,
+# distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so, subject to
+# the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+set -u
+set -e
+
+# warn if expires within 2 weeks, critical if within a day or already is expired
+warn=1209600
+crit=86400
+
+while [ "$#" -ge 2 ]; do
+ case "$1" in
+ -c)
+ shift
+ crit="$1"
+ ;;
+ -w)
+ shift
+ warn="$1"
+ ;;
+ *)
+ break
+ ;;
+ esac
+ shift
+done
+
+if [ "$#" != 1 ]; then
+ echo "Usage: $0 [-w ] [-c ] " >&2
+ exit 3
+fi
+
+crl="$1"
+
+if ! [ -r "$crl" ] ; then
+ echo "CRL file ($crl) does not exist or is not readable" >&2
+ exit 3
+fi
+
+expires="$(openssl crl -nextupdate -noout < "$crl" | cut -d = -f 2)"
+expsec="$(date -d "$expires" +%s)"
+now="$(date +%s)"
+delta="$(( $expsec - $now ))"
+
+if [ "$delta" -gt "$warn" ] ; then
+ echo "OK: next update expected $expires"
+ exit 0
+fi
+if [ "$delta" -gt "$crit" ] ; then
+ echo "WARN: next update expected $expires"
+ exit 1
+fi
+echo "CRITICAL: next update expected $expires"
+exit 2
diff --git a/dsa-nagios-checks/debian/changelog b/dsa-nagios-checks/debian/changelog
index 979d6a2..e061f36 100644
--- a/dsa-nagios-checks/debian/changelog
+++ b/dsa-nagios-checks/debian/changelog
@@ -7,8 +7,9 @@ dsa-nagios-checks (9X) Xnstable; urgency=low [ Peter Palfrader ] * dsa-check-msa-eventlog: Add --verbose switch to show info level event log entries. + * add dsa-check-crl-expire. - -- Peter Palfrader Wed, 29 Feb 2012 15:49:53 +0100 + -- Peter Palfrader Wed, 07 Mar 2012 15:25:29 +0100 dsa-nagios-checks (92.1) unstable; urgency=low -- 2.20.1
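Review bot: A failure to read or parse nextUpdate ends up in the wrong Nagios state at the `expires=` and `expsec=` lines. `pipefail` is not set, so an `openssl crl` error (a damaged or non-PEM file) is hidden behind `cut`'s status and leaves `expires` empty, and when `date -d` rejects a value `set -e` exits with date's own status, typically 1, which this script uses for WARN. A CRL that cannot be evaluated should report UNKNOWN: add `[ -n "$expires" ] || { echo "UNKNOWN: no nextUpdate read from $crl"; exit 3; }` after the openssl line and write the conversion as `expsec="$(date -d "$expires" +%s)" || { echo "UNKNOWN: cannot parse nextUpdate '$expires'"; exit 3; }`. The header comment still says "cert"; `# Checks if a given CRL on disk is due for its next update soon` would match what the script does.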