check_ssl_cert.sh - Issue 29792596: #3298 - SSL monitoring script for icinga

Delta Between Two Patch Sets: check_ssl_cert.sh

Issue 29792596: #3298 - SSL monitoring script for icinga (Closed)

Left Patch Set: #3298 - SSL monitoring script for icinga Created May 29, 2018, 1:30 p.m.

Right Patch Set: #3298 - SSL monitoring script for icinga Created July 4, 2018, 2:33 p.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

Left: Side by side diff | Download
Right: Side by side diff | Download

LEFT	RIGHT
1 #!/bin/sh	1 #!/bin/sh

2	2

3 # Icinga plugin that checks how many days are left until SSL certificate expires	3 # Icinga plugin that checks how many days are left

4 # Usage: <PluginDir>/check_ssl_cert -H <HOSTNAME> -P <PORT> -c <CRITICAL> -w <WA RNING>	4 # until SSL certificate expires.

	5 # Usage:

	6 # $PLUGIN_DIR/check_ssl_cert.sh -H $HOST -P $PORT -c $CRITICAL -w $WARNING

5	7

6 PATH="/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"	8 get_ssl_expiry_date() {

7 export PATH	9 openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \

8 PROGNAME=`basename $0`	10 \| openssl x509 -noout -enddate 2>/dev/null
mathias 2018/05/30 08:12:00 What if $0 contains white-space characters? What if $0 contains white-space characters?
9 PROGPATH=`echo $0 \| sed -e 's,[\\/][^\\/][^\\/]*$,,'`	11 }
mathias 2018/05/30 08:12:00 Isn't there a regular POSIX or Linux command for t Isn't there a regular POSIX or Linux command for that? It should not require a regular expression in the script just to get the directory name.
10

11 #. $PROGPATH/utils.sh
mathias 2018/05/30 08:12:00 Please avoid "commented-out" lines that do no serv Please avoid "commented-out" lines that do no serve a purpose, e.g. in documentation.
12	12

13 CURRENT_DATE=`date +%y%m%d`	13 CURRENT_DATE=`date +%y%m%d`

14 HOST=$2	14 HOST="$2"

15 PORT=$4	15 PORT="$4"

16 CRITICAL=$6	16 CRITICAL="$6"

17 WARNING=$8	17 WARNING="$8"
mathias 2018/05/30 08:12:00 What if any of $2, $4, $6, $8 contain white-space What if any of $2, $4, $6, $8 contain white-space characters?
	18 STATE_OK=0

	19 STATE_WARNING=1

	20 STATE_CRITICAL=2

	21 STATE_UNKNOWN=3

	22 OUTPUT=`get_ssl_expiry_date "$HOST" "$PORT"`

18	23

19 DAY=`echo \| openssl s_client -connect "$HOST":$PORT 2>/dev/null \| openssl x509 - noout -enddate 2>/dev/null \| awk '{print $2}'`	24 if [ -z "$OUTPUT" ]
mathias 2018/05/30 08:12:00 There should be a better way to send non-input to There should be a better way to send non-input to the `openssl` command other than pipe-lining an `echo`. You could use input redirection from /dev/null, for example. See https://www.tutorialspoint.com/unix/unix-io-redirections.htm for an introduction.
20

21 if [ ! $DAY ]
mathias 2018/05/30 08:11:59 Since you `-connect` to `$HOST:$PORT` multiple tim Since you `-connect` to `$HOST:$PORT` multiple times during the script, why do you have error handling logic only for the first attempt?
22 then	25 then

23 echo "UNKNOWN - Could not connect to $HOST via port $PORT"	26 echo "UNKNOWN - Could not connect to $HOST via port $PORT"

24 exit $STATE_UNKNOWN	27 exit "$STATE_UNKNOWN"

25 fi	28 fi

26	29

27 MONTH=`echo \| openssl s_client -connect "$HOST":$PORT 2>/dev/null \| openssl x509 -noout -enddate \| awk '{print $1}' \| cut -c 10-`	30 DAY=`echo "$OUTPUT" \| awk '{printf "02d", $2}'`

28 YEAR=`echo \| openssl s_client -connect "$HOST":$PORT 2>/dev/null \| openssl x509 -noout -enddate \| awk '{print $4}'`	31 MONTH=`echo "$OUTPUT" \| awk '{print $1}' \| cut -c 10-`

	32 YEAR=`echo "$OUTPUT" \| awk '{print $4}'`

29	33

30 case $MONTH in	34 case "$MONTH" in

31	35

32 "Jan")	36 "Jan")

33 MONTH="01"	37 MONTH="01"

34 ;;	38 ;;

35 "Feb")	39 "Feb")

36 MONTH="02"	40 MONTH="02"

37 ;;	41 ;;

38 "Mar")	42 "Mar")

39 MONTH="03"	43 MONTH="03"

40 ;;	44 ;;

(...skipping 23 matching lines...) Expand all Loading...
64 ;;	68 ;;

65 "Dec")	69 "Dec")

66 MONTH="12"	70 MONTH="12"

67 ;;	71 ;;

68 "*")	72 "*")

69 echo "An error occured"	73 echo "An error occured"

70 exit 1	74 exit 1

71 ;;	75 ;;

72 esac	76 esac

73	77

74 EXPIRY_DATE_IN_SEC=`date -d $YEAR$MONTH$DAY +%s`	78 EXPIRY_DATE_IN_SEC=`date -d "${YEAR}${MONTH}${DAY}" +%s`

75 CURRENT_DATE_IN_SEC=`date -d $CURRENT_DATE +%s`	79 CURRENT_DATE_IN_SEC=`date -d "$CURRENT_DATE" +%s`

76 DIFF=`expr $EXPIRY_DATE_IN_SEC - $CURRENT_DATE_IN_SEC`	80 DIFFERENCE=`expr $ "$EXPIRY_DATE_IN_SEC" - "$CURRENT_DATE_IN_SEC" $ / 86400`

77 DIFF=`expr $DIFF / 86400`

78	81

79 if [ $DIFF -le $CRITICAL ]	82 if [ "$DIFFERENCE" -le "$CRITICAL" ]

80 then	83 then

81 echo "CRITICAL - $HOST: SSL certificate has been expired!"	84 echo "CRITICAL - $HOST: SSL certificate has been expired!"

82 exit $STATE_CRITICAL	85 exit "$STATE_CRITICAL"
mathias 2018/05/30 08:11:59 Where are the $STATE_{CRITICAL,WARNING,OK,UNKNOWN} Where are the $STATE_{CRITICAL,WARNING,OK,UNKNOWN} variables defined?
83 elif [ $DIFF -le $WARNING ] && [ $DIFF -gt $CRITICAL ]	86 elif [ "$DIFFERENCE" -le "$WARNING" ]
mathias 2018/05/30 08:12:00 You already know at this point that $DIFF is great You already know at this point that $DIFF is greater than $CRITICAL because you already determined above that $DIFF is not less than or equal $CRITICAL.
84 then	87 then

85 echo "WARNING - $HOST: SSL certificate will be expired in $DIFF days!"	88 echo "WARNING - $HOST: SSL certificate will be expired in $DIFFERENCE days!"

86 exit $STATE_WARNING	89 exit "$STATE_WARNING"

87 elif [ $DIFF -gt $WARNING ]	90 elif [ "$DIFFERENCE" -gt "$WARNING" ]

88 then	91 then

89 echo "OK - $HOST: SSL certificate will be expired in $DIFF days"	92 echo "OK - $HOST: SSL certificate will be expired in $DIFFERENCE days"

90 exit $STATE_OK	93 exit "$STATE_OK"

91 else	94 else

92 echo "UNKNOWN - $HOST: Could not retrieve data"	95 echo "UNKNOWN - $HOST: Could not retrieve data"

93 exit $STATE_UNKNOWN	96 exit "$STATE_UNKNOWN"

94 fi	97 fi

LEFT	RIGHT