matteocorti / nagios_plugins


check_ssl_cert #65

Closed matteocorti closed 9 years ago

matteocorti commented 9 years ago

Original reporter: anonymous

The check_ssl_cert plugin only has the ability to go critical when the certificate expires. In my opinion, it would be nice to have the ability to have the check_ssl_cert go into 'warn' mode also given a minimum number of days that a certificate has to be valid and also be able to configure the minimum number of days that the certificate has to be valid before it goes CRITICAL.

Other plugins use -w and -c for warn and critical values, respectively.

Perhaps, -d could be for the minimum number of days for warn and -D for the minimum number of days for critical.

from:

    case $opt in
        d )      DAYS=$OPTARG;                ;;

to:

    case $opt in
        d )      WARN_DAYS=$OPTARG;           ;;
        D )      CRIT_DAYS=$OPTARG;           ;;

and then alter the #check the date validity section (and may have to sanity check both the "d" and "D" options to ensure that d is not <= D).

-d can be set without -D and vice versa.

pseudo code follows

    # -d and -D are each optional: validate a value only when it was given
    if [ -n "$WARN_DAYS" ] && ! echo "$WARN_DAYS" | grep -Eq '^[1-9][0-9]*$' ; then
        critical "invalid number of days for -d switch ($WARN_DAYS)"
    fi

    if [ -n "$CRIT_DAYS" ] && ! echo "$CRIT_DAYS" | grep -Eq '^[1-9][0-9]*$' ; then
        critical "invalid number of days for -D switch ($CRIT_DAYS)"
    fi

    # when both are set, the warning threshold must be larger than the critical one
    if [ -n "$WARN_DAYS" ] && [ -n "$CRIT_DAYS" ] && [ "$WARN_DAYS" -le "$CRIT_DAYS" ] ; then
        critical "-d $WARN_DAYS is less than or equal to -D $CRIT_DAYS"
    fi

    # -checkend N fails if the certificate expires within the next N seconds
    if ! $OPENSSL x509 -in "${CERT}" -noout -checkend 0 ; then
        critical "certificate is expired (was valid until $DATE)"
    fi

    if [ -n "$CRIT_DAYS" ] && ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( CRIT_DAYS * 86400 )) ; then
        critical "certificate will expire on $DATE"
    fi

    if [ -n "$WARN_DAYS" ] && ! $OPENSSL x509 -in "${CERT}" -noout -checkend $(( WARN_DAYS * 86400 )) ; then
        warning "certificate will expire on $DATE"
    fi

matteocorti commented 9 years ago

Original reporter: matteo@corti.li

Hi,

I'll try to take a look at it as soon as possible.

A solution with long options would be better, but I have not yet found a portable solution (bash getopt is not OK, GNU getopt is not always there ...).

In any case, ignoring the problem of the option "name", I will implement the suggestion (critical and warning for the expiration time, and critical only for the other checks such as the issuer name).

Matteo
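The portability problem raised in the comment above (no GNU getopt everywhere, no long options in the shell builtin) can be sidestepped with a plain while/case loop in POSIX sh. This is an added example, not part of the thread or of the check_ssl_cert code; the option names -w/--warning and -c/--critical and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Portable short and long option parsing without getopt(1) or getopts.
# Option and function names are illustrative assumptions, not the plugin's own.

is_days() {  # succeeds only for a positive integer without leading zeros
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# parse_thresholds ARGS...: sets WARN_DAYS and CRIT_DAYS and returns 0, or
# returns 3 (Nagios UNKNOWN) on a usage error with the reason in PARSE_ERROR.
parse_thresholds() {
    WARN_DAYS='' CRIT_DAYS='' PARSE_ERROR=''
    while [ $# -gt 0 ]; do
        case "$1" in
            -w|--warning|-c|--critical)          # value in the next argument
                if [ $# -lt 2 ]; then PARSE_ERROR="$1 requires a value"; return 3; fi
                opt=$1 val=$2; shift 2 ;;
            --warning=*|--critical=*)            # --name=value form
                opt=${1%%=*} val=${1#*=}; shift ;;
            --) shift; break ;;
            *)  PARSE_ERROR="unknown option: $1"; return 3 ;;
        esac
        if ! is_days "$val"; then
            PARSE_ERROR="invalid number of days for $opt ($val)"; return 3
        fi
        case "$opt" in
            -w|--warning)  WARN_DAYS=$val ;;
            -c|--critical) CRIT_DAYS=$val ;;
        esac
    done
    # Either threshold may be omitted; when both are set, warning must be larger.
    if [ -n "$WARN_DAYS" ] && [ -n "$CRIT_DAYS" ] && [ "$WARN_DAYS" -le "$CRIT_DAYS" ]; then
        PARSE_ERROR="warning ($WARN_DAYS) must be greater than critical ($CRIT_DAYS)"
        return 3
    fi
    return 0
}
```

The parsed day counts can then be passed to `openssl x509 -checkend` as a number of seconds, for example `$(( WARN_DAYS * 86400 ))`, as in the proposal earlier in the thread.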

matteocorti commented 9 years ago

Original reporter: matteo@corti.li

Implemented in #1179 (Version 1.6.0)