#!/bin/bash
# Check SSL Certificate Expiry [GNU]
# by Dan Barrett
# http://yesdevnull.net
# v1.0 - 19 December 2013
# Initial release.
# Checks the specified certificate and warns you if the certificate is going
# to expire soon, or if it has already expired, or if it isn't valid yet.
# Supports Ubuntu GNU Linux (other GNU distros should be fine too)
# Arguments:
# -h Host address
# -p Port of SSL service
# -e Expiry in days
# Example:
# ./check_ssl_certificate.expiry -h apple.com -p 443 -e 7
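# Set up our blank variables
host=""
port=""
expiryInDays=""
while getopts "h:p:e:" opt
do
  case "$opt" in
    h ) host=$OPTARG;;
    p ) port=$OPTARG;;
    e ) expiryInDays=$OPTARG;;
    # getopts already reports the bad/missing option on stderr; a usage error
    # is UNKNOWN(3) for the monitoring system, not something to carry on from.
    * ) printf "ERROR - Usage: %s -h host -p port -e expiry_in_days\n" "${0##*/}"; exit 3;;
  esac
done
if [ ! "$host" ]
then
  printf "ERROR - Please ensure you have entered a hostname with -h!\n"
  exit 3
fi
if [ ! "$port" ]
then
  printf "ERROR - Please add a port with -p\n"
  exit 3
fi
if [ ! "$expiryInDays" ]
then
  printf "ERROR - Please add an expiry in days with -e\n"
  exit 3
fi
# Both values end up in arithmetic or in a host:port string; insist on plain
# digits so that a malformed argument fails here with a clear message instead
# of being evaluated by $(( )) or handed to openssl.
case "$port" in
  *[!0-9]* ) printf "ERROR - Port (-p) must be a whole number\n"; exit 3;;
esac
case "$expiryInDays" in
  *[!0-9]* ) printf "ERROR - Expiry in days (-e) must be a whole number\n"; exit 3;;
esac
currentDateInEpoch=$(date +%s)
# Warning threshold converted from days to seconds.
expiryDays=$(( expiryInDays * 86400 ))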
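# Quick function to tidy up output results in days
# Arguments: $1 - a number of seconds (may be negative; the sign is dropped)
# Outputs:   "<n> day" or "<n> days" on stdout, n truncated toward zero
numberOfDays() {
  local seconds=$1
  local dayDiff dayName
  # Shell integer division truncates toward zero exactly as the former
  # "scale=0" bc pipeline did, so no external bc process is needed.
  dayDiff=$(( seconds / 60 / 60 / 24 ))
  # Drop a leading '-' to report the magnitude only.
  dayDiff=${dayDiff#-}
  dayName="days"
  if [ "$dayDiff" -eq 1 ]
  then
    dayName="day"
  fi
  printf '%s %s\n' "$dayDiff" "$dayName"
}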
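# Fetch the certificate once and derive every field from that single copy
# instead of opening three TLS connections. SNI (-servername) is sent so a
# name-based virtual host presents the certificate for $host rather than its
# default one; without it the expiry of the wrong certificate could be checked.
certPem=$(echo "QUIT" | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null | openssl x509 2>/dev/null)
beforeExpiry=$(printf '%s\n' "$certPem" | openssl x509 -noout -startdate 2>/dev/null)
afterExpiry=$(printf '%s\n' "$certPem" | openssl x509 -noout -enddate 2>/dev/null)
# Accept both the "CN=name" and the newer "CN = name" subject spellings.
commonName=$(printf '%s\n' "$certPem" | openssl x509 -subject -noout 2>/dev/null | sed -E 's/.*CN ?= ?([^/,]*).*/\1/')
# If the stdout of the date results is null, throw a critical(2)
if [ -z "$beforeExpiry" ] || [ -z "$afterExpiry" ]
then
  printf 'CRITICAL - Unable to read certificate for %s.\n' "$host"
  exit 2
fi
# openssl prints "notBefore=<date>" / "notAfter=<date>"; strip the label and
# let date(1) parse the rest rather than pre-filtering it with a regex.
notBefore=${beforeExpiry#notBefore=}
notBeforeExpiry=$(date --date="$notBefore" +%s 2>/dev/null)
notAfter=${afterExpiry#notAfter=}
notAfterExpiry=$(date --date="$notAfter" +%s 2>/dev/null)
# An unparseable date previously became 0 in the arithmetic below and was
# reported as "expired"; report it as UNKNOWN(3) instead.
if [ -z "$notBeforeExpiry" ] || [ -z "$notAfterExpiry" ]
then
  printf 'UNKNOWN - Could not parse validity dates for %s.\n' "$commonName"
  exit 3
fi
diff=$(( currentDateInEpoch - notBeforeExpiry ))
# Is certificate not valid until the future? If so, throw a critical(2)
if [ "$diff" -lt 0 ]
then
  printf 'CRITICAL - Certificate %s is not valid for %s!\n' "$commonName" "$(numberOfDays "$diff")"
  exit 2
fi
diff=$(( notAfterExpiry - currentDateInEpoch ))
# If the differential is less than 0, the certificate has already expired, throw a critical(2)
if [ "$diff" -lt 0 ]
then
  printf 'CRITICAL - Certificate %s expired %s ago!\n' "$commonName" "$(numberOfDays "$diff")"
  exit 2
fi
# If the differential is less than the expiry days, throw a warning(1)
if [ "$diff" -lt "$expiryDays" ]
then
  printf 'WARNING - Certificate %s will expire in less than %s.\n' "$commonName" "$(numberOfDays "$diff")"
  exit 1
fi
# All OK(0). The name comes from the remote certificate, so it is passed as a
# printf argument rather than interpolated into the format string.
printf 'OK - Certificate %s expires in %s.\n' "$commonName" "$(numberOfDays "$diff")"
exit 0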