
Nagios nrpe-plugin for checking apache2 ssl-certificates


A simple Perl script for use as a Nagios NRPE plugin that checks the validity of the configured SSL certificates. No doubt, expired SSL certificates are annoying. To avoid them, here is my Nagios NRPE plugin, which checks the certificates referenced in all apache2 config files…

#!/usr/bin/perl
use strict;
use POSIX qw( mktime ctime );

# Alert thresholds, in days of remaining certificate validity: more than
# $warn_value days left is OK, more than $crit_value is WARNING, anything
# else is CRITICAL.
my ($warn_value, $crit_value) = (30, 7);

# Apache configuration directories that are scanned for SSLCertificateFile
# directives. The trailing slash matters: file names are appended directly.
my @config_paths = qw( /etc/apache2/sites-enabled/ /etc/apache2/conf.d/ );

# Certificate paths collected while scanning the directories above.
my @cert_files = ();

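# Return the number of whole days until the certificate in $file expires
# (negative once it has expired), as reported by `openssl x509 -enddate`.
#
# $file is a certificate path taken from an Apache configuration file. It
# may carry surrounding whitespace such as the trailing newline of the
# config line; that is stripped before use.
#
# If openssl cannot be started or its output cannot be parsed, the check
# cannot say anything about the certificate, so the sub prints an UNKNOWN
# line and exits with status 3 instead of returning a made-up number.
#
# No "()" prototype: the sub takes one argument, and an empty prototype
# only compiled because the call site used the &-form to bypass it.
sub get_days_left {

    my ($file) = @_;

    $file = '' unless defined $file;
    $file =~ s/\A\s+//;
    $file =~ s/\s+\z//;

    my %month_index = (
        'Jan' =>  0,
        'Feb' =>  1,
        'Mar' =>  2,
        'Apr' =>  3,
        'May' =>  4,
        'Jun' =>  5,
        'Jul' =>  6,
        'Aug' =>  7,
        'Sep' =>  8,
        'Oct' =>  9,
        'Nov' => 10,
        'Dec' => 11,
    );

    # List-form pipe open runs openssl directly, without a shell. The path
    # comes from a config file; interpolated into a backtick command, any
    # shell metacharacter in it would be interpreted, and a path containing
    # a space would be split into several arguments.
    my $enddate_line;
    if (open(my $openssl, '-|', 'openssl', 'x509', '-enddate', '-noout', '-in', $file)) {
        $enddate_line = <$openssl>;
        close($openssl);
    }

    # Expected shape: "notAfter=Jan  1 00:00:00 2030 GMT".
    my $expires;
    if (defined $enddate_line
        and $enddate_line =~ /^[A-Za-z]+=\s?([A-Za-z]{3})\s+(\d+)\s+(\d+):(\d+):(\d+)\s+(\d{4})\b/
        and exists $month_index{$1})
    {
        my ($month, $day, $hour, $minute, $second, $year) = ($1, $2, $3, $4, $5, $6);

        # openssl prints the end date in GMT, so convert with timegm();
        # mktime() would read it as local time and skew the result by the
        # host's UTC offset. timegm() croaks on out-of-range fields, hence
        # the eval.
        require Time::Local;
        $expires = eval {
            Time::Local::timegm($second, $minute, $hour, $day, $month_index{$month}, $year);
        };
    }

    if (!defined $expires) {
        print "UNKNOWN - cannot read expiry date of " . $file . "\n";
        exit 3;
    }

    # Truncate toward zero, matching the "whole days" figure shown in the
    # plugin output.
    return int(($expires - time()) / 60 / 60 / 24);
}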

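# Collect the argument of every SSLCertificateFile directive found in the
# files that sit directly inside the configured directories.
#
# Limits of this scan: files included from elsewhere are not followed, the
# directive name is matched case-sensitively although Apache accepts any
# case, and a quoted path is captured with its quotes. A certificate missed
# here is simply not monitored.
foreach my $config_path (@config_paths) {

    next unless -d $config_path;

    opendir(my $config_dir, $config_path) or print "ERROR: $!\n" and exit 3;
    my @config_files = readdir($config_dir);
    closedir($config_dir);

    foreach my $config_file (@config_files) {

        my $config_full_path = $config_path . $config_file;

        # readdir also returns ".", ".." and sub-directories; only plain
        # files (or symlinks resolving to one) can hold directives.
        next unless -f $config_full_path;

        # Three-argument open with a lexical handle: the file name is never
        # parsed for a mode. An unreadable config file ends the check as
        # UNKNOWN rather than being skipped, because skipping it would hide
        # the certificates it references.
        open(my $config_handle, '<', $config_full_path)
            or print "ERROR: $!\n" and exit 3;

        while (my $line = <$config_handle>) {

            if ($line =~ /^\s*SSLCertificateFile\s+\S+$/) {
                # The substitution keeps the line's trailing newline, which
                # the reporting code at the end of the script matches on.
                (my $cert_file = $line) =~ s/^\s*SSLCertificateFile\s+(\S+)$/$1/;
                push @cert_files, $cert_file;
            }
        }
        close($config_handle);
    }
}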

# State shared with the reporting code below: the smallest number of days
# left among all certificates, the certificate it belongs to, and how many
# certificates were examined.
my ($min_exp, $bad_cert);
my $num_certs = 0;
my ($days_left, $file, $cert_file);

for my $candidate (@cert_files) {

    # The &-form call bypasses the sub's empty prototype.
    $days_left = &get_days_left($candidate);

    # The first certificate always becomes the current minimum; later ones
    # replace it only when they expire sooner.
    my $is_first = ($num_certs == 0);
    if ($is_first or $min_exp > $days_left) {
        ($min_exp, $bad_cert) = ($days_left, $candidate);
    }

    $num_certs += 1;
}

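# Report the certificate closest to expiry using the Nagios plugin
# convention: exit 0 = OK, 1 = WARNING, 2 = CRITICAL, 3 = UNKNOWN.

# With no certificate examined there is nothing to judge. Reporting OK here
# would make a broken scan look healthy, so the result is UNKNOWN.
if ($num_certs < 1) {
    print "UNKNOWN - no SSLCertificateFile entries found\n";
    exit 3;
}

# Reduce the path to its file name for the status line. Trailing whitespace
# (the newline carried over from the config line) is dropped whether or not
# it is present.
$bad_cert =~ s{\A\S*/(\S+)\s*\z}{$1};

if ($min_exp > $warn_value) {
    print "OK - " . $min_exp . " days left\n";
    exit 0;
}
elsif ($min_exp > $crit_value) {
    print "WARNING - " . $min_exp . " days left ( " . $bad_cert . " )\n";
    exit 1;
}
else {
    print "CRITICAL - " . $min_exp . " days left ( " . $bad_cert . " )\n";
    exit 2;
}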
