From 9b1c2c9446ee6ca3c1e151b0b72ea779f9ac7da0 Mon Sep 17 00:00:00 2001
From: patrick
Date: Sun, 3 Aug 2025 16:48:54 +0200
Subject: [PATCH] =?UTF-8?q?cert=5Fcheck.py=20hinzugef=C3=BCgt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cert_check.py | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 cert_check.py
diff --git a/cert_check.py b/cert_check.py
new file mode 100644
index 0000000..bc79622
--- /dev/null
+++ b/cert_check.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python3
+import subprocess
+import sys
+from datetime import datetime
+
+def get_expiry(cert_path):
+ try:
+ out = subprocess.check_output(
+ ['openssl', 'x509', '-enddate', '-noout', '-in', cert_path],
+ stderr=subprocess.DEVNULL
+ ).decode().strip()
+ date_str = out.split('=', 1)[1]
+ return datetime.strptime(date_str, "%b %d %H:%M:%S %Y %Z")
+ except Exception:
+ return None
+
+def check_cert(name, path, warn_days=30, crit_days=15):
+ expiry = get_expiry(path)
+ if expiry is None:
+ print(f"2 UCS_CERT_{name} - CRITICAL - Zertifikat {path} nicht lesbar")
+ return 2
+ days_left = (expiry - datetime.utcnow()).days
+ if days_left < 0:
+ print(f"2 UCS_CERT_{name} - CRITICAL - Zertifikat ist abgelaufen am {expiry}")
+ return 2
+ elif days_left <= crit_days:
+ print(f"2 UCS_CERT_{name} - CRITICAL - Läuft in {days_left} Tagen ab ({expiry})")
+ return 2
+ elif days_left <= warn_days:
+ print(f"1 UCS_CERT_{name} - WARNING - Läuft in {days_left} Tagen ab ({expiry})")
+ return 1
+ else:
+ print(f"0 UCS_CERT_{name} - OK - Gültig für {days_left} Tage (bis {expiry})")
+ return 0
+
+def main():
+ def ucr_get(var):
+ try:
+ return subprocess.check_output(['ucr', 'get', var], text=True).strip()
+ except subprocess.CalledProcessError:
+ return None
+
+ certs = {
+ 'Apache': ucr_get('apache2/ssl/certificate'),
+ 'Dovecot': ucr_get('mail/dovecot/ssl/certificate'),
+ 'Dostfix': ucr_get('mail/postfix/ssl/certificate'),
+ }
+
+ exit_codes = []
+ for name, path in certs.items():
+ if path:
+ ret = check_cert(name, path)
+ exit_codes.append(ret)
+ else:
+ print(f"1 cert_{name} - WARNING - Kein Zertifikatspfad gesetzt")
+ exit_codes.append(1)
+
+ sys.exit(max(exit_codes) if exit_codes else 3)
+
+if __name__ == "__main__":
+ main()
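Review bot: The unset-path branch in `main()` prints `cert_{name}` while every other status line uses `UCS_CERT_{name}`, so a monitoring system that keys on the service name (the output looks like a local-check format) would file that warning under a different service and leave the real one stale; use `print(f"1 UCS_CERT_{name} - WARNING - Kein Zertifikatspfad gesetzt")`. The key `'Dostfix'` next to `mail/postfix/ssl/certificate` is presumably a typo for `'Postfix'`. `ucr_get` catches only `CalledProcessError`, so a missing `ucr` binary raises `FileNotFoundError` and the script ends in a traceback with no status lines at all; `except (subprocess.CalledProcessError, OSError):` keeps the check reporting. `get_expiry` also deserves a comment: `openssl x509 -in` reads only the first certificate in the file, so an expiring intermediate in a bundle goes unreported, and the blanket `except Exception` with stderr discarded makes an unreadable file indistinguishable from an unparsable date.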