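#!/usr/bin/env python3
"""Report the remaining lifetime of the TLS certificates configured in UCR.

For each service the certificate path is read with ``ucr get`` and the
``notAfter`` date is extracted with ``openssl x509``.  One line per service is
printed in the form ``<status> <service> - <text>`` (the layout used by
Checkmk local checks -- presumably how this script is deployed), and the
process exits with the worst status seen.

Scope of the check, as implemented:

* Only the certificate *file* is inspected, not what the running service
  presents on the wire.  A service that was not reloaded after a renewal
  can still hand out the old certificate while this check reports OK.
* ``openssl x509 -in`` reads the first certificate in the file, so
  intermediates bundled in the same PEM are not evaluated.
"""
import subprocess
import sys
from datetime import datetime, timezone

# Upper bound for every external command, so a hanging ``openssl`` or ``ucr``
# cannot stall the monitoring run that invokes this script.
_CMD_TIMEOUT = 10


def get_expiry(cert_path):
    """Return the ``notAfter`` date of the certificate at *cert_path*.

    The value is a naive ``datetime``; openssl prints the date in GMT, so it
    is compared against UTC by the caller.

    Returns ``None`` when the file cannot be read or parsed: openssl missing,
    non-zero exit, timeout, or unexpected output.
    """
    try:
        # Argument list (no shell), so the path taken from UCR is never
        # interpreted by a shell.
        out = subprocess.check_output(
            ['openssl', 'x509', '-enddate', '-noout', '-in', cert_path],
            stderr=subprocess.DEVNULL,
            timeout=_CMD_TIMEOUT,
        ).decode().strip()
        # Expected output: "notAfter=Jun  1 12:00:00 2025 GMT"
        date_str = out.split('=', 1)[1]
        return datetime.strptime(date_str, "%b %d %H:%M:%S %Y %Z")
    except (subprocess.SubprocessError, OSError, IndexError, ValueError):
        # SubprocessError covers both a non-zero exit and the timeout;
        # OSError covers a missing openssl binary; IndexError/ValueError
        # cover output that does not have the expected shape.
        return None


def check_cert(name, path, warn_days=30, crit_days=15):
    """Print one status line for a certificate and return its status code.

    Args:
        name: Service label, used in the service name ``UCS_CERT_<name>``.
        path: Path of the certificate file.
        warn_days: Remaining days at or below which WARNING (1) is reported.
        crit_days: Remaining days at or below which CRITICAL (2) is reported.

    Returns:
        0 (OK), 1 (WARNING) or 2 (CRITICAL).  An unreadable or already
        expired certificate is CRITICAL.
    """
    expiry = get_expiry(path)
    if expiry is None:
        print(f"2 UCS_CERT_{name} - CRITICAL - Zertifikat {path} nicht lesbar")
        return 2

    # Naive UTC "now", matching the naive GMT value from get_expiry();
    # datetime.utcnow() is deprecated since Python 3.12.
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    days_left = (expiry - now).days

    if days_left < 0:
        print(f"2 UCS_CERT_{name} - CRITICAL - Zertifikat ist abgelaufen am {expiry}")
        return 2
    if days_left <= crit_days:
        print(f"2 UCS_CERT_{name} - CRITICAL - Läuft in {days_left} Tagen ab ({expiry})")
        return 2
    if days_left <= warn_days:
        print(f"1 UCS_CERT_{name} - WARNING - Läuft in {days_left} Tagen ab ({expiry})")
        return 1
    print(f"0 UCS_CERT_{name} - OK - Gültig für {days_left} Tage (bis {expiry})")
    return 0


def ucr_get(var):
    """Return the value of UCR variable *var*, or ``None`` if it cannot be read.

    ``None`` is returned when ``ucr`` exits non-zero, times out, or is not
    installed, so a missing tool yields a WARNING line instead of a traceback
    and no output at all.
    """
    try:
        return subprocess.check_output(
            ['ucr', 'get', var], text=True, timeout=_CMD_TIMEOUT
        ).strip()
    except (subprocess.SubprocessError, OSError):
        return None


def main():
    """Check every configured certificate and exit with the worst status."""
    certs = {
        'Apache': ucr_get('apache2/ssl/certificate'),
        'Dovecot': ucr_get('mail/dovecot/ssl/certificate'),
        # Was spelled 'Dostfix'; the variable is the Postfix one.  The service
        # name changes with this fix, so the monitoring side has to
        # rediscover it.
        'Postfix': ucr_get('mail/postfix/ssl/certificate'),
    }

    exit_codes = []
    for name, path in certs.items():
        if path:
            exit_codes.append(check_cert(name, path))
        else:
            # Same service name as check_cert() uses; with a different
            # prefix the regular service would go stale instead of warning.
            print(f"1 UCS_CERT_{name} - WARNING - Kein Zertifikatspfad gesetzt")
            exit_codes.append(1)

    sys.exit(max(exit_codes) if exit_codes else 3)


if __name__ == "__main__":
    main()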