#!/bin/bash
# Checkmk Local Check: Alle NPM-SSL-Zertifikate prüfen mit Domainnamen
# Speicherort: /usr/lib/check_mk_agent/local/npm_cert_check.sh

CERT_BASE="/etc/letsencrypt/live"
WARN_DAYS=30
CRIT_DAYS=10

check_cert() {
    local cert_file="$1"

    # CN (Common Name) auslesen
    CN=$(openssl x509 -noout -subject -in "$cert_file" 2>/dev/null | sed -n 's/^subject=.*CN=//p')
    if [ -z "$CN" ]; then
        CN=$(basename "$(dirname "$cert_file")") # Fallback: Ordnername
    fi

    # Ablaufdatum auslesen
    EXPIRY_DATE=$(openssl x509 -enddate -noout -in "$cert_file" 2>/dev/null | cut -d= -f2)
    if [ -z "$EXPIRY_DATE" ]; then
        echo "2 cert_${CN} - Fehler beim Lesen des Zertifikats"
        return
    fi

    EXPIRY_TS=$(date -d "$EXPIRY_DATE" +%s)
    NOW_TS=$(date +%s)
    DAYS_LEFT=$(( (EXPIRY_TS - NOW_TS) / 86400 ))

    # Status setzen
    if [ $DAYS_LEFT -lt 0 ]; then
        STATUS=2
    elif [ $DAYS_LEFT -le $CRIT_DAYS ]; then
        STATUS=2
    elif [ $DAYS_LEFT -le $WARN_DAYS ]; then
        STATUS=1
    else
        STATUS=0
    fi

    # SAN-Einträge (Alternative Namen) auslesen
    SAN=$(openssl x509 -noout -text -in "$cert_file" 2>/dev/null | grep -A1 "Subject Alternative Name" | tail -n1 | sed 's/DNS://g; s/,//g')

    echo "$STATUS cert_${CN} days_left=$DAYS_LEFT;${WARN_DAYS};${CRIT_DAYS};0; Zertifikat '$CN' läuft in $DAYS_LEFT Tagen ab (SAN: $SAN)"
}

# Alle Zertifikate unter /etc/letsencrypt/live/npm-* prüfen
if [ -d "$CERT_BASE" ]; then
    find "$CERT_BASE" -mindepth 1 -maxdepth 1 -type d -name "npm-*" | while read -r dir; do
        cert_file="$dir/fullchain.pem"
        if [ -f "$cert_file" ]; then
            check_cert "$cert_file"
        fi
    done
else
    echo "2 cert_check - Zertifikatspfad $CERT_BASE nicht gefunden"
fi