85 lines
2.9 KiB
Bash
85 lines
2.9 KiB
Bash
#!/bin/bash
|
|
# Checkmk Local Check: Alle SSL-Zertifikate prüfen mit Domainnamen
|
|
# Speicherort: /usr/lib/check_mk_agent/local/npm_cert_check.sh
|
|
|
|
BASE_DIRS=(
|
|
"/etc/letsencrypt/live"
|
|
"/data/custom_ssl"
|
|
)
|
|
|
|
WARN_DAYS=14
|
|
CRIT_DAYS=5
|
|
|
|
check_cert() {
|
|
local cert_file="$1"
|
|
|
|
# CN (Common Name) auslesen
|
|
CN=$(openssl x509 -noout -subject -in "$cert_file" 2>/dev/null | sed -n 's/^subject=.*CN=//p')
|
|
if [ -z "$CN" ]; then
|
|
CN=$(basename "$(dirname "$cert_file")") # Fallback: Ordnername
|
|
fi
|
|
|
|
# Ablaufdatum auslesen
|
|
EXPIRY_DATE=$(openssl x509 -enddate -noout -in "$cert_file" 2>/dev/null | cut -d= -f2)
|
|
if [ -z "$EXPIRY_DATE" ]; then
|
|
echo "2 cert_${CN} - Fehler beim Lesen des Zertifikats"
|
|
return
|
|
fi
|
|
|
|
EXPIRY_TS=$(date -d "$EXPIRY_DATE" +%s)
|
|
NOW_TS=$(date +%s)
|
|
DAYS_LEFT=$(( (EXPIRY_TS - NOW_TS) / 86400 ))
|
|
|
|
# Status setzen
|
|
if [ $DAYS_LEFT -lt 0 ]; then
|
|
STATUS=2
|
|
elif [ $DAYS_LEFT -le $CRIT_DAYS ]; then
|
|
STATUS=2
|
|
elif [ $DAYS_LEFT -le $WARN_DAYS ]; then
|
|
STATUS=1
|
|
else
|
|
STATUS=0
|
|
fi
|
|
|
|
# SAN-Einträge auslesen
|
|
SAN=$(openssl x509 -noout -text -in "$cert_file" 2>/dev/null \
|
|
| grep -A1 "Subject Alternative Name" | tail -n1 \
|
|
| sed 's/DNS://g; s/,//g')
|
|
|
|
echo "$STATUS cert_${CN} days_left=$DAYS_LEFT;${WARN_DAYS};${CRIT_DAYS};0; Zertifikat '$CN' läuft in $DAYS_LEFT Tagen ab (SAN: $SAN)"
|
|
}
|
|
|
|
# Zertifikate in allen Base Directories prüfen
|
|
for CERT_BASE in "${BASE_DIRS[@]}"; do
|
|
LABEL=$(basename "$CERT_BASE" | tr '/ ' '_')
|
|
|
|
if [ -d "$CERT_BASE" ]; then
|
|
FOUND_CERT=0
|
|
|
|
# falls du wieder nur bestimmte Ordner willst, z.B. npm-*:
|
|
# find "$CERT_BASE" -mindepth 1 -maxdepth 1 -type d -name "npm-*"
|
|
find "$CERT_BASE" -mindepth 1 -maxdepth 1 -type d | while read -r dir; do
|
|
cert_file="$dir/fullchain.pem"
|
|
if [ -f "$cert_file" ]; then
|
|
FOUND_CERT=1
|
|
check_cert "$cert_file"
|
|
fi
|
|
done
|
|
|
|
# WICHTIG: FOUND_CERT aus der while-Schleife korrekt benutzen
|
|
# -> deshalb die Auswertung mit Subshelleinsatz umgehen:
|
|
if ! find "$CERT_BASE" -mindepth 1 -maxdepth 1 -type d -print -quit | grep -q .; then
|
|
# gar keine Unterverzeichnisse
|
|
echo "0 cert_info_${LABEL} - Keine Zertifikatsverzeichnisse in ${CERT_BASE} gefunden"
|
|
else
|
|
# es gibt Unterverzeichnisse, aber evtl. keine fullchain.pem
|
|
ANY_CERT=$(find "$CERT_BASE" -mindepth 2 -maxdepth 2 -type f -name "fullchain.pem" -print -quit)
|
|
if [ -z "$ANY_CERT" ]; then
|
|
echo "0 cert_info_${LABEL} - Keine Zertifikate (fullchain.pem) in ${CERT_BASE} gefunden"
|
|
fi
|
|
fi
|
|
else
|
|
# Verzeichnis existiert nicht -> OK mit Info
|
|
echo "0 cert_info_${LABEL} - Verzeichnis ${CERT_BASE} nicht vorhanden, keine Zertifikate geprüft"
|
|
fi
|
|
done |