From 99cb2cf51d6ebdf3f21c4849aad148e4687c2fad Mon Sep 17 00:00:00 2001
From: Jan Philipp Timme <jan.philipp@timme.it>
Date: Fri, 9 Jul 2021 13:51:42 +0200
Subject: [PATCH] Add separate plugin to monitor letsencrypt certificates
---
.../local/monitor-letsencrypt-certificates | 51 +++++++++++++++++++
.../monitor-letsencrypt-certificates.sls | 7 +++
2 files changed, 58 insertions(+)
create mode 100644 checkmk/custom-files/local/monitor-letsencrypt-certificates
create mode 100644 checkmk/debian/monitor-letsencrypt-certificates.sls
diff --git a/checkmk/custom-files/local/monitor-letsencrypt-certificates b/checkmk/custom-files/local/monitor-letsencrypt-certificates
new file mode 100644
index 0000000..aad3887
--- /dev/null
+++ b/checkmk/custom-files/local/monitor-letsencrypt-certificates
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# We need current time+date to check for remaining time on certificates
+NOW=$(date +%s)
+
+# WARN if less than this amount of days is left on the certificate
+CONFIG_WARN_DAYS_LEFT=16
+
+# CRIT if less than this amount of days is left on the certificate
+CONFIG_CRIT_DAYS_LEFT=8
+
+# List of folders to process *.pem files in
+# Example: CONFIG_CHECK_FOLDERS=( "/a/b/c" "/d/e/f" "/foo/bar/baz" )
+CONFIG_CHECK_FOLDERS=( "/etc/letsencrypt/live" )
+
+function process_folder {
+ folder="$1"
+ if [[ "" == "$folder" || ! -d "$folder" ]]; then
+ return
+ fi
+ pemfiles=$(find "$folder" -name 'cert.pem')
+ for pemfile in $pemfiles; do
+ pem_subject=$(openssl x509 -in "$pemfile" -noout -text 2>&1 | grep 'Subject:' | tr -s ' ' | cut -d ' ' -f 3-)
+ pem_cn=$(echo $pem_subject | rev | cut -d ' ' -f 1 | rev)
+ pem_expire_date=$(openssl x509 -in "$pemfile" -noout -text 2>&1 | grep 'Not After' | tr -s ' ' | cut -d ' ' -f 5-)
+ pem_expire_timestamp=$(date -d "$pem_expire_date" +%s)
+ pem_remaining_seconds=$(($pem_expire_timestamp - $NOW))
+ pem_remaining_days=$(($pem_remaining_seconds / 86400))
+ pem_status=""
+ checkmk_status="3"
+ if [[ $pem_remaining_days -lt 1 ]]; then
+ pem_status="EXPIRED"
+ checkmk_status="2"
+ else
+ pem_status="$pem_remaining_days days remaining"
+ # Default is OK, gets overridden by WARN, then by CRIT
+ checkmk_status="0"
+ if [[ $pem_remaining_days -le CONFIG_WARN_DAYS_LEFT ]]; then
+ checkmk_status="1"
+ fi
+ if [[ $pem_remaining_days -le CONFIG_CRIT_DAYS_LEFT ]]; then
+ checkmk_status="2"
+ fi
+ fi
+ echo "$checkmk_status Certificate_$pemfile - $pem_status (CN: $pem_cn)"
+ done
+}
+
+for folder in ${CONFIG_CHECK_FOLDERS[@]}; do
+ process_folder $folder
+done
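Review bot: A certificate that openssl cannot read or parse is never reported as UNKNOWN in `process_folder`: the initial `checkmk_status="3"` is overwritten on both branches of the following `if`, and `2>&1` feeds openssl's error text into the `grep` pipeline instead of failing the check. In that case `pem_expire_date` ends up empty, and GNU `date -d ""` appears to resolve to a time today, so the service would show "EXPIRED" with an empty CN rather than a parse error; this should be confirmed on the target hosts. Checking openssl's exit status and reading the date with `-enddate` separates "expired" from "could not be checked" and no longer depends on the column layout of `-text`. Separately, `for pemfile in $pemfiles` and the unquoted `$folder` in the final loop word-split paths that contain whitespace.

```shell
for pemfile in $pemfiles; do
  # … unchanged: subject / CN extraction …
  if ! pem_enddate=$(openssl x509 -in "$pemfile" -noout -enddate 2>/dev/null); then
    # Report unreadable or malformed certificates as UNKNOWN instead of EXPIRED
    echo "3 Certificate_$pemfile - certificate could not be parsed"
    continue
  fi
  pem_expire_date=${pem_enddate#notAfter=}
  # … unchanged: timestamp arithmetic and threshold checks …
```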
diff --git a/checkmk/debian/monitor-letsencrypt-certificates.sls b/checkmk/debian/monitor-letsencrypt-certificates.sls
new file mode 100644
index 0000000..3093ea4
--- /dev/null
+++ b/checkmk/debian/monitor-letsencrypt-certificates.sls
@@ -0,0 +1,7 @@
+hsh_checkmk_monitor_letsencrypt_certificates_plugin:
+ file.managed:
+ - name: /usr/lib/check_mk_agent/local/monitor-letsencrypt-certificates
+ - source: salt://checkmk/custom-files/local/monitor-letsencrypt-certificates
+ - mode: 755
+ - user: root
+ - group: root
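Review bot: The `mode` value in this `file.managed` state is an unquoted YAML integer; Salt's convention is to quote file modes so they are never re-interpreted by the YAML loader, e.g. `- mode: '0755'`. Since the agent executes everything in the local-checks directory, presumably as root, it is also worth a one-line comment above the state saying the script must stay root-owned and not group- or world-writable, which the `user`, `group` and `mode` lines here already enforce.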
--
GitLab