Add separate plugin to monitor letsencrypt certificates

99cb2cf5 · Jan Philipp Timme · 76702b1f · 99cb2cf5 · 99cb2cf5
Commit 99cb2cf5 authored 4 years ago by Jan Philipp Timme
--- a/checkmk/custom-files/local/monitor-letsencrypt-certificates
+++ b/checkmk/custom-files/local/monitor-letsencrypt-certificates
+#!/bin/bash
+# We need current time+date to check for remaining time on certificates
+NOW=$(date +%s)
+# WARN if less than this amount of days is left on the certificate
+CONFIG_WARN_DAYS_LEFT=16
+# CRIT if less than this amount of days is left on the certificate
+CONFIG_CRIT_DAYS_LEFT=8
+# List of folders to process *.pem files in
+# Example: CONFIG_CHECK_FOLDERS=( "/a/b/c" "/d/e/f" "/foo/bar/baz" )
+CONFIG_CHECK_FOLDERS=( "/etc/letsencrypt/live" )
+function process_folder {
+    folder="$1"
+    if [[ "" == "$folder" || ! -d "$folder" ]]; then
+        return
+    fi
+    pemfiles=$(find "$folder" -name 'cert.pem')
+    for pemfile in $pemfiles; do
+        pem_subject=$(openssl x509 -in "$pemfile" -noout -text 2>&1 | grep 'Subject:' | tr -s ' ' | cut -d ' ' -f 3-)
+        pem_cn=$(echo $pem_subject | rev | cut -d ' ' -f 1 | rev)
+        pem_expire_date=$(openssl x509 -in "$pemfile" -noout -text 2>&1 | grep 'Not After' | tr -s ' ' | cut -d ' ' -f 5-)
+        pem_expire_timestamp=$(date -d "$pem_expire_date" +%s)
+        pem_remaining_seconds=$(($pem_expire_timestamp - $NOW))
+        pem_remaining_days=$(($pem_remaining_seconds / 86400))
+        pem_status=""
+        checkmk_status="3"
+        if [[ $pem_remaining_days -lt 1 ]]; then
+            pem_status="EXPIRED"
+            checkmk_status="2"
+        else
+            pem_status="$pem_remaining_days days remaining"
+            # Default is OK, gets overridden by WARN, then by CRIT
+            checkmk_status="0"
+            if [[ $pem_remaining_days -le CONFIG_WARN_DAYS_LEFT ]]; then
+                checkmk_status="1"
+            fi
+            if [[ $pem_remaining_days -le CONFIG_CRIT_DAYS_LEFT ]]; then
+                checkmk_status="2"
+            fi
+        fi
+        echo "$checkmk_status Certificate_$pemfile - $pem_status (CN: $pem_cn)"
+    done
+}
+for folder in ${CONFIG_CHECK_FOLDERS[@]}; do
+    process_folder $folder
+done
--- a/checkmk/debian/monitor-letsencrypt-certificates.sls
+++ b/checkmk/debian/monitor-letsencrypt-certificates.sls
+hsh_checkmk_monitor_letsencrypt_certificates_plugin:
+  file.managed:
+    - name: /usr/lib/check_mk_agent/local/monitor-letsencrypt-certificates
+    - source: salt://checkmk/custom-files/local/monitor-letsencrypt-certificates
+    - mode: 755
+    - user: root
+    - group: root