diff --git a/files/nrpe/check_ssl_cert b/files/nrpe/check_ssl_cert
new file mode 100644
index 0000000..57dd450
--- /dev/null
+++ b/files/nrpe/check_ssl_cert
@@ -0,0 +1,73 @@
+#!/bin/bash
+
+# Default thresholds (in days)
+WARN_DAYS=30
+CRIT_DAYS=15
+
+# Nagios Exit Codes
+STATE_OK=0
+STATE_WARNING=1
+STATE_CRITICAL=2
+STATE_UNKNOWN=3
+
+usage() {
+ echo "Usage: $0 -p [-w ] [-c ]"
+ exit $STATE_UNKNOWN
+}
+
+# Parse arguments
+while getopts "p:w:c:" opt; do
+ case $opt in
+ p) IFS=',' read -ra PATHS <<< "$OPTARG" ;;
+ w) WARN_DAYS=$OPTARG ;;
+ c) CRIT_DAYS=$OPTARG ;;
+ *) usage ;;
+ esac
+done
+
+if [[ -z "${PATHS[*]}" ]]; then usage; fi
+
+# Variables to track overall status
+final_status=$STATE_OK
+output_msg=""
+
+for search_path in "${PATHS[@]}"; do
+ if [[ ! -d "$search_path" ]]; then
+ output_msg+="Path $search_path not found; "
+ final_status=$STATE_UNKNOWN
+ continue
+ fi
+
+ # Find common cert extensions
+ certs=$(find "$search_path" -type f \( -name "*.crt" -o -name "*.pem" \))
+
+ for cert in $certs; do
+ # Extract expiration date using openssl
+ expiry_date=$(openssl x509 -enddate -noout -in "$cert" 2>/dev/null | cut -d= -f2)
+
+ if [[ -z "$expiry_date" ]]; then continue; fi
+
+ # Convert dates to seconds for comparison
+ expiry_epoch=$(date -d "$expiry_date" +%s)
+ now_epoch=$(date +%s)
+ expiry_diff=$(( (expiry_epoch - now_epoch) / 86400 ))
+
+ # Logic for Nagios status
+ if [[ $expiry_diff -le $CRIT_DAYS ]]; then
+ output_msg+="$(basename "$cert") EXPIRES IN $expiry_diff DAYS; "
+ final_status=$STATE_CRITICAL
+ elif [[ $expiry_diff -le $WARN_DAYS ]]; then
+ output_msg+="$(basename "$cert") expires in $expiry_diff days; "
+ [[ $final_status -lt $STATE_WARNING ]] && final_status=$STATE_WARNING
+ fi
+ done
+done
+
+# Final Output
+if [[ $final_status -eq $STATE_OK ]]; then
+ echo "OK: All certificates are valid for more than $WARN_DAYS days."
+else
+ echo "STATUS: $output_msg"
+fi
+
+exit $final_status
\ No newline at end of file
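Review bot: The check fails open: in the inner loop any file openssl cannot parse is skipped with `continue` and its stderr is discarded, so a directory whose certificates the NRPE user cannot read, or that holds no `.crt`/`.pem` files at all, still ends in `OK: All certificates are valid`. Count the certificates actually inspected, treat an unreadable file as UNKNOWN, and return UNKNOWN when the count is zero. `for cert in $certs` also word-splits the `find` output, so a path containing whitespace is silently dropped the same way; read NUL-delimited names instead. The `-w`/`-c` values go unvalidated into `[[ ... -le ... ]]`, which evaluates its operands as arithmetic expressions, so they should be checked against `^[0-9]+$` in the `getopts` arms, especially if NRPE is configured to accept command arguments. Finally, a missing path seen after a critical certificate overwrites `final_status` with UNKNOWN; only raise to UNKNOWN while the status is still OK.

```shell
    # in the getopts case: reject non-numeric thresholds before they are compared
    w) [[ $OPTARG =~ ^[0-9]+$ ]] || usage; WARN_DAYS=$OPTARG ;;
    c) [[ $OPTARG =~ ^[0-9]+$ ]] || usage; CRIT_DAYS=$OPTARG ;;

# … unchanged: PATHS check, final_status / output_msg initialisation …
checked=0

for search_path in "${PATHS[@]}"; do
  if [[ ! -d "$search_path" ]]; then
    output_msg+="Path $search_path not found; "
    # keep a WARNING/CRITICAL that was already recorded
    [[ $final_status -eq $STATE_OK ]] && final_status=$STATE_UNKNOWN
    continue
  fi

  while IFS= read -r -d '' cert; do
    if [[ ! -r "$cert" ]]; then
      output_msg+="$cert not readable; "
      [[ $final_status -eq $STATE_OK ]] && final_status=$STATE_UNKNOWN
      continue
    fi
    # … unchanged: openssl -enddate extraction and empty-result skip …
    checked=$((checked + 1))
    # … unchanged: epoch conversion and threshold comparison …
  done < <(find "$search_path" -type f \( -name "*.crt" -o -name "*.pem" \) -print0)
done

# nothing inspected is not the same as everything valid
if [[ $checked -eq 0 && $final_status -eq $STATE_OK ]]; then
  output_msg+="no certificates inspected; "
  final_status=$STATE_UNKNOWN
fi
```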