check_ssl_cert.changes
check_ssl_cert.spec
check_ssl_cert-1.14.4.tar.bz2/ChangeLog
@@ -1,3 +1,15 @@
+2012-12-07 Matteo Corti <matteo.corti@id.ethz.ch>
+
+ * fixed #122 (-N was always comparing the CN with 'localhost')
+
+2012-11-16 Matteo Corti <matteo.corti@id.ethz.ch>
+
+ * simplified the sourcing of the script file for testing
+
+2012-10-11 Matteo Corti <matteo.corti@id.ethz.ch>
+
+ * added some unit tests with shUnit2
+
2012-09-19 Matteo Corti <matteo.corti@id.ethz.ch>
* check_ssl_cert: improved the "No certificate returned" error message
check_ssl_cert-1.14.4.tar.bz2/INSTALL
@@ -1,8 +1,13 @@
Simply copy the plugin to your nagios plugin directory
+Optional installs:
+
In order to use timeouts the plugin needs 'expect' in the current PATH
See: http://en.wikipedia.org/wiki/Expect
+In order to perform date computations the plugin needs a Perl
+interpreter and the module Date::Parse
+
# File version information:
# $Id: AUTHORS 1103 2009-12-07 07:49:19Z corti $
# $Revision: 1103 $
check_ssl_cert-1.14.4.tar.bz2/Makefile
@@ -28,7 +28,10 @@
clean:
rm -f *~
-.PHONY: install clean
+test:
+ ( cd test && ./unit_tests.sh )
+
+.PHONY: install clean test
# File version information:
# $Id: AUTHORS 1103 2009-12-07 07:49:19Z corti $
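Review bot: The subshell parentheses in the new `test` recipe, `( cd test && ./unit_tests.sh )`, are redundant because Make already runs each recipe line in its own shell; `cd test && ./unit_tests.sh` does the same with one fewer fork. The target is correctly listed in `.PHONY`, but it carries no documentation, so a one-line header such as `test:  ## run the shUnit2 unit tests in test/` would let a `help` rule pick it up. The rendered page does not show whether the recipe line starts with a hard tab, so that cannot be confirmed here.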
check_ssl_cert-1.14.4.tar.bz2/NEWS
@@ -1,3 +1,5 @@
+2012-12-07 Version 1.14.4 Fixed a bug causing -N to always compare the CN
+ with 'localhost'
2012-09-19 Version 1.14.3 Improved the error message in case of a failure in
the certificate download
2012-07-13 Version 1.14.2 Added the name since or to expiration in the plugin
check_ssl_cert-1.14.4.tar.bz2/README
@@ -60,6 +60,14 @@
See: http://en.wikipedia.org/wiki/Expect
+Perl and Date::Parse:
+=====================
+
+If perl and Date::Parse are available the plugin will also compute for
+how many days the certificate will be valid and put the information in
+the performance data. If perl or Date::Parse are not available the
+information will not be available.
+
Virtual servers:
================
check_ssl_cert-1.14.4.tar.bz2/VERSION
@@ -1 +1 @@
-1.14.3
+1.14.4
check_ssl_cert-1.14.4.tar.bz2/check_ssl_cert
@@ -19,15 +19,15 @@
# enable substitution with:
# $ svn propset svn:keywords "Id Revision HeadURL Source Date"
#
-# $Id: check_ssl_cert 1316 2012-09-19 13:55:19Z corti $
-# $Revision: 1316 $
+# $Id: check_ssl_cert 1321 2012-12-07 07:24:19Z corti $
+# $Revision: 1321 $
# $HeadURL: https://svn.id.ethz.ch/nagios_plugins/check_ssl_cert/check_ssl_cert $
-# $Date: 2012-09-19 15:55:19 +0200 (Wed, 19 Sep 2012) $
+# $Date: 2012-12-07 08:24:19 +0100 (Fri, 07 Dec 2012) $
################################################################################
# Constants
-VERSION=1.14.3
+VERSION=1.14.4
SHORTNAME="SSL_CERT"
VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -232,616 +232,617 @@
}
-################################################################################
-# Main
-################################################################################
+main() {
+
+ ################################################################################
+ # Main
+ ################################################################################
-# default values
-PORT=443
-TIMEOUT=15
-VERBOSE=""
-OPENSSL=""
-
-# set the default temp dir if not set
-if [ -z "${TMPDIR}" ] ; then
- TMPDIR="/tmp"
-fi
+ # default values
+ PORT=443
+ TIMEOUT=15
+ VERBOSE=""
+ OPENSSL=""
-################################################################################
-# process command line options
-#
-# we do no use getopts since it is unable to process long options
+ # set the default temp dir if not set
+ if [ -z "${TMPDIR}" ] ; then
+ TMPDIR="/tmp"
+ fi
+
+ ################################################################################
+ # process command line options
+ #
+ # we do no use getopts since it is unable to process long options
-while true; do
+ while true; do
- case "$1" in
+ case "$1" in
- ########################################
- # options without arguments
+ ########################################
+ # options without arguments
- -A|--noauth) NOAUTH=1; shift ;;
+ -A|--noauth) NOAUTH=1; shift ;;
- --altnames) ALTNAMES=1; shift ;;
+ --altnames) ALTNAMES=1; shift ;;
- -h|--help|-\?) usage; exit 0 ;;
+ -h|--help|-\?) usage; exit 0 ;;
- -N|--host-cn) COMMON_NAME="__HOST__"; shift ;;
+ -N|--host-cn) COMMON_NAME="__HOST__"; shift ;;
- -s|--selfsigned) SELFSIGNED=1; shift ;;
+ -s|--selfsigned) SELFSIGNED=1; shift ;;
- -v|--verbose) VERBOSE=1; shift ;;
+ -v|--verbose) VERBOSE=1; shift ;;
- -V|--version) echo "check_ssl_cert version ${VERSION}"; exit 3; ;;
+ -V|--version) echo "check_ssl_cert version ${VERSION}"; exit 3; ;;
- ########################################
- # options with arguments
+ ########################################
+ # options with arguments
- -c|--critical) if [ $# -gt 1 ]; then
- CRITICAL=$2; shift 2
- else
- unknown "-c,--critical requires an argument"
- fi ;;
-
- # deprecated option: used to be as --warning
- -d|--days) if [ $# -gt 1 ]; then
- WARNING=$2; shift 2
- else
- unknown "-d,--days requires an argument"
- fi ;;
+ -c|--critical) if [ $# -gt 1 ]; then
+ CRITICAL=$2; shift 2
+ else
+ unknown "-c,--critical requires an argument"
+ fi ;;
+
+ # deprecated option: used to be as --warning
+ -d|--days) if [ $# -gt 1 ]; then
+ WARNING=$2; shift 2
+ else
+ unknown "-d,--days requires an argument"
+ fi ;;
- -e|--email) if [ $# -gt 1 ]; then
- ADDR=$2; shift 2
+ -e|--email) if [ $# -gt 1 ]; then
+ ADDR=$2; shift 2
else
unknown "-e,--email requires an argument"
fi ;;
- -f|--file) if [ $# -gt 1 ]; then
- FILE=$2; shift 2
+ -f|--file) if [ $# -gt 1 ]; then
+ FILE=$2; shift 2
else
- unknown "-f,--file requires an argument"
+ unknown "-f,--file requires an argument"
fi ;;
- -H|--host) if [ $# -gt 1 ]; then
- HOST=$2; shift 2
+ -H|--host) if [ $# -gt 1 ]; then
+ HOST=$2; shift 2
else
- unknown "-H,--host requires an argument"
+ unknown "-H,--host requires an argument"
fi ;;
- -i|--issuer) if [ $# -gt 1 ]; then
- ISSUER=$2; shift 2
+ -i|--issuer) if [ $# -gt 1 ]; then
+ ISSUER=$2; shift 2
else
- unknown "-i,--issuer requires an argument"
+ unknown "-i,--issuer requires an argument"
fi ;;
- --long-output) if [ $# -gt 1 ]; then
- LONG_OUTPUT_ATTR=$2; shift 2
+ --long-output) if [ $# -gt 1 ]; then
+ LONG_OUTPUT_ATTR=$2; shift 2
else
- unknown "--long-output requires an argument"
+ unknown "--long-output requires an argument"
fi ;;
- -n|--cn) if [ $# -gt 1 ]; then
- COMMON_NAME=$2; shift 2
+ -n|--cn) if [ $# -gt 1 ]; then
+ COMMON_NAME=$2; shift 2
else
- unknown "-n,--cn requires an argument"
+ unknown "-n,--cn requires an argument"
fi ;;
-
- -o|--org) if [ $# -gt 1 ]; then
- ORGANIZATION=$2; shift 2
+ -o|--org) if [ $# -gt 1 ]; then
+ ORGANIZATION=$2; shift 2
else
- unknown "-o,--org requires an argument"
+ unknown "-o,--org requires an argument"
fi ;;
- --openssl) if [ $# -gt 1 ]; then
- OPENSSL=$2; shift 2
+ --openssl) if [ $# -gt 1 ]; then
+ OPENSSL=$2; shift 2
else
- unknown "--openssl requires an argument"
+ unknown "--openssl requires an argument"
fi ;;
- -p|--port) if [ $# -gt 1 ]; then
- PORT=$2; shift 2
+ -p|--port) if [ $# -gt 1 ]; then
+ PORT=$2; shift 2
else
- unknown "-p,--port requires an argument"
+ unknown "-p,--port requires an argument"
fi ;;
- -P|--protocol) if [ $# -gt 1 ]; then
- PROTOCOL=$2; shift 2
+ -P|--protocol) if [ $# -gt 1 ]; then
+ PROTOCOL=$2; shift 2
else
- unknown "-P,--protocol requires an argument"
+ unknown "-P,--protocol requires an argument"
fi ;;
- -r|--rootcert) if [ $# -gt 1 ]; then
- ROOT_CA=$2; shift 2
+ -r|--rootcert) if [ $# -gt 1 ]; then
+ ROOT_CA=$2; shift 2
else
- unknown "-r,--rootcert requires an argument"
+ unknown "-r,--rootcert requires an argument"
fi ;;
- -C|--clientcert) if [ $# -gt 1 ]; then
- CLIENT_CERT=$2; shift 2
+ -C|--clientcert) if [ $# -gt 1 ]; then
+ CLIENT_CERT=$2; shift 2
else
- unknown "-c,--clientcert requires an argument"
+ unknown "-c,--clientcert requires an argument"
fi ;;
- --clientpass) if [ $# -gt 1 ]; then
- CLIENT_PASS=$2; shift 2
+ --clientpass) if [ $# -gt 1 ]; then
+ CLIENT_PASS=$2; shift 2
else
- unknown "--clientpass requires an argument"
+ unknown "--clientpass requires an argument"
fi ;;
- -t|--timeout) if [ $# -gt 1 ]; then
- TIMEOUT=$2; shift 2
+ -t|--timeout) if [ $# -gt 1 ]; then
+ TIMEOUT=$2; shift 2
else
unknown "-t,--timeout requires an argument"
fi ;;
- --temp) if [ $# -gt 1 ] ; then
- # override TMPDIR
- TMPDIR=$2; shift 2
+ --temp) if [ $# -gt 1 ] ; then
+ # override TMPDIR
+ TMPDIR=$2; shift 2
else
- unknown "--temp requires an argument"
+ unknown "--temp requires an argument"
fi ;;
- -w|--warning) if [ $# -gt 1 ]; then
- WARNING=$2; shift 2
+ -w|--warning) if [ $# -gt 1 ]; then
+ WARNING=$2; shift 2
else
- unknown "-w,--warning requires an argument"
+ unknown "-w,--warning requires an argument"
fi ;;
- ########################################
- # special
+ ########################################
+ # special
- --) shift; break;;
- -*) unknown "invalid option: $1" ;;
- *) break;;
+ --) shift; break;;
+ -*) unknown "invalid option: $1" ;;
+ *) break;;
- esac
-
-done
-
-################################################################################
-# Set COMMON_NAME to hostname if -N was given as argument
-if [ "$COMMON_NAME" = "__HOST__" ] ; then
- COMMON_NAME=$(hostname)
-fi
+ esac
-################################################################################
-# sanity checks
+ done
-###############
-# Check options
-if [ -z "${HOST}" ] ; then
- usage "No host specified"
-fi
+ ################################################################################
+ # Set COMMON_NAME to hostname if -N was given as argument
+ if [ "$COMMON_NAME" = "__HOST__" ] ; then
+ COMMON_NAME=${HOST}
+ fi
-if [ -n "${ALTNAMES}" -a -z "${COMMON_NAME}" ] ; then
- unknown "--altnames requires a common name to match (--cn or --host-cn)"
-fi
+ ################################################################################
+ # sanity checks
-if [ -n "${ROOT_CA}" ] ; then
- if [ ! -r ${ROOT_CA} ] ; then
- unknown "Cannot read root certificate ${ROOT_CA}"
- fi
- if [ -d ${ROOT_CA} ] ; then
- ROOT_CA="-CApath ${ROOT_CA}"
- elif [ -f ${ROOT_CA} ] ; then
- ROOT_CA="-CAfile ${ROOT_CA}"
- else
- unknown "Root certificate of unknown type $(file ${ROOT_CA} 2> /dev/null)"
+ ###############
+ # Check options
+ if [ -z "${HOST}" ] ; then
+ usage "No host specified"
fi
-fi
-if [ -n "${CLIENT_CERT}" ] ; then
- if [ ! -r ${CLIENT_CERT} ] ; then
- unknown "Cannot read client certificate ${CLIENT_CERT}"
+ if [ -n "${ALTNAMES}" -a -z "${COMMON_NAME}" ] ; then
+ unknown "--altnames requires a common name to match (--cn or --host-cn)"
fi
-fi
-if [ -n "${CRITICAL}" ] ; then
- if ! echo "${CRITICAL}" | grep -q '[0-9][0-9]*' ; then
- unknown "invalid number of days ${CRITICAL}"
+ if [ -n "${ROOT_CA}" ] ; then
+ if [ ! -r ${ROOT_CA} ] ; then
+ unknown "Cannot read root certificate ${ROOT_CA}"
+ fi
+ if [ -d ${ROOT_CA} ] ; then
+ ROOT_CA="-CApath ${ROOT_CA}"
+ elif [ -f ${ROOT_CA} ] ; then
+ ROOT_CA="-CAfile ${ROOT_CA}"
+ else
+ unknown "Root certificate of unknown type $(file ${ROOT_CA} 2> /dev/null)"
+ fi
fi
-fi
-
-if [ -n "${WARNING}" ] ; then
- if ! echo ${WARNING} | grep -q '[0-9][0-9]*' ; then
- unknown "invalid number of days ${WARNING}"
+
+ if [ -n "${CLIENT_CERT}" ] ; then
+ if [ ! -r ${CLIENT_CERT} ] ; then
+ unknown "Cannot read client certificate ${CLIENT_CERT}"
+ fi
fi
-fi
-
-if [ -n "${CRITICAL}" -a -n "${WARNING}" ] ; then
- if [ ${WARNING} -le ${CRITICAL} ] ; then
- unknown "--warning (${WARNING}) is less than or equal to --critical (${CRITICAL})"
+
+ if [ -n "${CRITICAL}" ] ; then
+ if ! echo "${CRITICAL}" | grep -q '[0-9][0-9]*' ; then
+ unknown "invalid number of days ${CRITICAL}"
+ fi
fi
-fi
-
-if [ -n "${TMPDIR}" ] ; then
- if [ ! -d ${TMPDIR} ] ; then
- unknown "${TMPDIR} is not a directory";
+
+ if [ -n "${WARNING}" ] ; then
+ if ! echo ${WARNING} | grep -q '[0-9][0-9]*' ; then
+ unknown "invalid number of days ${WARNING}"
+ fi
fi
- if [ ! -w ${TMPDIR} ] ; then
- unknown "${TMPDIR} is not writable";
+
+ if [ -n "${CRITICAL}" -a -n "${WARNING}" ] ; then
+ if [ ${WARNING} -le ${CRITICAL} ] ; then
+ unknown "--warning (${WARNING}) is less than or equal to --critical (${CRITICAL})"
+ fi
fi
-fi
-
-if [ -n "${OPENSSL}" ] ; then
- if [ ! -x ${OPENSSL} ] ; then
- unknown "${OPENSSL} ist not an executable"
+
+ if [ -n "${TMPDIR}" ] ; then
+ if [ ! -d ${TMPDIR} ] ; then
+ unknown "${TMPDIR} is not a directory";
+ fi
+ if [ ! -w ${TMPDIR} ] ; then
+ unknown "${TMPDIR} is not writable";
+ fi
fi
- if [ $(basename ${OPENSSL}) != 'openssl' ] ; then
- unknown "${OPENSSL} ist not an openssl executable"
+
+ if [ -n "${OPENSSL}" ] ; then
+ if [ ! -x ${OPENSSL} ] ; then
+ unknown "${OPENSSL} ist not an executable"
+ fi
+ if [ $(basename ${OPENSSL}) != 'openssl' ] ; then
+ unknown "${OPENSSL} ist not an openssl executable"
+ fi
fi
-fi
+ #######################
+ # Check needed programs
-#######################
-# Check needed programs
-
-# OpenSSL
-if [ -z "${OPENSSL}" ] ; then
- check_required_prog openssl
- OPENSSL=$PROG
-fi
-
-# check if openssl s_client supports the -servername option
-SERVERNAME=
-if ${OPENSSL} s_client not_a_real_option 2>&1 | grep -q -- -servername ; then
- SERVERNAME="-servername ${HOST}"
-fi
-
-# Expect (optional)
-EXPECT=$(which expect 2> /dev/null)
-test -x "${EXPECT}" || EXPECT=""
-if [ -z "${EXPECT}" -a -n "${VERBOSE}" ] ; then
- echo "Expect not found: disabling timeouts"
-fi
-
-# Perl with Date::Parse (optional)
-PERL=$(which perl 2> /dev/null)
-test -x "${PERL}" || PERL=""
-if [ -z "${PERL}" -a -n "${VERBOSE}" ] ; then
- echo "Perl not found: disabling date computations"
-fi
-if ! ${PERL} -e "use Date::Parse;" > /dev/null 2>&1 ; then
- if [ -n "${VERBOSE}" ] ; then
- echo "Perl module Date::Parse not installed: disabling date computations"
+ # OpenSSL
+ if [ -z "${OPENSSL}" ] ; then
+ check_required_prog openssl
+ OPENSSL=$PROG
fi
- PERL=
-fi
-################################################################################
-# check if openssl s_client supports the -servername option
-#
-# openssl s_client does not have a -help option
-# => we supply an invalid command line option to get the help
-# on standard error
-#
-SERVERNAME=
-if ${OPENSSL} s_client not_a_real_option 2>&1 | grep -q -- -servername ; then
- SERVERNAME="-servername ${HOST}"
-else
- if [ -n "${VERBOSE}" ] ; then
- echo "'${OPENSSL} s_client' does not support '-servername': disabling virtual server support"
+ # Expect (optional)
+ EXPECT=$(which expect 2> /dev/null)
+ test -x "${EXPECT}" || EXPECT=""
+ if [ -z "${EXPECT}" -a -n "${VERBOSE}" ] ; then
+ echo "Expect not found: disabling timeouts"
fi
-fi
-
-################################################################################
-# fetch the X.509 certificate
-
-# temporary storage for the certificate and the errors
-CERT=$( mktemp -t "$( basename $0 )XXXXXX" 2> /dev/null )
-if [ -z "${CERT}" ] || [ ! -w "${CERT}" ] ; then
- unknown 'temporary file creation failure.'
-fi
-
-ERROR=$( mktemp -t "$( basename $0 )XXXXXX" 2> /dev/null )
-if [ -z "${ERROR}" ] || [ ! -w "${ERROR}" ] ; then
- unknown 'temporary file creation failure.'
-fi
-
-if [ -n "${VERBOSE}" ] ; then
- echo "downloading certificate to ${TMPDIR}"
-fi
-
-CLIENT=""
-if [ -n "${CLIENT_CERT}" ] ; then
- CLIENT="-cert ${CLIENT_CERT}"
-fi
-
-CLIENTPASS=""
-if [ -n "${CLIENT_PASS}" ] ; then
- CLIENTPASS="-pass pass:${CLIENT_PASS}"
-fi
-
-# cleanup before program termination
-# using named signals to be POSIX compliant
-trap "rm -f $CERT $ERROR" EXIT HUP INT QUIT TERM
-
-fetch_certificate
-
-if grep -q 'sslv3\ alert\ unexpected\ message' ${ERROR} ; then
-
- if [ -n "${SERVERNAME}" ] ; then
-
- # some OpenSSL versions have problems with the -servername option
- # we try without
+ # Perl with Date::Parse (optional)
+ PERL=$(which perl 2> /dev/null)
+ test -x "${PERL}" || PERL=""
+ if [ -z "${PERL}" -a -n "${VERBOSE}" ] ; then
+ echo "Perl not found: disabling date computations"
+ fi
+ if ! ${PERL} -e "use Date::Parse;" > /dev/null 2>&1 ; then
if [ -n "${VERBOSE}" ] ; then
- echo "'${OPENSSL} s_client' returned an error: trying without '-servername'"
+ echo "Perl module Date::Parse not installed: disabling date computations"
fi
-
- SERVERNAME=
- fetch_certificate
-
- fi
-
- if grep -q 'sslv3\ alert\ unexpected\ message' ${ERROR} ; then
-
- critical "cannot fetch certificate: OpenSSL got an unexpected message"
-
+ PERL=
fi
-
-fi
-
-if ! grep -q "CERTIFICATE" ${CERT} ; then
- if [ -n "${FILE}" ] ; then
- critical "'${FILE}' is not a valid certificate file"
- else
-
- # See
- # http://stackoverflow.com/questions/1251999/sed-how-can-i-replace-a-newline-n
- #
- # - create a branch label via :a
- # - the N command appends a newline and and the next line of the input
- # file to the pattern space
- # - if we are before the last line, branch to the created label $!ba
- # ($! means not to do it on the last line (as there should be one final newline))
- # - finally the substitution replaces every newline with a space on
- # the pattern space
- ERROR_MESSAGE=$(sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/; /g' ${ERROR})
+ ################################################################################
+ # check if openssl s_client supports the -servername option
+ #
+ # openssl s_client does not have a -help option
+ # => we supply an invalid command line option to get the help
+ # on standard error
+ #
+ SERVERNAME=
+ if ${OPENSSL} s_client not_a_real_option 2>&1 | grep -q -- -servername ; then
+ SERVERNAME="-servername ${HOST}"
+ else
if [ -n "${VERBOSE}" ] ; then
- echo "Error: ${ERROR_MESSAGE}"
+ echo "'${OPENSSL} s_client' does not support '-servername': disabling virtual server support"
fi
- critical "No certificate returned (${ERROR_MESSAGE})"
fi
-fi
-
-################################################################################
-# parse the X.509 certificate
-
-DATE=$($OPENSSL x509 -in ${CERT} -enddate -noout | sed -e "s/^notAfter=//")
-CN=$($OPENSSL x509 -in ${CERT} -subject -noout | sed -e "s/^.*\/CN=//" -e "s/\/[A-Za-z][A-Za-z]*=.*$//")
-
-CA_O=$($OPENSSL x509 -in ${CERT} -issuer -noout | sed -e "s/^.*\/O=//" -e "s/\/[A-Z][A-Z]*=.*$//")
-CA_CN=$($OPENSSL x509 -in ${CERT} -issuer -noout | sed -e "s/^.*\/CN=//" -e "s/\/[A-Za-z][A-Za-z]*=.*$//")
-
-
-################################################################################
-# Generate the long output
-if [ -n "${LONG_OUTPUT_ATTR}" ] ; then
-
- check_attr() {
- ATTR=$1
- if ! echo "${VALID_ATTRIBUTES}" | grep -q ",${ATTR}," ; then
- unknown "Invalid certificate attribute: ${ATTR}"
- else
- value=$(${OPENSSL} x509 -in ${CERT} -noout -${ATTR} | sed -e "s/.*=//")
- LONG_OUTPUT="${LONG_OUTPUT}\n${ATTR}: ${value}"
- fi
-
- }
-
- # split on comma
- if [ "${LONG_OUTPUT_ATTR}" = "all" ] ; then
- LONG_OUTPUT_ATTR=${VALID_ATTRIBUTES}
- fi
- attributes=$( echo ${LONG_OUTPUT_ATTR} | tr ',' "\n" )
- for attribute in $attributes ; do
- check_attr ${attribute}
- done
-
-fi
-
-################################################################################
-# compute for how many days the certificate will be valid
-
-if [ -n "${PERL}" ] ; then
-
- CERT_END_DATE=$($OPENSSL x509 -in ${CERT} -noout -enddate | sed -e "s/.*=//")
-
- DAYS_VALID=$( perl - "${CERT_END_DATE}" <<-"EOF"
- use strict;
- use warnings;
-
- use Date::Parse;
-
- my $cert_date = str2time( $ARGV[0] );
-
- my $days = int (( $cert_date - time ) / 86400 + 0.5);
-
- print "$days\n";
+ ################################################################################
+ # fetch the X.509 certificate
+
+ # temporary storage for the certificate and the errors
+
+ CERT=$( mktemp -t "$( basename $0 )XXXXXX" 2> /dev/null )
+ if [ -z "${CERT}" ] || [ ! -w "${CERT}" ] ; then
+ unknown 'temporary file creation failure.'
+ fi
+
+ ERROR=$( mktemp -t "$( basename $0 )XXXXXX" 2> /dev/null )
+ if [ -z "${ERROR}" ] || [ ! -w "${ERROR}" ] ; then
+ unknown 'temporary file creation failure.'
+ fi
-EOF
-)
-
if [ -n "${VERBOSE}" ] ; then
- if [ ${DAYS_VALID} -ge 0 ] ; then
- echo "The certificate will expire in ${DAYS_VALID} day(s)"
- else
- echo "The certificate expired "$((- DAYS_VALID))" day(s) ago"
+ echo "downloading certificate to ${TMPDIR}"
+ fi
+
+ CLIENT=""
+ if [ -n "${CLIENT_CERT}" ] ; then
+ CLIENT="-cert ${CLIENT_CERT}"
+ fi
+
+ CLIENTPASS=""
+ if [ -n "${CLIENT_PASS}" ] ; then
+ CLIENTPASS="-pass pass:${CLIENT_PASS}"
+ fi
+
+ # cleanup before program termination
+ # using named signals to be POSIX compliant
+ trap "rm -f $CERT $ERROR" EXIT HUP INT QUIT TERM
+
+ fetch_certificate
+
+ if grep -q 'sslv3\ alert\ unexpected\ message' ${ERROR} ; then
+
+ if [ -n "${SERVERNAME}" ] ; then
+
+ # some OpenSSL versions have problems with the -servername option
+ # we try without
+ if [ -n "${VERBOSE}" ] ; then
+ echo "'${OPENSSL} s_client' returned an error: trying without '-servername'"
+ fi
+
+ SERVERNAME=
+ fetch_certificate
+
+ fi
+
+ if grep -q 'sslv3\ alert\ unexpected\ message' ${ERROR} ; then
+
+ critical "cannot fetch certificate: OpenSSL got an unexpected message"
+
fi
+
+ fi
+
+ if ! grep -q "CERTIFICATE" ${CERT} ; then
+ if [ -n "${FILE}" ] ; then
+ critical "'${FILE}' is not a valid certificate file"
+ else
+
+ # See
+ # http://stackoverflow.com/questions/1251999/sed-how-can-i-replace-a-newline-n
+ #
+ # - create a branch label via :a
+ # - the N command appends a newline and and the next line of the input
+ # file to the pattern space
+ # - if we are before the last line, branch to the created label $!ba
+ # ($! means not to do it on the last line (as there should be one final newline))
+ # - finally the substitution replaces every newline with a space on
+ # the pattern space
+ ERROR_MESSAGE=$(sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/; /g' ${ERROR})
+ if [ -n "${VERBOSE}" ] ; then
+ echo "Error: ${ERROR_MESSAGE}"
+ fi
+ critical "No certificate returned (${ERROR_MESSAGE})"
+ fi
fi
- PERFORMANCE_DATA="|days=$DAYS_VALID;${WARNING};${CRITICAL};;"
-
-fi
-
-
-
-################################################################################
-# check the CN (this will not work as expected with wildcard certificates)
-
-if [ -n "$COMMON_NAME" ] ; then
-
- ok=''
-
- case $COMMON_NAME in
- $CN) ok='true' ;;
- esac
-
- # check alterante names
- if [ -n "${ALTNAMES}" ] ; then
- for alt_name in $( $OPENSSL x509 -in ${CERT} -text | \
- grep --after-context=1 '509v3 Subject Alternative Name:' | \
- tail -n 1 | sed -e "s/DNS://g" | sed -e "s/,//g" ) ; do
- case $COMMON_NAME in
- $alt_name) ok='true' ;;
- esac
+ ################################################################################
+ # parse the X.509 certificate
+
+ DATE=$($OPENSSL x509 -in ${CERT} -enddate -noout | sed -e "s/^notAfter=//")
+ CN=$($OPENSSL x509 -in ${CERT} -subject -noout | sed -e "s/^.*\/CN=//" -e "s/\/[A-Za-z][A-Za-z]*=.*$//")
+
+ CA_O=$($OPENSSL x509 -in ${CERT} -issuer -noout | sed -e "s/^.*\/O=//" -e "s/\/[A-Z][A-Z]*=.*$//")
+ CA_CN=$($OPENSSL x509 -in ${CERT} -issuer -noout | sed -e "s/^.*\/CN=//" -e "s/\/[A-Za-z][A-Za-z]*=.*$//")
+
+
+ ################################################################################
+ # Generate the long output
+ if [ -n "${LONG_OUTPUT_ATTR}" ] ; then
+
+ check_attr() {
+ ATTR=$1
+ if ! echo "${VALID_ATTRIBUTES}" | grep -q ",${ATTR}," ; then
+ unknown "Invalid certificate attribute: ${ATTR}"
+ else
+ value=$(${OPENSSL} x509 -in ${CERT} -noout -${ATTR} | sed -e "s/.*=//")
+ LONG_OUTPUT="${LONG_OUTPUT}\n${ATTR}: ${value}"
+ fi
+
+ }
+
+ # split on comma
+ if [ "${LONG_OUTPUT_ATTR}" = "all" ] ; then
+ LONG_OUTPUT_ATTR=${VALID_ATTRIBUTES}
+ fi
+ attributes=$( echo ${LONG_OUTPUT_ATTR} | tr ',' "\n" )
+ for attribute in $attributes ; do
+ check_attr ${attribute}
done
- fi
-
- if [ -z "$ok" ] ; then
- critical "invalid CN ('$CN' does not match '$COMMON_NAME')"
+
fi
-fi
-
-################################################################################
-# check the issuer
-
-if [ -n "$ISSUER" ] ; then
-
- ok=''
- CA_ISSUER_MATCHED=''
+ ################################################################################
+ # compute for how many days the certificate will be valid
+
+ if [ -n "${PERL}" ] ; then
+
+ CERT_END_DATE=$($OPENSSL x509 -in ${CERT} -noout -enddate | sed -e "s/.*=//")
+
+ DAYS_VALID=$( perl - "${CERT_END_DATE}" <<-"EOF"
+
+use strict;
+use warnings;
+
+use Date::Parse;
+
+my $cert_date = str2time( $ARGV[0] );
+
+my $days = int (( $cert_date - time ) / 86400 + 0.5);
+
+print "$days\n";
+
+EOF
- if echo $CA_CN | grep -q "^$ISSUER$" ; then
- ok='true'
- CA_ISSUER_MATCHED="${CA_CN}"
+ )
+
+ if [ -n "${VERBOSE}" ] ; then
+ if [ ${DAYS_VALID} -ge 0 ] ; then
+ echo "The certificate will expire in ${DAYS_VALID} day(s)"
+ else
+ echo "The certificate expired "$((- DAYS_VALID))" day(s) ago"
+ fi
+
+ fi
+
+ PERFORMANCE_DATA="|days=$DAYS_VALID;${WARNING};${CRITICAL};;"
+
fi
-
- if echo $CA_O | grep -q "^$ISSUER$" ; then
- ok='true'
- CA_ISSUER_MATCHED="${CA_O}"
+
+
+
+ ################################################################################
+ # check the CN (this will not work as expected with wildcard certificates)
+
+ if [ -n "$COMMON_NAME" ] ; then
+
+ ok=''
+
+ case $COMMON_NAME in
+ $CN) ok='true' ;;
+ esac
+
+ # check alterante names
+ if [ -n "${ALTNAMES}" ] ; then
+ for alt_name in $( $OPENSSL x509 -in ${CERT} -text | \
+ grep --after-context=1 '509v3 Subject Alternative Name:' | \
+ tail -n 1 | sed -e "s/DNS://g" | sed -e "s/,//g" ) ; do
+ case $COMMON_NAME in
+ $alt_name) ok='true' ;;
+ esac
+ done
+ fi
+
+ if [ -z "$ok" ] ; then
+ critical "invalid CN ('$CN' does not match '$COMMON_NAME')"
+ fi
+
fi
-
- if [ -z "$ok" ] ; then
- critical "invalid CA ('$ISSUER' does not match '$CA_O' or '$CA_CN')"
+
+ ################################################################################
+ # check the issuer
+
+ if [ -n "$ISSUER" ] ; then
+
+ ok=''
+ CA_ISSUER_MATCHED=''
+
+ if echo $CA_CN | grep -q "^$ISSUER$" ; then
+ ok='true'
+ CA_ISSUER_MATCHED="${CA_CN}"
+ fi
+
+ if echo $CA_O | grep -q "^$ISSUER$" ; then
+ ok='true'
+ CA_ISSUER_MATCHED="${CA_O}"
+ fi
+
+ if [ -z "$ok" ] ; then
+ critical "invalid CA ('$ISSUER' does not match '$CA_O' or '$CA_CN')"
+ fi
+
+ else
+
+ CA_ISSUER_MATCHED="${CA_CN}"
+
fi
-else
-
- CA_ISSUER_MATCHED="${CA_CN}"
-
-fi
-
-################################################################################
-# check the validity
-
-# we always check expired certificates
-if ! $OPENSSL x509 -in ${CERT} -noout -checkend 0 ; then
- critical "certificate is expired (was valid until $DATE)"
-fi
-
-if [ -n "${CRITICAL}" ] ; then
-
- if ! $OPENSSL x509 -in ${CERT} -noout -checkend $(( ${CRITICAL} * 86400 )) ; then
- critical "certificate will expire on $DATE"
+ ################################################################################
+ # check the validity
+
+ # we always check expired certificates
+ if ! $OPENSSL x509 -in ${CERT} -noout -checkend 0 ; then
+ critical "certificate is expired (was valid until $DATE)"
fi
-
-fi
-
-if [ -n "${WARNING}" ] ; then
-
- if ! $OPENSSL x509 -in ${CERT} -noout -checkend $(( ${WARNING} * 86400 )) ; then
- warning "certificate will expire on $DATE"
+
+ if [ -n "${CRITICAL}" ] ; then
+
+ if ! $OPENSSL x509 -in ${CERT} -noout -checkend $(( ${CRITICAL} * 86400 )) ; then
+ critical "certificate will expire on $DATE"
+ fi
+
fi
-
-fi
-
-################################################################################
-# check the organization
-
-if [ -n "$ORGANIZATION" ] ; then
-
- ORG=$($OPENSSL x509 -in ${CERT} -subject -noout | sed -e "s/.*\/O=//" -e "s/\/.*//")
-
- if ! echo $ORG | grep -q "^$ORGANIZATION" ; then
- critical "invalid organization ('$ORGANIZATION' does not match '$ORG')"
+
+ if [ -n "${WARNING}" ] ; then
+
+ if ! $OPENSSL x509 -in ${CERT} -noout -checkend $(( ${WARNING} * 86400 )) ; then
+ warning "certificate will expire on $DATE"
+ fi
+
fi
-
-fi
-
-################################################################################
-# check the organization
-
-if [ -n "$ADDR" ] ; then
-
- EMAIL=$($OPENSSL x509 -in ${CERT} -email -noout)
-
- if [ -n "${VERBOSE}" ] ; then
- echo "checking email (${ADDR}): ${EMAIL}"
+
+ ################################################################################
+ # check the organization
+
+ if [ -n "$ORGANIZATION" ] ; then
+
+ ORG=$($OPENSSL x509 -in ${CERT} -subject -noout | sed -e "s/.*\/O=//" -e "s/\/.*//")
+
+ if ! echo $ORG | grep -q "^$ORGANIZATION" ; then
+ critical "invalid organization ('$ORGANIZATION' does not match '$ORG')"
+ fi
+
fi
-
- if [ -z "${EMAIL}" ] ; then
- critical "the certficate does not contain an email address"
+
+ ################################################################################
+ # check the organization
+
+ if [ -n "$ADDR" ] ; then
+
+ EMAIL=$($OPENSSL x509 -in ${CERT} -email -noout)
+
+ if [ -n "${VERBOSE}" ] ; then
+ echo "checking email (${ADDR}): ${EMAIL}"
+ fi
+
+ if [ -z "${EMAIL}" ] ; then
+ critical "the certficate does not contain an email address"
+ fi
+
+ if ! echo $EMAIL | grep -q "^$ADDR" ; then
+ critical "invalid email ($ADDR does not match $EMAIL)"
+ fi
+
fi
-
- if ! echo $EMAIL | grep -q "^$ADDR" ; then
- critical "invalid email ($ADDR does not match $EMAIL)"
+
+ ################################################################################
+ # Check if the certificate was verified
+
+ if [ -z "${NOAUTH}" ] && grep -q '^verify\ error:' ${ERROR} ; then
+
+ if grep -q '^verify\ error:num=[0-9][0-9]*:self\ signed\ certificate' ${ERROR} ; then
+
+ if [ -z "${SELFSIGNED}" ] ; then
+ critical "Cannot verify certificate\nself signed certificate"
+ else
+ SELFSIGNEDCERT="self signed "
+ fi
+
+ else
+
+ # process errors
+ details=$(grep '^verify\ error:' ${ERROR} | sed -e "s/verify\ error:num=[0-9]*:/verification error: /" )
+
+ critical "Cannot verify certificate\n${details}"
+
+ fi
+
fi
-
-fi
-
-################################################################################
-# Check if the certificate was verified
-
-if [ -z "${NOAUTH}" ] && grep -q '^verify\ error:' ${ERROR} ; then
-
- if grep -q '^verify\ error:num=[0-9][0-9]*:self\ signed\ certificate' ${ERROR} ; then
-
- if [ -z "${SELFSIGNED}" ] ; then
- critical "Cannot verify certificate\nself signed certificate"
+
+ ################################################################################
+ # If we get this far, assume all is well. :)
+
+ # if --altnames was specified we show the specified CN instead of
+ # the certificate CN
+ if [ -n "${ALTNAMES}" -a -n "${COMMON_NAME}" ] ; then
+ CN=${COMMON_NAME}
+ fi
+
+ if [ -n "${DAYS_VALID}" ] ; then
+ # nicer formatting
+ if [ ${DAYS_VALID} -gt 1 ] ; then
+ DAYS_VALID=" (expires in ${DAYS_VALID} days)"
+ elif [ ${DAYS_VALID} -eq 1 ] ; then
+ DAYS_VALID=" (expires tomorrow)"
+ elif [ ${DAYS_VALID} -eq 0 ] ; then
+ DAYS_VALID=" (expires today)"
+ elif [ ${DAYS_VALID} -eq -1 ] ; then
+ DAYS_VALID=" (expired yesterday)"
else
- SELFSIGNEDCERT="self signed "
+ DAYS_VALID=" (expired ${DAYS_VALID} days ago)"
fi
-
- else
-
- # process errors
- details=$(grep '^verify\ error:' ${ERROR} | sed -e "s/verify\ error:num=[0-9]*:/verification error: /" )
-
- critical "Cannot verify certificate\n${details}"
-
fi
+ echo "${SHORTNAME} OK - X.509 ${SELFSIGNEDCERT}certificate for '${CN}' from '${CA_ISSUER_MATCHED}' valid until ${DATE}${DAYS_VALID}${PERFORMANCE_DATA}${LONG_OUTPUT}"
+
+ exit 0
+
+}
+
+if [ "${1}" != "--source-only" ]; then
+ main "${@}"
fi
-
-################################################################################
-# If we get this far, assume all is well. :)
-
-# if --altnames was specified we show the specified CN instead of
-# the certificate CN
-if [ -n "${ALTNAMES}" -a -n "${COMMON_NAME}" ] ; then
- CN=${COMMON_NAME}
-fi
-
-if [ -n "${DAYS_VALID}" ] ; then
- # nicer formatting
- if [ ${DAYS_VALID} -gt 1 ] ; then
- DAYS_VALID=" (expires in ${DAYS_VALID} days)"
- elif [ ${DAYS_VALID} -eq 1 ] ; then
- DAYS_VALID=" (expires tomorrow)"
- elif [ ${DAYS_VALID} -eq 0 ] ; then
- DAYS_VALID=" (expires today)"
- elif [ ${DAYS_VALID} -eq -1 ] ; then
- DAYS_VALID=" (expired yesterday)"
- else
- DAYS_VALID=" (expired ${DAYS_VALID} days ago)"
- fi
-fi
-
-echo "${SHORTNAME} OK - X.509 ${SELFSIGNEDCERT}certificate for '${CN}' from '${CA_ISSUER_MATCHED}' valid until ${DATE}${DAYS_VALID}${PERFORMANCE_DATA}${LONG_OUTPUT}"
-
-exit 0
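Review bot: The new guard at the end of the file, `if [ "${1}" != "--source-only" ]; then main "${@}"; fi`, means a direct invocation whose first argument is `--source-only` produces no output and exits 0, which a monitoring scheduler would record as OK without any certificate having been checked; at minimum the guard deserves a comment such as `# --source-only: define the functions without running main (used by the unit tests)`, and it would be safer to reject the option in the `case "$1"` parser when the script is executed rather than sourced. Because `main` ends in `exit 0` and `unknown`/`critical` also exit, a test harness that sources the file and then calls `main` directly will terminate its own shell — presumably the unit tests account for this, but a note next to `main()` would make that contract explicit. The Perl here-document introduced by `DAYS_VALID=$( perl - "${CERT_END_DATE}" <<-"EOF"` now has its body and the `EOF` terminator at column 0, so the tab-stripping `<<-` no longer appears to do any work; keeping it is harmless, but a short comment would prevent a later re-indent with spaces from silently breaking the terminator. The helper functions `main` relies on (`usage`, `unknown`, `critical`, `fetch_certificate`, `check_required_prog`) are defined before this hunk and are outside it.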
check_ssl_cert-1.14.4.tar.bz2/check_ssl_cert.1
@@ -1,7 +1,7 @@
.\" Process this file with
.\" groff -man -Tascii foo.1
.\"
-.TH "check_ssl_cert" 1 "July, 2012" "1.14.3" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "July, 2012" "1.14.4" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
check_ssl_cert-1.14.4.tar.bz2/check_ssl_cert.spec
@@ -6,7 +6,7 @@
# $Date: 2010-02-16 21:06:11 +0100 (Tue, 16 Feb 2010) $
################################################################################
-%define version 1.14.3
+%define version 1.14.4
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
@@ -53,6 +53,9 @@
%{_mandir}/man1/%{sourcename}.1*
%changelog
+* Fri Dec 7 2012 Matteo Corti <matteo.corti@id.ethz.ch> - 1.14.4-0
+- Updated to 1.14.4 (bug fix release)
+
* Wed Sep 19 2012 Matteo Corti <matteo.corti@id.ethz.ch> - 1.14.3-0
- Updated to 1.14.3