--- a/check_cert.pl Thu Jun 18 08:28:39 2009 +0000
+++ b/check_cert.pl Mon Mar 23 15:54:43 2015 +0000
@@ -1,6 +1,4 @@
#!/usr/bin/perl -w
-# $Id$
-# $URL$
use strict;
use warnings;
@@ -15,9 +13,9 @@
sub print_usage();
my $ME = basename $0;
-my ($opt_w, $opt_c, $opt_V, $opt_h, $opt_b, $opt_s, @opt_certfiles);
-my ($w_time, $c_time, $result, $message, %certs);
-my (@critical, @warning);
+my ( $opt_w, $opt_c, $opt_V, $opt_h, $opt_b, $opt_s, @opt_certfiles );
+my ( $w_time, $c_time, $result, $message, %certs );
+my ( @critical, @warning, @ok );
$opt_w = "1month";
$opt_c = "1week";
@@ -26,16 +24,24 @@
Getopt::Long::Configure('bundling');
GetOptions(
- "V" => \$opt_V, "version" => \$opt_V,
- "h" => \$opt_h, "help" => \$opt_h,
- "b=s" => \$opt_b, "binary" => \$opt_b,
- "w=s" => \$opt_w, "warning=s" => \$opt_w,
- "c=s" => \$opt_c, "critical=s" => \$opt_c,
- "s=s" => \$opt_s, "signature=s" => \$opt_s,
- "f=s" => \@opt_certfiles, "certfile=s" => \@opt_certfiles);
+ "V" => \$opt_V,
+ "version" => \$opt_V,
+ "h" => \$opt_h,
+ "help" => \$opt_h,
+ "b=s" => \$opt_b,
+ "binary" => \$opt_b,
+ "w=s" => \$opt_w,
+ "warning=s" => \$opt_w,
+ "c=s" => \$opt_c,
+ "critical=s" => \$opt_c,
+ "s=s" => \$opt_s,
+ "signature=s" => \$opt_s,
+ "f=s" => \@opt_certfiles,
+ "certfile=s" => \@opt_certfiles
+);
if ($opt_V) {
- print_revision($ME, "0.3");
+ print_revision( $ME, "1.2" );
exit $ERRORS{"OK"};
}
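Review bot: The `"binary" => \$opt_b` entry in the reformatted GetOptions call still has no `=s`, so the long form `--binary /path/to/openssl` turns `$opt_b` into the flag value 1 and leaves the path behind in `@ARGV`; only `-b` actually takes the path. Every other option pairs its short and long spelling with the same type, so this reads as an oversight that the later `-x $opt_b` check then reports as "OpenSSL not found". Change the entry to `"binary=s" => \$opt_b,` so both spellings accept a value.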
@@ -45,100 +51,136 @@
}
# check openssl binary
-unless (-x $opt_b) {
+unless ( -x $opt_b ) {
print "CERT CRITICAL: OpenSSL not found or not executable - $opt_b\n";
exit $ERRORS{"CRITICAL"};
}
-unless(@opt_certfiles) {
+unless (@opt_certfiles) {
print "CERT WARNING: Not defined any certificate files\n";
exit $ERRORS{"WARNING"};
}
-@opt_certfiles = split(/,/, join(',', @opt_certfiles));
+@opt_certfiles = split( /,/, join( ',', @opt_certfiles ) );
# extract certificate data
foreach my $file (@opt_certfiles) {
- unless (-r $file) {
- print "CERT CRITICAL: $file - not exists or not read permission is granted\n";
- exit $ERRORS{"CRITICAL"};
+ unless ( -r $file ) {
+ print
+"CERT CRITICAL: $file - not exists or not read permission is granted\n";
+ exit $ERRORS{"CRITICAL"};
}
- my $no_print = "no_header,no_version,no_serial,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_extensions";
- my @cmd_x509 = ($opt_b, "x509", "-in", $file, "-noout", "-text", "-certopt", $no_print, "-subject", "-enddate");
- my @cmd_pkcs12 = ($opt_b, "pkcs12", "-in", $file, "-clcerts", "-nokeys", "-nomacver", "-passin", "pass:");
- my @cmd_pipe = ($opt_b, "x509", "-noout", "-text", "-certopt", $no_print, "-subject", "-enddate");
- my ($temp, $sig, $cn, $enddate, $rc);
- open(CERT, "-|") or do {
- open(STDERR, ">&STDOUT");
- exec(@cmd_x509);
+ my $no_print =
+"no_header,no_version,no_serial,no_validity,no_subject,no_issuer,no_pubkey,no_sigdump,no_extensions";
+ my @cmd_x509 = (
+ $opt_b, "x509", "-in", $file,
+ "-noout", "-text", "-certopt", $no_print,
+ "-subject", "-enddate", "-purpose"
+ );
+ my @cmd_pkcs12 = (
+ $opt_b, "pkcs12", "-in", $file,
+ "-clcerts", "-nokeys", "-nomacver", "-passin",
+ "pass:"
+ );
+ my @cmd_pipe = (
+ $opt_b, "x509", "-noout", "-text",
+ "-certopt", $no_print, "-subject", "-enddate",
+ "-purpose"
+ );
+ my ( $temp, $sig, $cn, $enddate, $rc, $cert_type );
+ open( CERT, "-|" ) or do {
+ open( STDERR, ">&STDOUT" );
+ exec(@cmd_x509);
};
# check x509 certificates
- while(<CERT>) {
- /unable to load certificate/ and $rc = 1 and last;
- /Signature\sAlgorithm:\s($opt_s)\s+$/ and $sig = $1;
- /^subject=\s.*CN=(.*)\s+$/ and $cn = $1;
- /^notAfter=(.*)\s+$/ and $enddate = $1;
+ while (<CERT>) {
+ /unable to load certificate/ and $rc = 1 and last;
+ /Signature\sAlgorithm:\s($opt_s)\s+$/ and $sig = $1;
+ /^subject=\s.*CN=(.*)\s+$/ and $cn = $1;
+ /^notAfter=(.*)\s+$/ and $enddate = $1;
+ /^(SSL\sclient)\s:\sYes$/ and $cert_type = $1;
+ /^(SSL\sserver)\s:\sYes$/ and $cert_type = $1;
}
close(CERT);
# check pkcs12 certificates
if ($rc) {
- open(PKCS12, "@cmd_pkcs12 |");
+ open( PKCS12, "@cmd_pkcs12 |" );
- while(<PKCS12>) {
- $temp .= $_;
- }
- close(PKCS12);
+ while (<PKCS12>) {
+ $temp .= $_;
+ }
+ close(PKCS12);
+
+ local ( *READ, *WRITE );
+ open2( \*READ, \*WRITE, @cmd_pipe ) or die "Can't fork: $!\n";
+ print WRITE $temp;
+ close(WRITE);
- local (*READ, *WRITE);
- open2(\*READ, \*WRITE, @cmd_pipe) or die "Can't fork: $!\n";
- print WRITE $temp;
- close(WRITE);
+ while (<READ>) {
+ /unable to load certificate/
+ and print "CERT CRITICAL: unable to load certificate\n"
+ and exit $ERRORS{"CRITICAL"};
+ /Signature\sAlgorithm:\s($opt_s)\s+$/ and $sig = $1;
+ /^subject=\s.*CN=(.*)\s+$/ and $cn = $1;
+ /^notAfter=(.*)\s+$/ and $enddate = $1;
+ /^(SSL\sclient)\s:\sYes$/ and $cert_type = $1;
+ /^(SSL\sserver)\s:\sYes$/ and $cert_type = $1;
+ }
+ close(READ);
+ }
- while(<READ>) {
- /unable to load certificate/ and print "CERT CRITICAL: unable to load certificate\n" and exit $ERRORS{"CRITICAL"};
- /Signature\sAlgorithm:\s($opt_s)\s+$/ and $sig = $1;
- /^subject=\s.*CN=(.*)\s+$/ and $cn = $1;
- /^notAfter=(.*)\s+$/ and $enddate = $1;
- }
- close(READ);
- }
# fill the hash
- push ( @{$certs{$file}}, ($cn, $enddate, $sig) );
+ push( @{ $certs{$file} }, ( $cn, $enddate, $sig, $cert_type ) );
}
# calculate the time
-$w_time = DateCalc("today", "+ $opt_w");
-$c_time = DateCalc("today", "+ $opt_c");
+$w_time = DateCalc( "today", "+ $opt_w" );
+$c_time = DateCalc( "today", "+ $opt_c" );
# check expire date
-foreach (sort keys %certs) {
+foreach ( sort keys %certs ) {
my $enddate;
- if (@{$certs{$_}}[1] =~ /(\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)/) { $enddate = $1; }
+ if ( @{ $certs{$_} }[1] =~ /(\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)/ ) {
+ $enddate = $1;
+ }
$enddate = ParseDate($enddate);
unless ($enddate) {
- print "CERT CRITICAL: Can't parse enddate\n";
- exit $ERRORS{"CRITICAL"};
+ print "CERT CRITICAL: Can't parse enddate\n";
+ exit $ERRORS{"CRITICAL"};
}
- &Date_Cmp($enddate, $w_time) > 0 and push (@{$certs{$_}}, "OK"), next;
- &Date_Cmp($enddate, $c_time) > 0 and push (@{$certs{$_}}, "WARNING"), next;
- push (@{$certs{$_}}, "CRITICAL");
+ &Date_Cmp( $enddate, $w_time ) > 0 and push( @{ $certs{$_} }, "OK" ), next;
+ &Date_Cmp( $enddate, $c_time ) > 0
+ and push( @{ $certs{$_} }, "WARNING" ), next;
+ push( @{ $certs{$_} }, "CRITICAL" );
}
# looking for stats
-foreach (sort keys %certs) {
- if (@{$certs{$_}}[2]) {
- if (@{$certs{$_}}[2] eq "$opt_s") {
- push (@warning, "file: $_, CN=@{$certs{$_}}[0] Signature Algorithm: @{$certs{$_}}[2]");
+foreach ( sort keys %certs ) {
+ if ( @{ $certs{$_} }[2] ) {
+ if ( @{ $certs{$_} }[2] eq "$opt_s" ) {
+ push( @warning,
+"file: $_, CN=@{$certs{$_}}[0] Signature Algorithm: @{$certs{$_}}[2]"
+ );
}
}
- if (@{$certs{$_}}[3] eq "WARNING") {
- push (@warning, "file: $_, CN=@{$certs{$_}}[0] expires @{$certs{$_}}[1]");
- } elsif (@{$certs{$_}}[3] eq "CRITICAL") {
- push (@critical, "file: $_, CN=@{$certs{$_}}[0] expires @{$certs{$_}}[1]");
+ if ( @{ $certs{$_} }[4] eq "WARNING" ) {
+ push( @warning,
+"file: $_, CN=@{$certs{$_}}[0] expires @{$certs{$_}}[1] type: @{$certs{$_}}[3]"
+ );
+ }
+ elsif ( @{ $certs{$_} }[4] eq "CRITICAL" ) {
+ push( @critical,
+"file: $_, CN=@{$certs{$_}}[0] expires @{$certs{$_}}[1] type: @{$certs{$_}}[3]"
+ );
+ }
+ else {
+ push( @ok,
+"file: $_, CN=@{$certs{$_}}[0] expires @{$certs{$_}}[1] type: @{$certs{$_}}[3]"
+ );
}
}
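Review bot: The PKCS12 fallback `open( PKCS12, "@cmd_pkcs12 |" )` still joins the command into a single string that goes through the shell, so a certificate path given with `-f` that contains whitespace or shell metacharacters is reinterpreted by the shell, and the open's return value is never checked; the x509 path already uses list-form `exec(@cmd_x509)` and the second pass uses list-form `open2`, leaving this as the only shell invocation. Replace it with `open( PKCS12, '-|', @cmd_pkcs12 ) or die "Can't run $opt_b pkcs12 on $file: $!\n";`. Relatedly, `$opt_s` comes from the command line and is interpolated unescaped into `/Signature\sAlgorithm:\s($opt_s)\s+$/` in both read loops, so a value containing regex metacharacters is either a pattern error or a silently wider match; write it as `\Q$opt_s\E`. The new `-purpose` parsing also keeps only the last of `SSL client : Yes` / `SSL server : Yes` when a certificate is flagged for both, and leaves `$cert_type` undefined when neither matches, which then interpolates as an empty `type:` with an uninitialized-value warning under `-w`; setting `$cert_type = "unknown" unless defined $cert_type;` before the push would at least make the output deterministic.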
@@ -146,39 +188,48 @@
if (@critical) {
print "CERT CRITICAL: @critical\n";
exit $ERRORS{"CRITICAL"};
-} elsif (@warning) {
+}
+elsif (@warning) {
print "CERT WARNING: @warning\n";
exit $ERRORS{"WARNING"};
-} else {
- print "CERT OK: all certificates in limit\n";
+}
+else {
+ print "CERT OK: @ok\n";
exit $ERRORS{"OK"};
}
sub print_usage() {
print "Usage:\n";
- print " $ME [-b <binary>] [-w <time>] [-c <time>] [-s <signature algorithm>] [-f <file,file,file,...>]\n";
+ print
+" $ME [-b <binary>] [-w <time>] [-c <time>] [-s <signature algorithm>] [-f <file,file,file,...>]\n";
print " $ME [-h | --help]\n";
print " $ME [-V | --version]\n";
}
sub print_help() {
- print_revision($ME, "0.1");
- print "Copyright (c) 2008 Christian Arnold\n\n";
+ print_revision( $ME, "1.2" );
+ print "Copyright (c) 2010 Christian Arnold\n\n";
print "This plugin checks the expire date for openssl certificates.\n\n";
print_usage();
print "\n";
print " -b, --binary <binary>\n";
print " Path of openssl binary (default: /usr/bin/openssl)\n";
print " -w, --warning <time>\n";
- print " Certificat should not be more than this time older (default: 1month)\n";
- print " For time can be used year, month, day, hour, minute, second and weeks.\n";
+ print
+" Certificat should not be more than this time older (default: 1month)\n";
+ print
+" For time can be used year, month, day, hour, minute, second and weeks.\n";
print " -c, --critical <time>\n";
- print " Certificat should not be more than this time older (default: 1week)\n";
- print " For time can be used year, month, day, hour, minute, second and weeks.\n";
+ print
+" Certificat should not be more than this time older (default: 1week)\n";
+ print
+" For time can be used year, month, day, hour, minute, second and weeks.\n";
print " -s, --signature <signature algorithm>\n";
- print " Return WARNING status if <signature algorithm> is used (default: md5WithRSAEncryption).\n";
+ print
+" Return WARNING status if <signature algorithm> is used (default: md5WithRSAEncryption).\n";
print " -f, --certfile <file,file,file, ...>\n";
- print " Absolute path of x509 or pkcs12 openssl certificate files, use comma-separated lists for multiple files.\n";
+ print
+" Absolute path of x509 or pkcs12 openssl certificate files, use comma-separated lists for multiple files.\n";
print " -h, --help\n";
print " Print detailed help screen\n";
print " -V, --version\n";
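Review bot: The help text for `-w` and `-c` still says `Certificat should not be more than this time older`, which describes the opposite of the check: the thresholds are computed as today plus the interval, and a certificate whose notAfter falls inside that window is reported WARNING or CRITICAL. Suggested wording for the two description lines: `Return WARNING if the certificate expires within this time (default: 1month)` and `Return CRITICAL if the certificate expires within this time (default: 1week)`, keeping the following line about accepted units. `Certificat` is also a typo for `Certificate` in both places.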
@@ -187,7 +238,6 @@
support();
}
-
exit;
# vim:sts=4 sw=4 aw ai sm: