# HG changeset patch
# User pesch
# Date 1466768679 -7200
# Node ID b0dce1770a15eb0ee5aa157e46b9c3e630bf2dbd
# Parent 0f95ea2ef8832c5fab31ed4af7cc62e54b287a8f
add cert expiry
diff -r 0f95ea2ef883 -r b0dce1770a15 bin/check_tlsa-record
--- a/bin/check_tlsa-record Fri Jun 24 11:55:05 2016 +0200
+++ b/bin/check_tlsa-record Fri Jun 24 13:44:39 2016 +0200
@@ -126,9 +126,8 @@
 $protocol = 'tcp';
 }
- my $return =
- Nagios::Check::DNS::check_tlsa_record::main(($domain, $port, $protocol));
- say $return;
+ say main(($domain, $port, $protocol,$expiry));
+ exit 0;
 }
@@ -142,9 +141,7 @@
 if ("$+{port}" =~ /^\s*$/) { $port = '443'; } else { $port = $+{port}; }
- my $return =
- Nagios::Check::DNS::check_tlsa_record::main(($domain, $port));
- say $return;
+ say main(($domain, $port, $protocol,$expiry));
 } else { die "$domainlist has wrong or malformed content\n";
@@ -153,4 +150,20 @@
 }
 }
+sub main {
+ my $domain = shift;
+ my $port = shift // 443;
+ my $protocoll = shift // 'tcp';
+ my $expiry = shift;
+
+ if ($expiry) {
+ return Nagios::Check::DNS::check_tlsa_record::main(
+ $domain, $port, $protocoll, $expiry);
+ }
+
+ return Nagios::Check::DNS::check_tlsa_record::main(
+ $domain, $port, $protocoll);
+
+}
+
 # vim: ft=perl ts=2 sw=2
diff -r 0f95ea2ef883 -r b0dce1770a15 lib/Nagios/Check/DNS/check_tlsa_record.pm
--- a/lib/Nagios/Check/DNS/check_tlsa_record.pm Fri Jun 24 11:55:05 2016 +0200
+++ b/lib/Nagios/Check/DNS/check_tlsa_record.pm Fri Jun 24 13:44:39 2016 +0200
@@ -16,7 +16,6 @@
 my $dane_pattern = qr'(?i)^(?(?\d+)\s+(?\d+) \s+(?\d+)\s+(?[0-9a-f ]+))$'xs;
-#qr'(?i)^(?(?\d+)\s+(?\d+)\s+(?\d+)\s+(?[0-9a-f ]+))$'; # Alternativly my $tmpfile = File::Temp->new(); # unlink($tmpfile);
@@ -35,9 +34,13 @@
 my $domain = shift;
 my $port = shift // 443;
 my $protocol = shift // 'tcp';
- my @validate = validate_tlsa($domain, $port, $protocol);
+ my $expiry = shift;
+
+ my @validate = validate_tlsa($domain, $port, $protocol, $expiry);
+ return join("\n", @validate);
+ }
 sub get_tlsa_from_dns {
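Review bot: The added `exit 0;` after `say main(...)` ends the script with a success status no matter what the check returned; the library hands back message strings such as `WARNING: No SSL-Certificate available for $domain:$port` (hunk at -222), so unless an exit code is set somewhere outside this diff, a WARNING result is reported to the monitoring host as OK. Derive the status from the output instead, e.g. `my $out = main($domain, $port, $protocol, $expiry); say $out; exit($out =~ /\AWARNING/ ? 1 : 0);`, extended with whatever other prefixes the library emits. The domain-list branch in the next hunk prints the result with no exit handling at all and has the same problem. The enclosing if/else and the declaration of `$expiry` lie outside this hunk.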
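Review bot: The two branches of the new `sub main` are equivalent, because `Nagios::Check::DNS::check_tlsa_record::main` reads its fourth argument with `my $expiry = shift;` (hunk at -35 in the library) and an undef flag behaves exactly like an omitted one; collapse them to the single call `return Nagios::Check::DNS::check_tlsa_record::main($domain, $port, $protocol, $expiry);`. The local `$protocoll` is misspelled. Naming the script-side wrapper `main` as well as the library function invites confusion; something like `run_check` would keep the two distinguishable in stack traces and grep output. A one-line comment stating that the wrapper only supplies the 443/tcp defaults before delegating would also help the next reader.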
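Review bot: `$expiry` is a new, undocumented positional argument of `main`; a caller cannot tell from the signature that it is a boolean flag rather than a date or a threshold. A comment such as `# $expiry: when true, append the certificate's notBefore/notAfter lines from check_expiry() to the output` above `my $expiry = shift;` would make that clear. `main` begins before this hunk.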
@@ -105,9 +108,10 @@
 }
 sub check_expiry {
- my $cert = shift;
- my $check_expiry = "openssl x509 -in $cert -noout -startdate -enddate";
+ my $check_expiry = "openssl x509 -in $fdname -noout -startdate -enddate";
 my $expiry = qx($check_expiry);
+ $expiry =~ tr/\n/ /d;
+ chomp $expiry;
 return $expiry;
 }
@@ -203,6 +207,7 @@
 my $domain = shift;
 my $port = shift;
 my $protocol = shift;
+ my $expiry = shift;
 my @dns_return = get_tlsa_from_dns($domain, $port, $protocol);
 my $fail_selector = 0;
 my $fail_usage = 0;
@@ -222,6 +227,7 @@
 return "WARNING: No SSL-Certificate available for $domain:$port";
 }
+ foreach my $item (@dns_return) {
 my %domain = (
@@ -234,7 +240,7 @@
 my $tlsa_usage = $domain{'tlsa_usage'};
 my $tlsa_selector = $domain{'tlsa_selector'};
 my $tlsa_match_type = $domain{'tlsa_match_type'};
- my $dns_tlsa_hash = $domain{'tlsa_dns'};
+ my $dns_tlsa_hash = $domain{'tlsa_dns'};
 my $cert_tlsa_hash;
 if ($tlsa_selector < 0 or $tlsa_selector > 1) {
@@ -279,6 +285,12 @@
 }
+ if ($expiry) {
+ my $ex = check_expiry();
+ #push @return, "Cert $domain:$port valid: $ex";
+ push @return, $ex;
+ }
+ return @return;
 }
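Review bot: `chomp $expiry;` is dead code after `$expiry =~ tr/\n/ /d;` — by then every newline has already become a space, so the function returns a string with a trailing blank; the `/d` flag also has no effect because the replacement list is not shorter than the search list. Swapping the two statements (`chomp $expiry; $expiry =~ tr/\n/ /;`) fixes both. `$fdname` replaces the former `$cert` parameter but its declaration is not in the diff, so it is presumably a file-scope lexical holding the path of the fetched certificate; interpolating it into a `qx` command string hands it to the shell and discards openssl's exit status, so an unreadable file yields an empty string that is pushed to the output unnoticed (hunk at -279). Running openssl through a list-form `open '-|'` keeps the shell out of the path and lets `close` report failure, as below.
```perl
sub check_expiry {
    # List-form pipe open: no shell parses $fdname, and close() exposes openssl's status.
    open my $ssl, '-|', 'openssl', 'x509', '-in', $fdname,
        '-noout', '-startdate', '-enddate'
        or return "Cert expiry unavailable: cannot run openssl ($!)";
    my @lines = <$ssl>;
    close $ssl or return "Cert expiry unavailable: openssl x509 failed on $fdname";
    chomp @lines;
    return join ' ', @lines;
}
```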
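Review bot: The expiry branch appends openssl's `notBefore=`/`notAfter=` text to `@return` but never compares `notAfter` with the current time, so as far as this diff shows an expired or soon-expiring certificate still produces no WARNING or CRITICAL line from `validate_tlsa`. If the flag is meant to alert, parse the date (core `Time::Piece->strptime` can do it) and push a status line when it falls inside a threshold; if it is only informational, say so in a comment next to `if ($expiry) {`. The commented-out `#push @return, "Cert $domain:$port valid: $ex";` should be removed or reinstated — as written the raw openssl output is appended with nothing tying it to `$domain:$port`. `validate_tlsa` begins before this hunk.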