-rw-r--r-- | .gitignore | 2 | ||||
-rw-r--r-- | Makefile | 8 | ||||
-rwxr-xr-x | crypt-expiry-check.in | 61 | ||||
-rw-r--r-- | crypt-expiry-check.service.in | 6 | ||||
-rw-r--r-- | crypt-expiry-check.timer.in | 11 |
5 files changed, 83 insertions, 5 deletions
@@ -3,3 +3,5 @@ crypt-expiry-check.cron
 man.commons
 *.common
 *.1
+crypt-expiry-check.service
+crypt-expiry-check.timer
@@ -24,10 +24,11 @@ ETCDIR = /etc
 CRONDIR = /etc/cron.daily
 BINDIR = /usr/bin
 MANDIR = /usr/share/man
+SYSTEMDDIR = /usr/lib/systemd/system
-VERSION = 4.0.12
+VERSION = 4.3.3
-all: man.commons crypt-expiry-check crypt-expiry-check.cron crypt-expiry-check.1
+all: man.commons crypt-expiry-check crypt-expiry-check.cron crypt-expiry-check.1 crypt-expiry-check.service crypt-expiry-check.timer
 %: %.in
 sed "s/#VERSION#/$(VERSION)/; s@#CRONDIR#@$(CRONDIR)@; s@#BINDIR#@$(BINDIR)@; s@#ETCDIR#@$(ETCDIR)@" $< > $@
@@ -43,7 +44,8 @@ all: man.commons crypt-expiry-check crypt-expiry-check.cron crypt-expiry-check.1
 .PHONY: install dist clean
 install: all
- install -D -m0755 crypt-expiry-check.cron $(DESTDIR)$(CRONDIR)/crypt-expiry-check
+ [ -z "$(CRONDIR)" ] || install -D -m0755 crypt-expiry-check.cron $(DESTDIR)$(CRONDIR)/crypt-expiry-check
+ [ -z "$(SYSTEMDDIR)" ] || install -D -m0644 -t $(DESTDIR)$(SYSTEMDDIR) crypt-expiry-check.service crypt-expiry-check.timer
 install -D -m0755 -t $(DESTDIR)$(BINDIR) crypt-expiry-check
 install -D -m0644 -t $(DESTDIR)$(MANDIR)/man1 crypt-expiry-check.1
 install -D -m0644 -t $(DESTDIR)$(ETCDIR) crypt-expiry.checks
diff --git a/crypt-expiry-check.in b/crypt-expiry-check.in
index 3846d7f..5734051 100755
--- a/crypt-expiry-check.in
+++ b/crypt-expiry-check.in
@@ -208,6 +208,7 @@ usage()
 >&2 echo " -i Print the issuer of the certificate"
 >&2 echo " -k password PKCS12 file password"
 >&2 echo " -n Run as a Nagios plugin"
+ >&2 echo " -N directory Check nginx certificates in directory's config files."
 >&2 echo " -q Don't print anything on the console"
 >&2 echo " -s commmon_name:port Server and Port to connect to (interactive mode)"
 >&2 echo " -t type Specify the certificate type"
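Review bot: `SYSTEMDDIR = /usr/lib/systemd/system` hard-codes one distribution's unit directory, and the new guard `[ -z "$(SYSTEMDDIR)" ] || install -D -m0644 -t $(DESTDIR)$(SYSTEMDDIR) ...` only ever fires when a packager passes an empty value on the command line. Asking systemd where units belong, `SYSTEMDDIR := $(shell pkg-config --variable=systemdsystemunitdir systemd 2>/dev/null)`, keeps the default right across distributions and makes the guard do real work on hosts without systemd, while `make SYSTEMDDIR=...` still overrides it. The `%: %.in` rule in the previous hunk substitutes `#BINDIR#` and `#ETCDIR#` only, which is all the two new templates use, so no sed change is needed.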
@@ -330,6 +331,50 @@ check_remote_file_status() {
 }
 #####################################################
+### Check the expiration status of nginx certificates
+### Accepts one parameter:
+### $1 -> directory to nginx configurations
+#####################################################
+
+check_nginx_configuration() {
+ CONFIGDIR=${1}
+ FWARNDAYS=${2:-${WARNDAYS}}
+
+ while read -r line; do
+ {
+ read -r _ HOST _
+ read -r _ FILE
+ } < <(
+ printf '%s\n' "${line}" \
+ | sed '
+ s/[;{}]/\0\n/g
+ ' \
+ | sed -n '
+ /^\(server_name\|ssl_certificate\)\s/p
+ ' \
+ | sort \
+ | sed '
+ s/;$//
+ '
+ )
+ check_file_status "${FILE}" 'NGINX' "${HOST// /, }" "${WARNDAYS}"
+ done < <(
+ find "${CONFIGDIR}" \
+ \( -type f -o -type l \) \
+ -exec sed '
+ s/#.*$//
+ s/^\s*//
+ s/\s*$//
+ ' {} \; \
+ | tr -d '\n' \
+ | sed '
+ s/}server\s*{/\n\0/g
+ ' \
+ | grep -wF 'ssl_certificate'
+ )
+}
+
+#####################################################
 ### Check the expiration status of a certificate file
 ### Accepts three parameters:
 ### $1 -> certificate file to process
@@ -487,7 +532,7 @@ check_gpg_key_status() {
 #################################
 ### Start of main program
 #################################
-while getopts abc:e:f:g:G:hik:nqr:s:t:x:v:VZ option
+while getopts abc:e:f:g:G:hik:nN:qr:s:t:x:v:VZ option
 do
 case "${option}" in
@@ -523,6 +568,9 @@ do
 n)
 NAGIOS=true
 ;;
+ N)
+ NGINXDIRS[${#NGINXDIRS[@]}]=${OPTARG}
+ ;;
 q)
 QUIET=true
 ;;
@@ -629,7 +677,7 @@ else
 exit 1
 fi
-if [ $[${#HOSTS[@]} + ${#SERVERFILES[@]} + ${#CERTFILES[@]} + ${#REMOTECERTFILES[@]} + ${#CHECKADDRESSES[@]}] -eq 0 ]
+if [ $[${#HOSTS[@]} + ${#SERVERFILES[@]} + ${#CERTFILES[@]} + ${#REMOTECERTFILES[@]} + ${#CHECKADDRESSES[@]} + ${#NGINXDIRS[@]}] -eq 0 ]
 then
 >&2 echo "ERROR: Nothing to check."
 usage
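Review bot: `check_file_status` is called with `"${WARNDAYS}"` although the function computes `FWARNDAYS=${2:-${WARNDAYS}}` right after its header, so the threshold given on an `NGINX` line of the checks file is silently ignored; the call should read `check_file_status "${FILE}" 'NGINX' "${HOST// /, }" "${FWARNDAYS}"`. The header comment says "Accepts one parameter" while the function takes an optional second one, so the comment should add `$2 -> warning days (defaults to WARNDAYS)`. The two `read` lines assume every server block yields exactly one `server_name` line sorted before exactly one `ssl_certificate` line; a block without `server_name`, or one carrying several `ssl_certificate` directives (dual RSA/ECDSA setups), leaves HOST or FILE holding the wrong field, so a guard such as `[ -n "${FILE}" ] || continue` after the reads seems worth adding. Whether relative `ssl_certificate` paths, which nginx resolves against its prefix rather than the config directory, are handled is not visible here.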
@@ -643,6 +691,12 @@ do
 check_server_status "${HOSTS[${i}]}" "${PORTS[${i}]}"
 done
+for (( i=0; i<${#NGINXDIRS[@]}; i++ ))
+do
+ check_nginx_configuration "${NGINXDIRS[@]}"
+# check_file_status "${HOST}" "FILE" "${HOST}" "${FWARNDAYS}"
+done
+
 for (( i=0; i<${#SERVERFILES[@]}; i++ ))
 do
 while read FWARNDAYS PORT HOST
@@ -653,6 +707,9 @@ do
 elif [ "${PORT}" = "REMOTEFILE" ]
 then
 check_remote_file_status "${HOST}" "REMOTEFILE" "${HOST}" "${FWARNDAYS}"
+ elif [ "${PORT}" = "NGINX" ]
+ then
+ check_nginx_configuration "${HOST}" "${FWARNDAYS}"
 elif [ "${PORT}" = "GPG" ]
 then
 check_gpg_key_status "${GPG}" "${HOST}" "${FWARNDAYS}"
diff --git a/crypt-expiry-check.service.in b/crypt-expiry-check.service.in
new file mode 100644
index 0000000..18e320d
--- /dev/null
+++ b/crypt-expiry-check.service.in
@@ -0,0 +1,6 @@
+[Unit]
+Description=check expiry of surveilled keys/certificates
+
+[Service]
+Environment=MAILTO=me@example.com
+ExecStart=#BINDIR#/crypt-expiry-check -qa -e $MAILTO -f #ETCDIR#/crypt-expiry.checks
diff --git a/crypt-expiry-check.timer.in b/crypt-expiry-check.timer.in
new file mode 100644
index 0000000..e153ba5
--- /dev/null
+++ b/crypt-expiry-check.timer.in
@@ -0,0 +1,11 @@
+[Unit]
+Description=check expiry of surveilled keys/certificates twice a day
+
+[Timer]
+AccuracySec=1us
+OnBootSec=15min
+OnUnitActiveSec=12h
+RandomizedDelaySec=1h
+
+[Install]
+WantedBy=timers.target
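Review bot: Inside the new `for (( i=0; i<${#NGINXDIRS[@]}; i++ ))` loop, `check_nginx_configuration "${NGINXDIRS[@]}"` expands the whole array on every iteration, so the first directory is scanned once per `-N` given, the second one is passed as the warn-days argument `$2`, and any further directories are never checked at all; it should be `check_nginx_configuration "${NGINXDIRS[${i}]}"`. The commented-out `# check_file_status "${HOST}" "FILE" "${HOST}" "${FWARNDAYS}"` line is dead code and should be dropped rather than shipped.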
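Review bot: `Environment=MAILTO=me@example.com` bakes a placeholder recipient into a unit that is installed system-wide, so on a stock install the expiry reports are mailed to an example.com address until the administrator notices; either ship the unit without a default and document the override, or add a comment above the line such as `# set the real recipient with a drop-in: systemctl edit crypt-expiry-check.service`. The unit also lacks `Type=oneshot`, which is the usual choice for a timer-driven run and makes the unit's state reflect the check's exit status instead of the default `simple` semantics.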
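Review bot: `AccuracySec=1us` in the timer disables systemd's coalescing of wake-ups for a job that already tolerates a `RandomizedDelaySec=1h` spread, so the default accuracy would do and the line can go; if it stays, a comment stating why microsecond precision matters for a twice-daily check would help the next reader.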