-rw-r--r--.gitignore2
-rw-r--r--Makefile8
-rwxr-xr-xcrypt-expiry-check.in61
-rw-r--r--crypt-expiry-check.service.in6
-rw-r--r--crypt-expiry-check.timer.in11
5 files changed, 83 insertions, 5 deletions
diff --git a/.gitignore b/.gitignore
index 9ab43ca..d8cdcc8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,5 @@ crypt-expiry-check.cron
man.commons
*.common
*.1
+crypt-expiry-check.service
+crypt-expiry-check.timer
diff --git a/Makefile b/Makefile
index f56bac7..11248f8 100644
--- a/Makefile
+++ b/Makefile
@@ -24,10 +24,11 @@ ETCDIR = /etc
CRONDIR = /etc/cron.daily
BINDIR = /usr/bin
MANDIR = /usr/share/man
+SYSTEMDDIR = /usr/lib/systemd/system
-VERSION = 4.0.12
+VERSION = 4.3.3
-all: man.commons crypt-expiry-check crypt-expiry-check.cron crypt-expiry-check.1
+all: man.commons crypt-expiry-check crypt-expiry-check.cron crypt-expiry-check.1 crypt-expiry-check.service crypt-expiry-check.timer
%: %.in
sed "s/#VERSION#/$(VERSION)/; s@#CRONDIR#@$(CRONDIR)@; s@#BINDIR#@$(BINDIR)@; s@#ETCDIR#@$(ETCDIR)@" $< > $@
@@ -43,7 +44,8 @@ all: man.commons crypt-expiry-check crypt-expiry-check.cron crypt-expiry-check.1
.PHONY: install dist clean
install: all
- install -D -m0755 crypt-expiry-check.cron $(DESTDIR)$(CRONDIR)/crypt-expiry-check
+ [ -z "$(CRONDIR)" ] || install -D -m0755 crypt-expiry-check.cron $(DESTDIR)$(CRONDIR)/crypt-expiry-check
+ [ -z "$(SYSTEMDDIR)" ] || install -D -m0644 -t $(DESTDIR)$(SYSTEMDDIR) crypt-expiry-check.service crypt-expiry-check.timer
install -D -m0755 -t $(DESTDIR)$(BINDIR) crypt-expiry-check
install -D -m0644 -t $(DESTDIR)$(MANDIR)/man1 crypt-expiry-check.1
install -D -m0644 -t $(DESTDIR)$(ETCDIR) crypt-expiry.checks
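Review bot: The new `[ -z "$(CRONDIR)" ] ||` and `[ -z "$(SYSTEMDDIR)" ] ||` guards on the two install lines let a packager skip the cron or systemd integration by passing an empty variable, but nothing records that convention; a comment above `SYSTEMDDIR = /usr/lib/systemd/system` in the previous hunk such as `# Pass CRONDIR= or SYSTEMDDIR= on the make command line to skip installing that integration` would make the knobs discoverable. `crypt-expiry-check.service` and `crypt-expiry-check.timer` are now products of `all` and are git-ignored, so the `clean` recipe, which lies outside this hunk, should remove them too if it lists build outputs by name. The units are produced by the generic `%: %.in` rule, whose `sed` only substitutes `#VERSION#`, `#CRONDIR#`, `#BINDIR#` and `#ETCDIR#`; that covers the placeholders the new unit files use, so any future placeholder (e.g. a mail address) would need adding to that command as well.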
diff --git a/crypt-expiry-check.in b/crypt-expiry-check.in
index 3846d7f..5734051 100755
--- a/crypt-expiry-check.in
+++ b/crypt-expiry-check.in
@@ -208,6 +208,7 @@ usage()
>&2 echo " -i Print the issuer of the certificate"
>&2 echo " -k password PKCS12 file password"
>&2 echo " -n Run as a Nagios plugin"
+ >&2 echo " -N directory Check nginx certificates in directory's config files."
>&2 echo " -q Don't print anything on the console"
>&2 echo " -s commmon_name:port Server and Port to connect to (interactive mode)"
>&2 echo " -t type Specify the certificate type"
@@ -330,6 +331,50 @@ check_remote_file_status() {
}
#####################################################
+### Check the expiration status of nginx certificates
+### Accepts one parameter:
+### $1 -> directory to nginx configurations
+#####################################################
+
+check_nginx_configuration() {
+ CONFIGDIR=${1}
+ FWARNDAYS=${2:-${WARNDAYS}}
+
+ while read -r line; do
+ {
+ read -r _ HOST _
+ read -r _ FILE
+ } < <(
+ printf '%s\n' "${line}" \
+ | sed '
+ s/[;{}]/\0\n/g
+ ' \
+ | sed -n '
+ /^\(server_name\|ssl_certificate\)\s/p
+ ' \
+ | sort \
+ | sed '
+ s/;$//
+ '
+ )
+ check_file_status "${FILE}" 'NGINX' "${HOST// /, }" "${WARNDAYS}"
+ done < <(
+ find "${CONFIGDIR}" \
+ \( -type f -o -type l \) \
+ -exec sed '
+ s/#.*$//
+ s/^\s*//
+ s/\s*$//
+ ' {} \; \
+ | tr -d '\n' \
+ | sed '
+ s/}server\s*{/\n\0/g
+ ' \
+ | grep -wF 'ssl_certificate'
+ )
+}
+
+#####################################################
### Check the expiration status of a certificate file
### Accepts three parameters:
### $1 -> certificate file to process
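Review bot: `FWARNDAYS=${2:-${WARNDAYS}}` at the top of `check_nginx_configuration` is never used: the `check_file_status` call passes `"${WARNDAYS}"`, so the per-entry warning threshold supplied as `$2` from the checks file is silently ignored; it should read `check_file_status "${FILE}" 'NGINX' "${HOST// /, }" "${FWARNDAYS}"`. `read -r _ HOST _` keeps only the first name of a `server_name` directive, which makes the `${HOST// /, }` substitution a no-op; if all names are meant to be reported, `read -r _ HOST` is what that substitution expects. `CONFIGDIR`, `FWARNDAYS`, `HOST` and `FILE` are assigned without `local` and therefore clobber the caller's variables of the same name (the `while read FWARNDAYS PORT HOST` loop in the last hunk is one such caller), which is harmless only because that loop re-reads them every iteration. Note also that nginx accepts quoted and prefix-relative paths in `ssl_certificate` and a server block may carry several `ssl_certificate` directives (e.g. one RSA, one ECDSA); with `read -r _ FILE` only the first one after `sort` is checked and surrounding quotes would be handed to `check_file_status` unchanged, so a comment stating those assumptions, or a follow-up handling them, seems warranted.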
@@ -487,7 +532,7 @@ check_gpg_key_status() {
#################################
### Start of main program
#################################
-while getopts abc:e:f:g:G:hik:nqr:s:t:x:v:VZ option
+while getopts abc:e:f:g:G:hik:nN:qr:s:t:x:v:VZ option
do
case "${option}"
in
@@ -523,6 +568,9 @@ do
n)
NAGIOS=true
;;
+ N)
+ NGINXDIRS[${#NGINXDIRS[@]}]=${OPTARG}
+ ;;
q)
QUIET=true
;;
@@ -629,7 +677,7 @@ else
exit 1
fi
-if [ $[${#HOSTS[@]} + ${#SERVERFILES[@]} + ${#CERTFILES[@]} + ${#REMOTECERTFILES[@]} + ${#CHECKADDRESSES[@]}] -eq 0 ]
+if [ $[${#HOSTS[@]} + ${#SERVERFILES[@]} + ${#CERTFILES[@]} + ${#REMOTECERTFILES[@]} + ${#CHECKADDRESSES[@]} + ${#NGINXDIRS[@]}] -eq 0 ]
then
>&2 echo "ERROR: Nothing to check."
usage
@@ -643,6 +691,12 @@ do
check_server_status "${HOSTS[${i}]}" "${PORTS[${i}]}"
done
+for (( i=0; i<${#NGINXDIRS[@]}; i++ ))
+do
+ check_nginx_configuration "${NGINXDIRS[@]}"
+# check_file_status "${HOST}" "FILE" "${HOST}" "${FWARNDAYS}"
+done
+
for (( i=0; i<${#SERVERFILES[@]}; i++ ))
do
while read FWARNDAYS PORT HOST
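Review bot: The new loop body calls `check_nginx_configuration "${NGINXDIRS[@]}"`, passing every configured directory on each iteration instead of the i-th one: with two `-N` directories the first is scanned twice and the second becomes `$2`, i.e. is taken as the warning-days value, and is never scanned. Matching the `HOSTS` loop just above it, the call should be `check_nginx_configuration "${NGINXDIRS[${i}]}"`. The commented-out `check_file_status` line below it is dead code and should be deleted rather than shipped.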
@@ -653,6 +707,9 @@ do
elif [ "${PORT}" = "REMOTEFILE" ]
then
check_remote_file_status "${HOST}" "REMOTEFILE" "${HOST}" "${FWARNDAYS}"
+ elif [ "${PORT}" = "NGINX" ]
+ then
+ check_nginx_configuration "${HOST}" "${FWARNDAYS}"
elif [ "${PORT}" = "GPG" ]
then
check_gpg_key_status "${GPG}" "${HOST}" "${FWARNDAYS}"
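Review bot: The new `NGINX` keyword for the checks file is undocumented in this diff; the `usage()` hunk only describes the `-N` command-line option. If the man page or `usage()` enumerates the values accepted in the type column (`REMOTEFILE`, `GPG`, …), `NGINX directory` should be added there with a sentence saying that the directory is scanned recursively for nginx configuration files containing `ssl_certificate` and that the per-line warning days apply to every certificate found. The `while read FWARNDAYS PORT HOST` loop enclosing this branch starts outside the hunk.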
diff --git a/crypt-expiry-check.service.in b/crypt-expiry-check.service.in
new file mode 100644
index 0000000..18e320d
--- /dev/null
+++ b/crypt-expiry-check.service.in
@@ -0,0 +1,6 @@
+[Unit]
+Description=check expiry of surveilled keys/certificates
+
+[Service]
+Environment=MAILTO=me@example.com
+ExecStart=#BINDIR#/crypt-expiry-check -qa -e $MAILTO -f #ETCDIR#/crypt-expiry.checks
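Review bot: `Environment=MAILTO=me@example.com` ships a placeholder recipient in the packaged unit, so every installation mails expiry warnings to an example.com address until the administrator notices and overrides it. Reading the recipient from an optional environment file instead — `EnvironmentFile=-#ETCDIR#/crypt-expiry-check.conf` (the Makefile's `%: %.in` rule already substitutes `#ETCDIR#`), with a comment noting that a `systemctl edit` drop-in works as well — keeps the default out of the unit and lets the script fail on a missing `-e` argument rather than mail the wrong domain. The script runs to completion and exits, so `Type=oneshot` under `[Service]` is the conventional type for a timer-driven job and keeps the unit active until the check finishes.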
diff --git a/crypt-expiry-check.timer.in b/crypt-expiry-check.timer.in
new file mode 100644
index 0000000..e153ba5
--- /dev/null
+++ b/crypt-expiry-check.timer.in
@@ -0,0 +1,11 @@
+[Unit]
+Description=check expiry of surveilled keys/certificates twice a day
+
+[Timer]
+AccuracySec=1us
+OnBootSec=15min
+OnUnitActiveSec=12h
+RandomizedDelaySec=1h
+
+[Install]
+WantedBy=timers.target
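Review bot: `AccuracySec=1us` and `RandomizedDelaySec=1h` pull in opposite directions: the first disables systemd's timer coalescing so the unit fires with microsecond precision, while the second then adds up to an hour of jitter anyway. For a twice-daily expiry check the default accuracy is more than enough, so the `AccuracySec=` line can be dropped; if it is kept, a comment should say why. With `OnBootSec=`/`OnUnitActiveSec=` the schedule is monotonic, so the check never runs at a fixed wall-clock time and a run missed during downtime is not caught up; if that is intended it is worth a comment, otherwise `OnCalendar=*-*-* 00,12:00:00` together with `Persistent=true` gives the "twice a day" behaviour the `Description=` promises.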