|
|
@@ -0,0 +1,416 @@
|
|
|
+#! /usr/bin/perl
|
|
|
+# nagios: -epn
|
|
|
+
|
|
|
+# Complete (?) check for valid SSL certificate
|
|
|
+# Originally by Anders Nordby (anders@fupp.net), 2015-02-16
|
|
|
+# Copied with permission on 2019-09-26 (https://github.com/nagios-plugins/nagios-plugins/issues/72)
|
|
|
+# and modified to fit the needs of the nagios-plugins project.
|
|
|
+
|
|
|
+# Copyright: GPLv2
|
|
|
+
|
|
|
+# Checks all of the following:
|
|
|
+# Fetch SSL certificate from URL (on optional given host)
|
|
|
+# Does the certificate contain our hostname?
|
|
|
+# Has the certificate expired?
|
|
|
+# Download (and cache) CRL
|
|
|
+# Has the certificate been revoked?
|
|
|
+
|
|
|
+use Getopt::Std;
|
|
|
+use File::Temp qw(tempfile);
|
|
|
+use File::Basename;
|
|
|
+use Crypt::X509;
|
|
|
+use Date::Parse;
|
|
|
+use Date::Format qw(ctime);
|
|
|
+use POSIX qw(strftime);
|
|
|
+use Digest::MD5 qw(md5_hex);
|
|
|
+use LWP::Simple;
|
|
|
+use Text::Glob qw(match_glob);
|
|
|
+
|
|
|
+use Getopt::Long;
|
|
|
+Getopt::Long::Configure('bundling');
|
|
|
+GetOptions(
|
|
|
+ "h" => \$opt_h, "help" => \$opt_h,
|
|
|
+ "d" => \$opt_d, "debug" => \$opt_d,
|
|
|
+ "o" => \$opt_o, "ocsp" => \$opt_o,
|
|
|
+ "ocsp-host=s" => \$opt_ocsp_host,
|
|
|
+ "C=s" => \$opt_C, "crl-cache-frequency=s" => \$opt_C,
|
|
|
+ "I=s" => \$opt_I, "ip=s" => \$opt_I,
|
|
|
+ "p=i" => \$opt_p, "port=i" => \$opt_p,
|
|
|
+ "H=s" => \$opt_H, "cert-hostname=s" => \$opt_H,
|
|
|
+ "w=i" => \$opt_w, "warning=i" => \$opt_w,
|
|
|
+ "c=i" => \$opt_c, "critical=i" => \$opt_c,
|
|
|
+ "t" => \$opt_t, "timeout" => \$opt_t
|
|
|
+);
|
|
|
+
|
|
|
+my $chainfh, $chainfile, $escaped_tempfile, $ocsp_status;
|
|
|
+
|
|
|
+sub usage {
|
|
|
+ print "check_ssl_validity -H <cert hostname> [-I <IP/host>] [-p <port>]\n[-t <timeout>] [-w <expire warning (days)>] [-c <expire critical (dats)>]\n[-C (CRL update frequency in seconds)] [-d (debug)] [--ocsp] [--ocsp-host]\n";
|
|
|
+ print "\nWill look for hostname provided with -H in the certificate, but will contact\n";
|
|
|
+ print "server with host/IP provided by -I (optional)\n";
|
|
|
+ exit(1);
|
|
|
+}
|
|
|
+
|
|
|
+sub updatecrl {
|
|
|
+ my $url = shift;
|
|
|
+ my $fn = shift;
|
|
|
+
|
|
|
+ my $content = get($url);
|
|
|
+ if (defined($content)) {
|
|
|
+ if (open(CACHE, ">$cachefile")) {
|
|
|
+ print CACHE $content;
|
|
|
+ } else {
|
|
|
+ doexit(2, "Could not open file $fn for writing CRL temp file for cert on $host:$port.");
|
|
|
+ }
|
|
|
+ close(CACHE);
|
|
|
+ } else {
|
|
|
+ doexit(2, "Could not download CRL Distribution Point URL $url for cert on $hosttxt.");
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+sub ckserial {
|
|
|
+ return if ($crserial eq "");
|
|
|
+ if ($serial eq $crserial) {
|
|
|
+ if ($crrev ne "") {
|
|
|
+ $crrevtime = str2time($crrev);
|
|
|
+ $revtime = $crrevtime-$uxtime;
|
|
|
+ if ($revtime < 0) {
|
|
|
+ doexit(2, "Found certificate for $vhost on CRL $crldp revoked already at date $crrev");
|
|
|
+ } elsif (($revtime/86400) < $crit) {
|
|
|
+ doexit(2, "Found certificate for $vhost on CRL $crldp revoked at date $crrev, within critical time frame $crit");
|
|
|
+ } elsif (($revtime/86400) < $warn) {
|
|
|
+ doexit(1, "Found certificate for $vhost on CRL $crldp revoked at date $crrev, within warning time frame $warn");
|
|
|
+ }
|
|
|
+ }
|
|
|
+ doexit(1, "Found certificate for $vhost on CRL $crldp revoked $crrev. Time to check the revokation date");
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+usage unless ($opt_H);
|
|
|
+
|
|
|
+# Defaults
|
|
|
+if ($opt_p) {
|
|
|
+ $port = $opt_p;
|
|
|
+} else {
|
|
|
+ $port = 443;
|
|
|
+}
|
|
|
+
|
|
|
+if ($opt_t) {
|
|
|
+ $tmout = $opt_t;
|
|
|
+} else {
|
|
|
+ $tmout = 10;
|
|
|
+}
|
|
|
+
|
|
|
+if ($opt_C) {
|
|
|
+ $crlupdatefreq = $opt_C;
|
|
|
+} else {
|
|
|
+ $crlupdatefreq = 86400;
|
|
|
+}
|
|
|
+
|
|
|
+$vhost = $opt_H;
|
|
|
+if ($opt_I) {
|
|
|
+ $host = $opt_I;
|
|
|
+} else {
|
|
|
+ $host = $vhost;
|
|
|
+}
|
|
|
+$hosttxt = "$host:$port";
|
|
|
+
|
|
|
+if ($opt_w && $opt_w =~ /^\d+$/) {
|
|
|
+ $warn = $opt_w;
|
|
|
+} else {
|
|
|
+ $warn = 30;
|
|
|
+}
|
|
|
+if ($opt_c && $opt_c =~ /^\d+$/) {
|
|
|
+ $crit = $opt_c;
|
|
|
+} else {
|
|
|
+ $crit = 30;
|
|
|
+}
|
|
|
+
|
|
|
+sub doexit {
|
|
|
+ my $ret = shift;
|
|
|
+ my $txt = shift;
|
|
|
+ if ($ret == 0) {
|
|
|
+ print "OK: ";
|
|
|
+ }
|
|
|
+ elsif ($ret == 1) {
|
|
|
+ print "WARNING: ";
|
|
|
+ }
|
|
|
+ elsif ($ret == 2) {
|
|
|
+ print "CRITICAL: ";
|
|
|
+ }
|
|
|
+ else {
|
|
|
+ print "UNKNOWN: ";
|
|
|
+ }
|
|
|
+ print "$txt\n";
|
|
|
+ exit($ret);
|
|
|
+}
|
|
|
+
|
|
|
+$alldata = "";
|
|
|
+$cert = "";
|
|
|
+$mode = 0;
|
|
|
+open(CMD, "echo | openssl s_client -servername $vhost -connect $host:$port 2>&1 |");
|
|
|
+while (<CMD>) {
|
|
|
+ $alldata .= $_;
|
|
|
+ if ($mode == 0) {
|
|
|
+ if (/-----BEGIN CERTIFICATE-----/) {
|
|
|
+ $cert .= $_;
|
|
|
+ $mode = 1;
|
|
|
+ }
|
|
|
+ } elsif ($mode == 1) {
|
|
|
+ $cert .= $_;
|
|
|
+ if (/-----END CERTIFICATE-----/) {
|
|
|
+ $mode = 2;
|
|
|
+ }
|
|
|
+ }
|
|
|
+}
|
|
|
+close(CMD);
|
|
|
+$ret = $?;
|
|
|
+if ($ret != 0) {
|
|
|
+ $alldata =~ s@\n@ @g;
|
|
|
+ $alldata =~ s@\s+$@@;
|
|
|
+ doexit(2, "Error connecting to $hosttxt: $alldata");
|
|
|
+} elsif ($cert eq "") {
|
|
|
+ doexit(2, "No certificate found on $hosttxt");
|
|
|
+} else {
|
|
|
+ ($tmpfh,$tempfile) = tempfile(DIR=>'/tmp',UNLINK=>0);
|
|
|
+ doexit(2, "Failed to open temp file: $!") unless (defined($tmpfh));
|
|
|
+ $tmpfh->print($cert);
|
|
|
+ $tmpfh->close;
|
|
|
+}
|
|
|
+
|
|
|
+$dercert = `openssl x509 -in $tempfile -outform DER 2>&1`;
|
|
|
+$ret = $?;
|
|
|
+if ($ret != 0) {
|
|
|
+ $dercert =~ s@\n@ @g;
|
|
|
+ $dercert =~ s@\s+$@@;
|
|
|
+ doexit(2, "Could not convert certificate from PEM to DER format: $dercert");
|
|
|
+}
|
|
|
+
|
|
|
+$decoded = Crypt::X509->new( cert => $dercert );
|
|
|
+if ($decoded->error) {
|
|
|
+ doexit(2, "Could not parse X509 certificate on $hosttxt: " . $decoded->error);
|
|
|
+}
|
|
|
+
|
|
|
+$oktxt = "";
|
|
|
+$cn = $decoded->subject_cn;
|
|
|
+if ($opt_d) { print "Found CN: $cn\n"; }
|
|
|
+if ($vhost eq $decoded->subject_cn) {
|
|
|
+ $oktxt .= "Host $vhost matches CN $vhost on $hosttxt ";
|
|
|
+} elsif ($decoded->subject_cn =~ /^.*\.(.*)$/) {
|
|
|
+ $wcdomain = $1;
|
|
|
+ $domain = $vhost;
|
|
|
+ $domain =~ s@^[\w\-]+\.@@;
|
|
|
+ if ($domain eq $wcdomain) {
|
|
|
+ $oktxt .= "Host $vhost matches wildcard CN " . $decoded->subject_cn . " on $hosttxt ";
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+if ($oktxt eq "") {
|
|
|
+ # Cert not yet found
|
|
|
+ if (defined($decoded->SubjectAltName)) {
|
|
|
+ # Check altnames
|
|
|
+ $altfound = 0;
|
|
|
+ foreach $altnametxt (@{$decoded->SubjectAltName}) {
|
|
|
+ if ($altnametxt =~ /^dNSName=(.*)/) {
|
|
|
+ $altname = $1;
|
|
|
+ if ($opt_d) { print "Found SAN: $altname\n"; }
|
|
|
+ if (match_glob($altname, $vhost)) {
|
|
|
+ $altfound = 1;
|
|
|
+ $oktxt .= "Host $vhost found in SAN on $hosttxt ";
|
|
|
+ last;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+ if ($altfound == 0) {
|
|
|
+ doexit(2, "Host $vhost not found in certificate on $hosttxt, not in CN or in alternative names");
|
|
|
+ }
|
|
|
+ } else {
|
|
|
+ doexit(2, "Host $vhost not found in certificate on $hosttxt, not in CN and no alternative names found");
|
|
|
+ }
|
|
|
+}
|
|
|
+
|
|
|
+# Check expire time
|
|
|
+$uxtimegmt = strftime "%s", gmtime;
|
|
|
+$uxtime = strftime "%s", localtime;
|
|
|
+$certtime = $decoded->not_after;
|
|
|
+$certdays = ($certtime-$uxtimegmt)/86400;
|
|
|
+$certdaysfmt = sprintf("%.1f", $certdays);
|
|
|
+
|
|
|
+if ($certdays < 0) {
|
|
|
+ doexit(2, "${oktxt}but it is expired ($certdaysfmt days)");
|
|
|
+} elsif ($certdays < $crit) {
|
|
|
+ doexit(2, "${oktxt}but it is expiring in only $certdaysfmt days, critical limit is $crit.");
|
|
|
+} elsif ($certdays < $warn) {
|
|
|
+ doexit(1, "${oktxt}but it is expiring in only $certdaysfmt days, warning limit is $warn.");
|
|
|
+}
|
|
|
+
|
|
|
+$serial = $decoded->serial;
|
|
|
+$serial = lc(sprintf("%x", $serial));
|
|
|
+if ($opt_d) {
|
|
|
+ print "Certificate serial: $serial\n";
|
|
|
+}
|
|
|
+
|
|
|
+if ($opt_o) {
|
|
|
+ # Do OCSP instead of CRL checking
|
|
|
+
|
|
|
+ $ocsp_uri = `openssl x509 -noout -ocsp_uri -in $tempfile`;
|
|
|
+ $ocsp_uri =~ s/\s+$//;
|
|
|
+
|
|
|
+ ($chainfh,$chainfile) = tempfile(DIR=>'/tmp',UNLINK=>0);
|
|
|
+ # Get the certificate chain
|
|
|
+ $chain_raw = `echo "Q" | openssl s_client -servername $vhost -connect $host:$port -showcerts 2>/dev/null`;
|
|
|
+ $mode = 0;
|
|
|
+ for(split /^/, $chain_raw) {
|
|
|
+ if (/-----BEGIN CERTIFICATE-----/) {
|
|
|
+ $mode += 1;
|
|
|
+ }
|
|
|
+ # Skip the first certificate returned
|
|
|
+ if ($mode > 1) {
|
|
|
+ $chain_processed .= $_;
|
|
|
+ }
|
|
|
+ if (/-----END CERTIFICATE-----/) {
|
|
|
+ if ($mode > 1) {
|
|
|
+ $mode -= 1;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ $chainfh->print($chain_processed);
|
|
|
+ $chainfh->close;
|
|
|
+
|
|
|
+ $ocsp_cache = md5_hex($chain_processed);
|
|
|
+ $ocsp_cache_file = dirname(__FILE__) . "/ssl_validity_data_" . $ocsp_cache;
|
|
|
+
|
|
|
+ open(OCSP_CACHE, $ocsp_cache_file);
|
|
|
+ while (my $line = <OCSP_CACHE>) {
|
|
|
+ chomp $line;
|
|
|
+ if ($line =~ /[0-9]+/) {
|
|
|
+ $next_update_time = $line;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ close(OCSP_CACHE);
|
|
|
+
|
|
|
+ $current_time = time();
|
|
|
+
|
|
|
+ if ($current_time < $next_update_time) {
|
|
|
+ # Use cached result
|
|
|
+ $next_update_time_str = ctime($next_update_time);
|
|
|
+ chomp $next_update_time_str;
|
|
|
+ $ocsp_status = "good (cached until $next_update_time_str)";
|
|
|
+ }
|
|
|
+ else {
|
|
|
+ # Time to update
|
|
|
+ $cmd = "openssl ocsp -issuer $chainfile -verify_other $chainfile -cert $tempfile -url $ocsp_uri -text";
|
|
|
+ if ($opt_ocsp_host) {
|
|
|
+ $cmd .= " -header \"Host\" \"$opt_ocsp_host\"";
|
|
|
+ }
|
|
|
+ open(CMD, $cmd . " 2>/dev/null |");
|
|
|
+ $escaped_tempfile = $tempfile;
|
|
|
+ $escaped_tempfile =~ s/([\\\|\(\)\[\]\{\}\^\$\*\+\?\.])/\1/g;
|
|
|
+ $ocsp_status = "unknown";
|
|
|
+ while (<CMD>) {
|
|
|
+ chomp;
|
|
|
+ if ($_ =~ s/Next Update: (.*)/$1/) {
|
|
|
+ $next_update_time = str2time($_);
|
|
|
+ }
|
|
|
+
|
|
|
+ if ($_ =~ s/$escaped_tempfile: (.*)/$1/) {
|
|
|
+ $ocsp_status = $_;
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ if ($ocsp_status =~ /good/) {
|
|
|
+ open(OCSP_CACHE, ">", $ocsp_cache_file);
|
|
|
+ print OCSP_CACHE $next_update_time;
|
|
|
+ close(OCSP_CACHE);
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+ my $exit_code = 2;
|
|
|
+ if ($ocsp_status =~ /good/) {
|
|
|
+ $exit_code = 0;
|
|
|
+ }
|
|
|
+ doexit($exit_code, "$oktxt; OCSP responder ($ocsp_uri) says certificate is $ocsp_status");
|
|
|
+}
|
|
|
+else {
|
|
|
+ # Do CRL-based checking
|
|
|
+
|
|
|
+ @crldps = @{$decoded->CRLDistributionPoints};
|
|
|
+ $crlskip = 0;
|
|
|
+ foreach $crldp (@crldps) {
|
|
|
+ if ($opt_d) {
|
|
|
+ print "Checking CRL DP $crldp.\n";
|
|
|
+ }
|
|
|
+ $cachefile = "/tmp/" . md5_hex($crldp) . "_crl.tmp";
|
|
|
+ if (-f $cachefile) {
|
|
|
+ $cacheage = $uxtime-(stat($cachefile))[9];
|
|
|
+ if ($cacheage > $crlupdatefreq) {
|
|
|
+ if ($opt_d) { print "Download update, more than a day old.\n"; }
|
|
|
+ updatecrl($crldp, $cachefile);
|
|
|
+ } else {
|
|
|
+ if ($opt_d) { print "Reusing cached copy.\n"; }
|
|
|
+ }
|
|
|
+ } else {
|
|
|
+ if ($opt_d) { print "Download initial copy.\n"; }
|
|
|
+ updatecrl($crldp, $cachefile);
|
|
|
+ }
|
|
|
+
|
|
|
+ $crl = "";
|
|
|
+ my $format;
|
|
|
+ open(my $cachefile_io, '<', $cachefile);
|
|
|
+ $format = <$cachefile_io> =~ /-----BEGIN X509 CRL-----/ ? 'PEM' : 'DER';
|
|
|
+ close $cachefile_io;
|
|
|
+ open(CMD, "openssl crl -inform $format -text -in $cachefile -noout 2>&1 |");
|
|
|
+ while (<CMD>) {
|
|
|
+ $crl .= $_;
|
|
|
+ }
|
|
|
+ close(CMD);
|
|
|
+ $ret = $?;
|
|
|
+ if ($ret != 0) {
|
|
|
+ $crl =~ s@\n@ @g;
|
|
|
+ $crl =~ s@\s+$@@;
|
|
|
+ doexit(2, "Could not parse $format from URL $crldp while checking $hosttxt: $crl");
|
|
|
+ }
|
|
|
+
|
|
|
+ # Crude CRL parsing goes here
|
|
|
+ $mode = 0;
|
|
|
+ foreach $cline (split(/\n/, $crl)) {
|
|
|
+ if ($cline =~ /.*Next Update: (.+)/) {
|
|
|
+ $nextup = $1;
|
|
|
+ $nextuptime = str2time($nextup);
|
|
|
+ $crlvalid = $nextuptime-$uxtime;
|
|
|
+ if ($opt_d) { print "Next CRL update: $nextup\n"; }
|
|
|
+ if ($crlvalid < 0) {
|
|
|
+ doexit(2, "Could not use CRL from $crldp, it expired past next update on $nextup");
|
|
|
+ }
|
|
|
+ } elsif ($cline =~ /.*Last Update: (.+)/) {
|
|
|
+ $lastup = $1;
|
|
|
+ if ($opt_d) { print "Last CRL update: $lastup\n"; }
|
|
|
+ } elsif ($mode == 0) {
|
|
|
+ if ($cline =~ /.*Serial Number: (\S+)/i) {
|
|
|
+ ckserial;
|
|
|
+ $crserial = lc($1);
|
|
|
+ $crrev = "";
|
|
|
+ } elsif ($cline =~ /.*Revocation Date: (.+)/i) {
|
|
|
+ $crrev = $1;
|
|
|
+ }
|
|
|
+ } elsif ($cline =~ /Signature Algorithm/) {
|
|
|
+ last;
|
|
|
+ }
|
|
|
+ }
|
|
|
+ ckserial;
|
|
|
+ }
|
|
|
+}
|
|
|
+if (-f $tempfile) {
|
|
|
+ unlink ($tempfile);
|
|
|
+}
|
|
|
+
|
|
|
+$oktxt =~ s@\s+$@@;
|
|
|
+print "$oktxt, still valid for $certdaysfmt days. ";
|
|
|
+if ($crlskip == 0) {
|
|
|
+ print "Serial $serial not found on any Certificate Revokation Lists.\n";
|
|
|
+} else {
|
|
|
+ print "CRL checks skipped, next check in " . ($crlupdatefreq - $cacheage) . " seconds.\n";
|
|
|
+}
|
|
|
+
|
|
|
+exit 0;
|
Sebastian Wolf