- Repository: Munin (contrib)
- Last change: 2021-12-03
- Language: Shell
- License: GPL-2.0-only
certificate_file_expiry
Name
certificate_file_expiry - check the certificate validity of your certificates
Configuration
Installing: add the list of your certificates, each prefixed by its type, to a file in munin's plugin-conf.d.
For openvpn ca.crt and crl.pem:
    [certificate_file_expiry]
    user root
    env.CERTS crl:/etc/openvpn/easy-rsa/keys/crl.pem x509:/etc/openvpn/easy-rsa/keys/ca.crt
    env.LOGARITHMIC yes
For letsencrypt certificates:
    [certificate_file_expiry]
    user root
    env.CERTS x509:/etc/letsencrypt/live/*/cert.pem
Warning and critical levels can also be configured with env variables like this:
    [certificate_file_expiry]
    ...
    # warn when certificate will be invalid within 5 days
    env.warning 5:
    # for this certificate warn us 10 days before because it takes longer to renew
    env._etc_letsencrypt_live_example_com_cert_pem_warning 10:
    # critical when certificate will be invalid within 1 day
    env.critical 1:
env.CERTS is a space-separated list of file patterns, each prefixed by the type of certificate to check and a colon. Every type that openssl supports as a standard command and that prints a validity line is supported (e.g. x509, crl). A file pattern can name a single file (e.g. /etc/openvpn/easy-rsa/keys/crl.pem) or be a glob that matches multiple files (e.g. /etc/letsencrypt/live/*/cert.pem).
env.warning and env.critical set the warning and critical levels using the syntax described at http://guide.munin-monitoring.org/en/latest/tutorial/alert.html?highlight=warning#syntax-of-warning-and-critical
env.LOGARITHMIC "yes" enables logarithmic display of the values, which is useful when some of your certificates are long lived relative to the warning level, e.g. a ca.crt valid for 10 years graphed next to a crl.pem valid for only a few months with a warning level of 5 days. The default is "yes"; set it to "no" to disable it.
Dependencies
Dependencies: openssl
Author
andreas perhab - andreas.perhab@wt-io-it.at (https://www.wt-io-it.at/)
License
GPLv2
#!/bin/sh
: << =cut
=head1 NAME
certificate_file_expiry - check the certificate validity of your certificates
=head1 CONFIGURATION
Installing: add the list of your certificates, each prefixed by its type, to a file in munin's plugin-conf.d.
For openvpn ca.crt and crl.pem:
    [certificate_file_expiry]
    user root
    env.CERTS crl:/etc/openvpn/easy-rsa/keys/crl.pem x509:/etc/openvpn/easy-rsa/keys/ca.crt
    env.LOGARITHMIC yes
For letsencrypt certificates:
    [certificate_file_expiry]
    user root
    env.CERTS x509:/etc/letsencrypt/live/*/cert.pem
Warning and critical levels can also be configured with env variables like this:
    [certificate_file_expiry]
    ...
    # warn when certificate will be invalid within 5 days
    env.warning 5:
    # for this certificate warn us 10 days before because it takes longer to renew
    env._etc_letsencrypt_live_example_com_cert_pem_warning 10:
    # critical when certificate will be invalid within 1 day
    env.critical 1:
env.CERTS is a space-separated list of file patterns, each prefixed by the type of certificate to check
and a colon. Every type that openssl supports as a standard command and that prints a validity line is
supported (e.g. x509, crl). A file pattern can name a single file (e.g. /etc/openvpn/easy-rsa/keys/crl.pem)
or be a glob that matches multiple files (e.g. /etc/letsencrypt/live/*/cert.pem).
env.warning and env.critical set the warning and critical levels using the syntax described at
http://guide.munin-monitoring.org/en/latest/tutorial/alert.html?highlight=warning#syntax-of-warning-and-critical
env.LOGARITHMIC "yes" enables logarithmic display of the values, which is useful when some of your
certificates are long lived relative to the warning level, e.g. a ca.crt valid for 10 years graphed next
to a crl.pem valid for only a few months with a warning level of 5 days. The default is "yes"; set it to
"no" to disable it.
=head1 Dependencies
Dependencies: openssl
=head1 AUTHOR
andreas perhab - andreas.perhab@wt-io-it.at (https://www.wt-io-it.at/)
=head1 LICENSE
GPLv2
=cut

# provides clean_fieldname, print_warning and print_critical
. "$MUNIN_LIBDIR/plugins/plugin.sh"

LOGARITHMIC=${LOGARITHMIC:-yes}
graph_args=""

if [ "$1" = "config" ] ; then
    echo "graph_title Certificate validity"
    if [ "$LOGARITHMIC" = "yes" ] ; then
        graph_args="--logarithmic --units=si"
    fi
    echo "graph_args --base 1000 $graph_args"
    echo "graph_vlabel days"
    echo "graph_category security"
fi

now=$(date +%s)
for cert in ${CERTS}; do
    cert_type=${cert%:*}       # openssl subcommand, e.g. x509 or crl
    cert_pattern=${cert#*:}    # single file or glob pattern
    # intentionally unquoted so the shell expands the glob
    for cert_file in $cert_pattern; do
        cert_name=$(clean_fieldname "$cert_file")
        if [ "$1" = "config" ] ; then
            echo "${cert_name}.label ${cert_file}"
            print_warning "$cert_name"
            print_critical "$cert_name"
        elif [ "$1" = "" ] ; then
            # x509 prints "Not After :", crl prints "Next Update:"
            validity=$(/usr/bin/openssl "$cert_type" -text -noout -in "$cert_file" 2>/dev/null \
                | grep -E '(Next Update|Not After)')
            if [ -z "$validity" ] ; then
                # unreadable or unparsable file: report unknown instead of aborting the whole run
                echo "${cert_name}.value U"
                continue
            fi
            validity=${validity#*:}                    # drop the label, keep the date
            validity=$(date --date="$validity" +%s)    # GNU date
            validity=$((validity - now))
            validity=$(echo "$validity" | awk '{ print ($1 / 86400) }')   # seconds to days
            echo "${cert_name}.value $validity"
        fi
    done
done