ssl-certificate-expiry

#!/bin/sh -u
# -*- sh -*-
# shellcheck shell=dash

: << =cut

=head1 NAME

ssl-certificate-expiry - Plugin to monitor Certificate expiration on multiple services and ports

=head1 CONFIGURATION

  [ssl-certificate-expiry]
    env.services www.service.tld blah.example.net_PORT foo.example.net_PORT_STARTTLS

PORT is the TCP port number
STARTTLS is passed to openssl as "-starttls" argument. Useful for services like SMTP or IMAP implementing StartTLS.
  Current known values are ftp, imap, pop3 and smtp
  PORT is mandatory if STARTTLS is used.

To set warning and critical levels do like this:

  [ssl-certificate-expiry]
    env.services ...
    env.warning 30:
    env.proxy PROXYHOST:PORT          # optional, enables openssl operation over proxy
    env.checkname yes                 # optional, checks if used servername is covered by certificate
    env.skip_cert_hashes 2e5ac55d     # optional, skip check of certs with those hashes (2e5ac55d is DST Root CA X3, cross-signing Let's Encrypt certs, but expiring on 2021-09-30)

Alternatively, if you want to monitor hosts separately, you can create multiple symlinks named as follows.

  ssl-certificate-expiry_HOST_PORT

For example:

  ssl-certificate-expiry_www.example.net
  ssl-certificate-expiry_www.example.org_443
  ssl-certificate-expiry_192.0.2.42_636
  ssl-certificate-expiry_2001:0DB8::badc:0fee_485
  ssl-certificate-expiry_mail.example.net_25_smtp

=head2 Cron setup

To avoid having to run the SSL checks during the munin-update, it is possible
to run it from cron, and save a cachefile to be read during the update, This is
particularly useful when checking a large number of certificates, or when some
of the hosts are slow.

To do so, add a cron job running the plugin with cron as the argument:

  <minute> * * * <user> /usr/sbin/munin-run/ssl-certificate-expiry cron

<user> should be the user that has write permission to the MUNIN_PLUGSTATE.
<minute> should be a number between 0 and 59 when the check should run every hour.

If, for any reason, the cron script stops running, the script will revert to
uncached updates after the cache file is older than an hour.

=head1 AUTHORS

 * Pactrick Domack (ssl_)
 * Olivier Mehani (ssl-certificate-expiry, skip_cert_hashes)
 * Martin Schobert (check for intermediate certs)
 * Arndt Kritzner (hostname verification and proxy usage)

 * Copyright (C) 2013 Patrick Domack <patrickdk@patrickdk.com>
 * Copyright (C) 2017, 2019, 2021 Olivier Mehani <shtrom+munin@ssji.net>
 * Copyright (C) 2020 Martin Schobert <martin@schobert.cc>

=head1 LICENSE

=cut

# shellcheck disable=SC1091
. "${MUNIN_LIBDIR}/plugins/plugin.sh"

if [ "${MUNIN_DEBUG:-0}" = 1 ]; then
    set -x
fi

HOSTPORT=${0##*ssl-certificate-expiry_}
CACHEFILE="${MUNIN_PLUGSTATE}/$(basename "${0}").cache"

if [ "${HOSTPORT}" != "${0}" ] \
	&& [ -n "${HOSTPORT}" ]; then
	services="${HOSTPORT}"
fi


# Read data including a certificate from stdin and output the (fractional) number of days left
# until the expiry of this certificate. The output is empty if parsing failed.
parse_valid_days_from_certificate() {
    local input_data
    local valid_until_string
    local valid_until_epoch
    local now_epoch
    local input_data
    input_data=$(cat)

    if echo "$input_data" | grep -q -- "-----BEGIN CERTIFICATE-----"; then
        cert_data=$(echo "$input_data" | openssl x509 -noout -subject_hash -enddate)

        # Skip certificate if its hash is in env.skip_cert_hashes
        hash="$(echo "${cert_data}" | head -n 1)"
        echo "${skip_cert_hashes:-}" | grep -iqwF "${hash}" && return

        valid_until_string=$(echo "$cert_data" \
            | grep "^notAfter=" | cut -f 2 -d "=")
        if [ -n "$valid_until_string" ]; then
            # FreeBSD requires special arguments for "date"
            if uname | grep -q ^FreeBSD; then
                valid_until_epoch=$(date -j -f '%b %e %T %Y %Z' "$valid_until_string" +%s)
                now_epoch=$(date -j +%s)
            else
                valid_until_epoch=$(date --date="$valid_until_string" +%s)
                now_epoch=$(date +%s)
            fi
            if [ -n "$valid_until_epoch" ]; then
                # calculate the number of days left
                echo "$valid_until_epoch" "$now_epoch" | awk '{ print(($1 - $2) / (24 * 3600)); }'
            fi
        fi
    fi
}


print_expire_days() {
    local host="$1"
    local port="$2"
    local starttls="$3"

    # Wrap IPv6 addresses in square brackets
    echo "$host" | grep -q ':' && host="[$host]"

    local s_client_args=''
    [ -n "$starttls" ] && s_client_args="$s_client_args -starttls $starttls"
    [ -n "${proxy:-}" ] && s_client_args="$s_client_args -proxy $proxy"
    [ -n "${checkname:-}" ] && [ "$checkname" = "yes" ] && s_client_args="$s_client_args -verify_hostname $host"

    # We extract and check the server certificate,
    # but the end date also depends on intermediate certs. Therefore
    # we want to check intermediate certs as well.
    #
    # The following cryptic lines do:
    # - invoke openssl and connect to a port
    # - print certs, not only the server cert
    # - extract each certificate as a single line
    # - pipe each cert to the parse_valid_days_from_certificate
    #   function, which basically is 'openssl x509 -enddate'
    # - get a list of the parse_valid_days_from_certificate
    #   results and sort them
    
    local openssl_call
    local openssl_response
    # shellcheck disable=SC2086
    openssl_call="s_client -servername $host -connect ${host}:${port} -showcerts $s_client_args"
    # shellcheck disable=SC2086
    openssl_response=$(echo "" | openssl ${openssl_call} 2>/dev/null)
    if echo "$openssl_response" | grep -qi "Hostname mismatch"; then
	echo "<>"
    else
	echo "$openssl_response" | \
	awk '{
  	  if ($0 == "-----BEGIN CERTIFICATE-----") cert=""
  	  else if ($0 == "-----END CERTIFICATE-----") print cert
  	  else cert=cert$0
	  }' | \
	  while read -r CERT; do
	      (printf '\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$CERT") | \
	  	  parse_valid_days_from_certificate
          done | sort -n | head -n 1
    fi
}

my_clean_fieldname() {
    # if a domain starts with a digit, or its an IP address, prepend '_'
    clean_fieldname "$(echo "$@" | sed -E 's/^([0-9])/_\1/')"
}

main() {
    for service in $services; do
	if echo "$service" | grep -q "_"; then
	    host=$(echo "$service" | cut -f 1 -d "_")
	    port=$(echo "$service" | cut -f 2 -d "_")
	    starttls=$(echo "$service" | cut -f 3 -d "_")
	else
	    host=$service
	    port=443
	    starttls=""
	fi
	fieldname="$(my_clean_fieldname "$service")"
	valid_days=$(print_expire_days "$host" "$port" "$starttls")
	extinfo=""
	[ -z "$valid_days" ] && valid_days="U"
	if [ "$valid_days" = "<>" ]; then
	    extinfo="Error: hostname mismatch, "
	    valid_days="-1"
	fi
	printf "%s.value %s\\n" "$fieldname" "$valid_days"
	echo "${fieldname}.extinfo ${extinfo}Last checked: $(date)"
    done
}

case ${1:-} in
    config)
	echo "graph_title SSL Certificates Expiration"
	echo 'graph_args --base 1000'
	echo 'graph_vlabel days left'
	echo 'graph_category security'
	echo "graph_info This graph shows the numbers of days before certificate expiry"
	for service in $services; do
	    fieldname=$(my_clean_fieldname "$service")
	    echo "${fieldname}.label $(echo "${service}" | sed 's/_/:/')"
	    print_thresholds "${fieldname}" warning critical
	done

	exit 0
	;;
    cron)
	UPDATE="$(main)"
	echo "${UPDATE}" > "${CACHEFILE}"
	chmod 0644 "${CACHEFILE}"

	exit 0
	;;
esac

if [ -n "$(find "${CACHEFILE}" -mmin -60 2>/dev/null)" ]; then
	cat "${CACHEFILE}"
	exit 0
fi

main