| Current File : //lib64/nagios/plugins/check_ssl_validity |
#! /usr/bin/perl
# nagios: -epn
# Complete (?) check for valid SSL certificate
# Originally by Anders Nordby (anders@fupp.net), 2015-02-16
# Copied with permission on 2019-09-26 (https://github.com/nagios-plugins/nagios-plugins/issues/72)
# and modified to fit the needs of the nagios-plugins project.
# Copyright: GPLv2
# Checks all of the following:
# Fetch SSL certificate from URL (on optional given host)
# Does the certificate contain our hostname?
# Has the certificate expired?
# Download (and cache) CRL
# Has the certificate been revoked?
use Getopt::Std;
use File::Temp qw(tempfile);
use File::Basename;
use Crypt::X509;
use Date::Parse;
use Date::Format qw(ctime);
use POSIX qw(strftime);
use Digest::MD5 qw(md5_hex);
use LWP::Simple;
use Text::Glob qw(match_glob);
use Getopt::Long;
Getopt::Long::Configure('bundling');
GetOptions(
"h" => \$opt_h, "help" => \$opt_h,
"d" => \$opt_d, "debug" => \$opt_d,
"o" => \$opt_o, "ocsp" => \$opt_o,
"ocsp-host=s" => \$opt_ocsp_host,
"C=s" => \$opt_C, "crl-cache-frequency=s" => \$opt_C,
"I=s" => \$opt_I, "ip=s" => \$opt_I,
"p=i" => \$opt_p, "port=i" => \$opt_p,
"H=s" => \$opt_H, "cert-hostname=s" => \$opt_H,
"w=i" => \$opt_w, "warning=i" => \$opt_w,
"c=i" => \$opt_c, "critical=i" => \$opt_c,
"t" => \$opt_t, "timeout" => \$opt_t
);
my $chainfh, $chainfile, $escaped_tempfile, $ocsp_status;
sub usage {
print "check_ssl_validity -H <cert hostname> [-I <IP/host>] [-p <port>]\n[-t <timeout>] [-w <expire warning (days)>] [-c <expire critical (dats)>]\n[-C (CRL update frequency in seconds)] [-d (debug)] [--ocsp] [--ocsp-host]\n";
print "\nWill look for hostname provided with -H in the certificate, but will contact\n";
print "server with host/IP provided by -I (optional)\n";
exit(1);
}
sub updatecrl {
my $url = shift;
my $fn = shift;
my $content = get($url);
if (defined($content)) {
if (open(CACHE, ">$cachefile")) {
print CACHE $content;
} else {
doexit(2, "Could not open file $fn for writing CRL temp file for cert on $host:$port.");
}
close(CACHE);
} else {
doexit(2, "Could not download CRL Distribution Point URL $url for cert on $hosttxt.");
}
}
sub ckserial {
return if ($crserial eq "");
if ($serial eq $crserial) {
if ($crrev ne "") {
$crrevtime = str2time($crrev);
$revtime = $crrevtime-$uxtime;
if ($revtime < 0) {
doexit(2, "Found certificate for $vhost on CRL $crldp revoked already at date $crrev");
} elsif (($revtime/86400) < $crit) {
doexit(2, "Found certificate for $vhost on CRL $crldp revoked at date $crrev, within critical time frame $crit");
} elsif (($revtime/86400) < $warn) {
doexit(1, "Found certificate for $vhost on CRL $crldp revoked at date $crrev, within warning time frame $warn");
}
}
doexit(1, "Found certificate for $vhost on CRL $crldp revoked $crrev. Time to check the revokation date");
}
}
usage unless ($opt_H);
# Defaults
if ($opt_p) {
$port = $opt_p;
} else {
$port = 443;
}
if ($opt_t) {
$tmout = $opt_t;
} else {
$tmout = 10;
}
if ($opt_C) {
$crlupdatefreq = $opt_C;
} else {
$crlupdatefreq = 86400;
}
$vhost = $opt_H;
if ($opt_I) {
$host = $opt_I;
} else {
$host = $vhost;
}
$hosttxt = "$host:$port";
if ($opt_w && $opt_w =~ /^\d+$/) {
$warn = $opt_w;
} else {
$warn = 30;
}
if ($opt_c && $opt_c =~ /^\d+$/) {
$crit = $opt_c;
} else {
$crit = 30;
}
sub doexit {
my $ret = shift;
my $txt = shift;
if ($ret == 0) {
print "OK: ";
}
elsif ($ret == 1) {
print "WARNING: ";
}
elsif ($ret == 2) {
print "CRITICAL: ";
}
else {
print "UNKNOWN: ";
}
print "$txt\n";
exit($ret);
}
$alldata = "";
$cert = "";
$mode = 0;
open(CMD, "echo | openssl s_client -servername $vhost -connect $host:$port 2>&1 |");
while (<CMD>) {
$alldata .= $_;
if ($mode == 0) {
if (/-----BEGIN CERTIFICATE-----/) {
$cert .= $_;
$mode = 1;
}
} elsif ($mode == 1) {
$cert .= $_;
if (/-----END CERTIFICATE-----/) {
$mode = 2;
}
}
}
close(CMD);
$ret = $?;
if ($ret != 0) {
$alldata =~ s@\n@ @g;
$alldata =~ s@\s+$@@;
doexit(2, "Error connecting to $hosttxt: $alldata");
} elsif ($cert eq "") {
doexit(2, "No certificate found on $hosttxt");
} else {
($tmpfh,$tempfile) = tempfile(DIR=>'/tmp',UNLINK=>0);
doexit(2, "Failed to open temp file: $!") unless (defined($tmpfh));
$tmpfh->print($cert);
$tmpfh->close;
}
$dercert = `openssl x509 -in $tempfile -outform DER 2>&1`;
$ret = $?;
if ($ret != 0) {
$dercert =~ s@\n@ @g;
$dercert =~ s@\s+$@@;
doexit(2, "Could not convert certificate from PEM to DER format: $dercert");
}
$decoded = Crypt::X509->new( cert => $dercert );
if ($decoded->error) {
doexit(2, "Could not parse X509 certificate on $hosttxt: " . $decoded->error);
}
$oktxt = "";
$cn = $decoded->subject_cn;
if ($opt_d) { print "Found CN: $cn\n"; }
if ($vhost eq $decoded->subject_cn) {
$oktxt .= "Host $vhost matches CN $vhost on $hosttxt ";
} elsif ($decoded->subject_cn =~ /^.*\.(.*)$/) {
$wcdomain = $1;
$domain = $vhost;
$domain =~ s@^[\w\-]+\.@@;
if ($domain eq $wcdomain) {
$oktxt .= "Host $vhost matches wildcard CN " . $decoded->subject_cn . " on $hosttxt ";
}
}
if ($oktxt eq "") {
# Cert not yet found
if (defined($decoded->SubjectAltName)) {
# Check altnames
$altfound = 0;
foreach $altnametxt (@{$decoded->SubjectAltName}) {
if ($altnametxt =~ /^dNSName=(.*)/) {
$altname = $1;
if ($opt_d) { print "Found SAN: $altname\n"; }
if (match_glob($altname, $vhost)) {
$altfound = 1;
$oktxt .= "Host $vhost found in SAN on $hosttxt ";
last;
}
}
}
if ($altfound == 0) {
doexit(2, "Host $vhost not found in certificate on $hosttxt, not in CN or in alternative names");
}
} else {
doexit(2, "Host $vhost not found in certificate on $hosttxt, not in CN and no alternative names found");
}
}
# Check expire time
$uxtimegmt = strftime "%s", gmtime;
$uxtime = strftime "%s", localtime;
$certtime = $decoded->not_after;
$certdays = ($certtime-$uxtimegmt)/86400;
$certdaysfmt = sprintf("%.1f", $certdays);
if ($certdays < 0) {
doexit(2, "${oktxt}but it is expired ($certdaysfmt days)");
} elsif ($certdays < $crit) {
doexit(2, "${oktxt}but it is expiring in only $certdaysfmt days, critical limit is $crit.");
} elsif ($certdays < $warn) {
doexit(1, "${oktxt}but it is expiring in only $certdaysfmt days, warning limit is $warn.");
}
$serial = $decoded->serial;
$serial = lc(sprintf("%x", $serial));
if ($opt_d) {
print "Certificate serial: $serial\n";
}
if ($opt_o) {
# Do OCSP instead of CRL checking
$ocsp_uri = `openssl x509 -noout -ocsp_uri -in $tempfile`;
$ocsp_uri =~ s/\s+$//;
($chainfh,$chainfile) = tempfile(DIR=>'/tmp',UNLINK=>0);
# Get the certificate chain
$chain_raw = `echo "Q" | openssl s_client -servername $vhost -connect $host:$port -showcerts 2>/dev/null`;
$mode = 0;
for(split /^/, $chain_raw) {
if (/-----BEGIN CERTIFICATE-----/) {
$mode += 1;
}
# Skip the first certificate returned
if ($mode > 1) {
$chain_processed .= $_;
}
if (/-----END CERTIFICATE-----/) {
if ($mode > 1) {
$mode -= 1;
}
}
}
$chainfh->print($chain_processed);
$chainfh->close;
$ocsp_cache = md5_hex($chain_processed);
$ocsp_cache_file = dirname(__FILE__) . "/ssl_validity_data_" . $ocsp_cache;
open(OCSP_CACHE, $ocsp_cache_file);
while (my $line = <OCSP_CACHE>) {
chomp $line;
if ($line =~ /[0-9]+/) {
$next_update_time = $line;
}
}
close(OCSP_CACHE);
$current_time = time();
if ($current_time < $next_update_time) {
# Use cached result
$next_update_time_str = ctime($next_update_time);
chomp $next_update_time_str;
$ocsp_status = "good (cached until $next_update_time_str)";
}
else {
# Time to update
$cmd = "openssl ocsp -issuer $chainfile -verify_other $chainfile -cert $tempfile -url $ocsp_uri -text";
if ($opt_ocsp_host) {
$cmd .= " -header \"Host\" \"$opt_ocsp_host\"";
}
open(CMD, $cmd . " 2>/dev/null |");
$escaped_tempfile = $tempfile;
$escaped_tempfile =~ s/([\\\|\(\)\[\]\{\}\^\$\*\+\?\.])/\1/g;
$ocsp_status = "unknown";
while (<CMD>) {
chomp;
if ($_ =~ s/Next Update: (.*)/$1/) {
$next_update_time = str2time($_);
}
if ($_ =~ s/$escaped_tempfile: (.*)/$1/) {
$ocsp_status = $_;
}
}
if ($ocsp_status =~ /good/) {
open(OCSP_CACHE, ">", $ocsp_cache_file);
print OCSP_CACHE $next_update_time;
close(OCSP_CACHE);
}
}
my $exit_code = 2;
if ($ocsp_status =~ /good/) {
$exit_code = 0;
}
doexit($exit_code, "$oktxt; OCSP responder ($ocsp_uri) says certificate is $ocsp_status");
}
else {
# Do CRL-based checking
@crldps = @{$decoded->CRLDistributionPoints};
$crlskip = 0;
foreach $crldp (@crldps) {
if ($opt_d) {
print "Checking CRL DP $crldp.\n";
}
$cachefile = "/tmp/" . md5_hex($crldp) . "_crl.tmp";
if (-f $cachefile) {
$cacheage = $uxtime-(stat($cachefile))[9];
if ($cacheage > $crlupdatefreq) {
if ($opt_d) { print "Download update, more than a day old.\n"; }
updatecrl($crldp, $cachefile);
} else {
if ($opt_d) { print "Reusing cached copy.\n"; }
}
} else {
if ($opt_d) { print "Download initial copy.\n"; }
updatecrl($crldp, $cachefile);
}
$crl = "";
my $format;
open(my $cachefile_io, '<', $cachefile);
$format = <$cachefile_io> =~ /-----BEGIN X509 CRL-----/ ? 'PEM' : 'DER';
close $cachefile_io;
open(CMD, "openssl crl -inform $format -text -in $cachefile -noout 2>&1 |");
while (<CMD>) {
$crl .= $_;
}
close(CMD);
$ret = $?;
if ($ret != 0) {
$crl =~ s@\n@ @g;
$crl =~ s@\s+$@@;
doexit(2, "Could not parse $format from URL $crldp while checking $hosttxt: $crl");
}
# Crude CRL parsing goes here
$mode = 0;
foreach $cline (split(/\n/, $crl)) {
if ($cline =~ /.*Next Update: (.+)/) {
$nextup = $1;
$nextuptime = str2time($nextup);
$crlvalid = $nextuptime-$uxtime;
if ($opt_d) { print "Next CRL update: $nextup\n"; }
if ($crlvalid < 0) {
doexit(2, "Could not use CRL from $crldp, it expired past next update on $nextup");
}
} elsif ($cline =~ /.*Last Update: (.+)/) {
$lastup = $1;
if ($opt_d) { print "Last CRL update: $lastup\n"; }
} elsif ($mode == 0) {
if ($cline =~ /.*Serial Number: (\S+)/i) {
ckserial;
$crserial = lc($1);
$crrev = "";
} elsif ($cline =~ /.*Revocation Date: (.+)/i) {
$crrev = $1;
}
} elsif ($cline =~ /Signature Algorithm/) {
last;
}
}
ckserial;
}
}
if (-f $tempfile) {
unlink ($tempfile);
}
$oktxt =~ s@\s+$@@;
print "$oktxt, still valid for $certdaysfmt days. ";
if ($crlskip == 0) {
print "Serial $serial not found on any Certificate Revokation Lists.\n";
} else {
print "CRL checks skipped, next check in " . ($crlupdatefreq - $cacheage) . " seconds.\n";
}
exit 0;