43 lines
1.2 KiB
Text
43 lines
1.2 KiB
Text
|
#!/bin/bash
|
||
|
|
|
||
|
|
host=$1
|
||
|
|
port=$2
|
||
|
|
|
||
|
|
cert=$(echo | openssl s_client -connect "$host":"$port" -servername "$host" 2>/dev/null | openssl x509)
|
||
|
|
issuer_hash=$(echo "$cert" | openssl x509 -noout -issuer_hash)
|
||
|
|
not_after=$(echo "$cert" | openssl x509 -noout -dates | grep '^notAfter=')
|
||
|
|
|
||
|
|
if [[ -z "$cert" ]] || [[ -z "$issuer_hash" ]] || [[ -z "$not_after" ]]
|
||
|
|
then
|
||
|
|
echo "UNKNOWN - Could not retrieve certificate! [$host:$port]"
|
||
|
|
exit 3
|
||
|
|
fi
|
||
|
|
|
||
|
|
warn_days=60
|
||
|
|
crit_days=30
|
||
|
|
|
||
|
|
case "$issuer_hash" in
|
||
|
|
# issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
|
||
|
|
4f06f81d)
|
||
|
|
warn_days=10
|
||
|
|
crit_days=3
|
||
|
|
;;
|
||
|
|
esac
|
||
|
|
|
||
|
|
if ! echo "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1
|
||
|
|
then
|
||
|
|
echo "CRITICAL - Certificate has expired! [$host:$port] [$not_after]"
|
||
|
|
exit 2
|
||
|
|
elif ! echo "$cert" | openssl x509 -noout -checkend $((86400 * crit_days)) >/dev/null 2>&1
|
||
|
|
then
|
||
|
|
echo "CRITICAL - Certificate will expire really soon: [$host:$port] [$not_after]"
|
||
|
|
exit 2
|
||
|
|
elif ! echo "$cert" | openssl x509 -noout -checkend $((86400 * warn_days)) >/dev/null 2>&1
|
||
|
|
then
|
||
|
|
echo "WARNING - Certificate will expire soon: [$host:$port] [$not_after]"
|
||
|
|
exit 1
|
||
|
|
fi
|
||
|
|
|
||
|
|
echo "OK - [$host:$port] [$not_after]"
|
||
|
|
exit 0
|