Add ssl-expiration probe to check if a ssl certificate is about to

expire under a specified time. Contribution from Denis Fondras
2018-10-20 20:28:20 +02:00 · 2018-10-20 20:28:20 +02:00 · c1bb305f9d
parent 72d28cf74b
commit c1bb305f9d
3 changed files with 41 additions and 1 deletions
--- a/25
+++ b/25
@ -294,6 +294,7 @@ This may be the most useful probe because it let the user do any check needed.

 Example : `(=> alert command :command "tail -n 10 /var/log/messages | grep -v CRITICAL")`

+
 service
 -------
 Check if a service is started on the system.
@ -303,6 +304,7 @@ Check if a service is started on the system.

 Example : `(=> alert service :name "mysql-server")`

+
 file-less-than
 --------------
 Check if a file has a size less than a specified limit.
@ -315,9 +317,11 @@ Check if a file has a size less than a specified limit.

 Example : `(=> alert file-less-than :path "/var/log/nginx.log" :limit 60)`

+
 curl-http-status
 ----------------
-Do a HTTP request and return an error if the return code isn't 200. Requires curl.
+Do a HTTP request and return an error if the return code isn't
+200. Requires curl.

 > Set the url to request.
    :url "STRING"
@ -325,6 +329,25 @@ Do a HTTP request and return an error if the return code isn't 200. Requires cur
 > Set the time to wait before aborting.
    :timeout INTEGER

+
+ssl-expiration
+--------------------
+Check if a remote SSL certificate expires in less than a specified
+time. Requires openssl.
+
+> Set the hostname for the request.
+    :host "STRING"
+
+> Set the expiration time limit in seconds.
+    :seconds INTEGER
+
+> Set the port for the request (OPTIONAL).
+    :port INTEGER (default to 443)
+
+Example : `(=> alert ssl-expiration :host "domain.local" :seconds (* 7 24 60 60))
+Example : `(=> alert ssl-expiration :host "domain.local" :seconds 86400 :port 6697)
+
+
 The configuration file
 ======================

--- a/example-full.lisp
+++ b/example-full.lisp
@ -55,6 +55,11 @@
 ;; check if web page :url answer under :limit
 (=> empty command :command "curl -m 10 http://google.fr/")

+;; check if a certificate is still valid within a time range
+(=> mail ssl-expiration :host "google.fr"    :seconds 1296000)
+(=> mail ssl-expiration :host "freenode.net" :seconds (* 7 24 60 60))
+(=> mail ssl-expiration :host "freenode.net" :seconds 1296000 :port 6697)
+
 ;; we declare a new probe here
 (create-probe
 check-http-pattern
--- a/probes.lisp
+++ b/probes.lisp
@ -120,3 +120,15 @@
  (list "curl" "-f"
        (format nil "-m~a" (getf params :timeout 5))
        (getf params :url))))
+
+(create-probe
+ ssl-expiration
+ (command-return-code
+  (concatenate 'string
+               "echo | openssl s_client -showcerts -servername "
+               (getf params :host) " -connect "
+               (getf params :host) ":" (princ-to-string
+                                        (getf params :port 443))
+               " 2>/dev/null | openssl x509 -inform pem -noout -checkend "
+               (princ-to-string
+                (getf params :seconds)))))