ssl-certificate-expiry: Feature added: checking intermediate certs as…

… well (#1088)
munin-monitoring · Sep 6, 2020 · bba98f9 · bba98f9
1 parent 81bdeda
commit bba98f9
Showing 1 changed file with 30 additions and 4 deletions.
diff --git a/plugins/ssl/ssl-certificate-expiry b/plugins/ssl/ssl-certificate-expiry
@@ -57,9 +57,11 @@ uncached updates after the cache file is older than an hour.
 
  * Pactrick Domack (ssl_)
  * Olivier Mehani (ssl-certificate-expiry)
-
+ * Martin Schobert (check for intermediate certs)
+ 
  * Copyright (C) 2013 Patrick Domack <patrickdk@patrickdk.com>
  * Copyright (C) 2017, 2019 Olivier Mehani <shtrom+munin@ssji.net>
+ * Copyright (C) 2020 Martin Schobert <martin@schobert.cc> 
 
 =head1 LICENSE
 
@@ -90,6 +92,7 @@ parse_valid_days_from_certificate() {
     local now_epoch
     local input_data
     input_data=$(cat)
+
     if echo "$input_data" | grep -q -- "-----BEGIN CERTIFICATE-----"; then
         valid_until_string=$(echo "$input_data" | openssl x509 -noout -enddate \
             | grep "^notAfter=" | cut -f 2 -d "=")
@@ -122,11 +125,34 @@ print_expire_days() {
     local s_client_args=
     [ -n "$starttls" ] && s_client_args="-starttls $starttls"
 
+    # We extract and check the server certificate,
+    # but the end date also depends on intermediate certs. Therefore
+    # we want to check intermediate certs as well.
+    #
+    # The following cryptic lines do:
+    # - invoke openssl and connect to a port
+    # - print certs, not only the server cert
+    # - extract each certificate as a single line
+    # - pipe each cert to the parse_valid_days_from_certificate
+    #   function, which basically is 'openssl x509 -enddate'
+    # - get a list of the parse_valid_days_from_certificate
+    #   results and sort them
+
     # shellcheck disable=SC2086
     echo "" | openssl s_client \
-            -servername "$host" -connect "${host}:${port}" \
-            $s_client_args 2>/dev/null \
-        | parse_valid_days_from_certificate
+	-servername "$host" -connect "${host}:${port}" \
+	-showcerts \
+	$s_client_args 2>/dev/null | \
+	awk '{
+  	  if ($0 == "-----BEGIN CERTIFICATE-----") cert=""
+  	  else if ($0 == "-----END CERTIFICATE-----") print cert
+  	  else cert=cert$0
+	  }' | \
+	  while read -r CERT; do
+	      (printf '\n-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n' "$CERT") | \
+	  	  parse_valid_days_from_certificate
+          done | sort -n | head -n 1
+
 }
 
 main() {