Add check_default_cert.py

2025-07-17 16:47:17 +02:00
parent bf9c33ab83
commit b5e9ff16fc
1 changed files with 86 additions and 0 deletions
--- a/check_default_cert.py
+++ b/check_default_cert.py
@@ -0,0 +1,86 @@
+#!/usr/bin/env python3
+
+import sys
+import socket
+import ssl
+import tempfile
+import os
+from datetime import datetime
+import argparse
+
+EXIT_OK = 0
+EXIT_WARNING = 1
+EXIT_CRITICAL = 2
+EXIT_UNKNOWN = 3
+
+def get_cert_expiry(ip, port=443, timeout=5):
+    context = ssl.create_default_context()
+    context.check_hostname = False
+    context.verify_mode = ssl.CERT_NONE
+
+    with socket.create_connection((ip, port), timeout=timeout) as sock:
+        with context.wrap_socket(sock, server_hostname=None) as ssock:
+            der_cert = ssock.getpeercert(binary_form=True)
+            pem_cert = ssl.DER_cert_to_PEM_cert(der_cert)
+
+            with tempfile.NamedTemporaryFile(delete=False, mode='w', suffix='.pem') as tmp_file:
+                tmp_file.write(pem_cert)
+                tmp_filename = tmp_file.name
+
+            try:
+                decoded = ssl._ssl._test_decode_cert(tmp_filename)
+                not_after = decoded.get('notAfter')
+
+                subject = decoded.get('subject', [])
+                common_name = None
+                for tup in subject:
+                    if isinstance(tup, tuple):
+                        for key, value in tup:
+                            if key == 'commonName':
+                                common_name = value
+                                break
+                    if common_name:
+                        break
+
+                if not not_after:
+                    raise ValueError("Brak daty ważności w certyfikacie")
+
+                expiry_date = datetime.strptime(not_after, '%b %d %H:%M:%S %Y %Z')
+                return expiry_date, common_name
+            finally:
+                os.remove(tmp_filename)
+
+def main():
+    parser = argparse.ArgumentParser(description='Sprawdza datę wygaśnięcia domyślnego certyfikatu SSL na IP')
+    parser.add_argument('--ip', required=True, help='Adres IP serwera')
+    parser.add_argument('--port', '-p', type=int, default=443, help='Port serwera (domyślnie 443)')
+    parser.add_argument('--warning', '-w', type=int, default=30, help='Liczba dni do ostrzeżenia (WARNING)')
+    parser.add_argument('--critical', '-c', type=int, default=10, help='Liczba dni do alarmu (CRITICAL)')
+    args = parser.parse_args()
+
+    try:
+        expiry_date, cert_name = get_cert_expiry(args.ip, args.port)
+        now = datetime.utcnow()
+        days_left = (expiry_date - now).days
+
+        base_msg = f"Wygasajacy certyfikat default na adresie IP: {args.ip} (dla domeny: {cert_name})"
+
+        if days_left < 0:
+            print(f"CRITICAL: {base_msg} wygasł {-days_left} dni temu")
+            sys.exit(EXIT_CRITICAL)
+        elif days_left <= args.critical:
+            print(f"CRITICAL: {base_msg} w ciągu {days_left} dni")
+            sys.exit(EXIT_CRITICAL)
+        elif days_left <= args.warning:
+            print(f"WARNING: {base_msg} w ciągu {days_left} dni")
+            sys.exit(EXIT_WARNING)
+        else:
+            print(f"OK: {base_msg} ważny jeszcze {days_left} dni")
+            sys.exit(EXIT_OK)
+
+    except Exception as e:
+        print(f"UNKNOWN: Błąd podczas sprawdzania certyfikatu: {e}")
+        sys.exit(EXIT_UNKNOWN)
+
+if __name__ == '__main__':
+    main()