#!/usr/bin/env python3
import argparse
import os
import socket
import ssl
import sys
import tempfile
from datetime import datetime, timezone
# Process exit codes in the OK / WARNING / CRITICAL / UNKNOWN convention used
# by monitoring plugins; main() maps the certificate check result onto these.
EXIT_OK = 0
EXIT_WARNING = 1
EXIT_CRITICAL = 2
EXIT_UNKNOWN = 3
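def get_cert_expiry(ip, port=443, timeout=5):
    """Fetch the certificate a TLS server presents and return (not_after, common_name).

    The connection is made with hostname checking and chain verification
    deliberately disabled: the check is about *which* certificate the server
    presents when no SNI is sent (typically its default or self-signed one),
    not about whether that certificate is trusted.  Consequently nothing
    returned here is an authenticated identity -- the common name is
    informational only and must not be used to make trust decisions.

    Args:
        ip: Host or IP address to connect to.
        port: TCP port of the TLS endpoint (default 443).
        timeout: Socket timeout in seconds applied to connect and handshake.

    Returns:
        ``(expiry_date, common_name)``.  ``expiry_date`` is a naive
        ``datetime`` in UTC taken from the certificate's ``notAfter`` field;
        ``common_name`` is the first non-empty subject commonName, or ``None``
        when the subject has none.

    Raises:
        ValueError: if the server sent no certificate, the certificate has no
            ``notAfter`` field, or that field is not in the expected
            ``"%b %d %H:%M:%S %Y GMT"`` form.
        OSError: (including ``ssl.SSLError``) on connection or handshake
            failure.
    """
    context = ssl.create_default_context()
    # Intentionally unverified (see docstring): an IP address cannot match a
    # hostname, and a default certificate usually chains to no trusted CA.
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE

    with socket.create_connection((ip, port), timeout=timeout) as sock:
        # server_hostname=None sends no SNI, which is what makes the server
        # fall back to its default certificate.
        with context.wrap_socket(sock, server_hostname=None) as ssock:
            der_cert = ssock.getpeercert(binary_form=True)

    # getpeercert() returns None when the peer presented no certificate at all.
    if not der_cert:
        raise ValueError("Serwer nie przesłał certyfikatu")

    pem_cert = ssl.DER_cert_to_PEM_cert(der_cert)

    # NOTE: ssl._ssl._test_decode_cert is a private CPython helper.  It is used
    # because getpeercert() returns an empty dict for an unverified peer, and the
    # standard library offers no public decoder for a raw certificate.  It takes
    # a file path, hence the temporary directory, which is removed even if
    # writing or decoding raises.
    with tempfile.TemporaryDirectory() as tmp_dir:
        pem_path = os.path.join(tmp_dir, "cert.pem")
        with open(pem_path, "w", encoding="ascii") as pem_file:
            pem_file.write(pem_cert)
        decoded = ssl._ssl._test_decode_cert(pem_path)

    not_after = decoded.get('notAfter')
    if not not_after:
        raise ValueError("Brak daty ważności w certyfikacie")

    # ssl.cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" form
    # locale-independently (strptime with %b depends on LC_TIME); convert back
    # to a naive UTC datetime so the return type stays what callers expect.
    expiry_seconds = ssl.cert_time_to_seconds(not_after)
    expiry_date = datetime.fromtimestamp(expiry_seconds, tz=timezone.utc).replace(tzinfo=None)

    return expiry_date, _subject_common_name(decoded.get('subject', ()))


def _subject_common_name(subject):
    """Return the first non-empty commonName in a getpeercert()-style subject, or None.

    ``subject`` is a sequence of RDNs, each a tuple of ``(type, value)`` pairs;
    entries that are not tuples are skipped.
    """
    for rdn in subject:
        if not isinstance(rdn, tuple):
            continue
        for key, value in rdn:
            if key == 'commonName' and value:
                return value
    return None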
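def main():
    """Command-line entry point: report how long a server's default certificate is still valid.

    Parses ``--ip``, ``--port``, ``--warning`` and ``--critical``, fetches the
    certificate with ``get_cert_expiry`` and prints a single status line,
    exiting with EXIT_OK / EXIT_WARNING / EXIT_CRITICAL depending on the
    remaining days.  Any exception raised while checking is reported as
    UNKNOWN (EXIT_UNKNOWN) so the monitoring system always receives a status
    rather than a traceback.
    """
    parser = argparse.ArgumentParser(description='Sprawdza datę wygaśnięcia domyślnego certyfikatu SSL na IP')
    parser.add_argument('--ip', required=True, help='Adres IP serwera')
    parser.add_argument('--port', '-p', type=int, default=443, help='Port serwera (domyślnie 443)')
    parser.add_argument('--warning', '-w', type=int, default=30, help='Liczba dni do ostrzeżenia (WARNING)')
    parser.add_argument('--critical', '-c', type=int, default=10, help='Liczba dni do alarmu (CRITICAL)')
    args = parser.parse_args()

    # Only the check itself is inside the try: sys.exit() is kept outside so a
    # SystemExit can never be confused with a check failure.
    try:
        expiry_date, cert_name = get_cert_expiry(args.ip, args.port)
        # get_cert_expiry returns a naive UTC datetime, so compare against a
        # naive UTC "now" (datetime.utcnow() is deprecated since Python 3.12).
        now = datetime.now(timezone.utc).replace(tzinfo=None)
        # timedelta.days floors, so a certificate that expired less than a day
        # ago already yields -1 and is reported as expired.
        days_left = (expiry_date - now).days

        base_msg = f"Wygasajacy certyfikat default na adresie IP: {args.ip} (dla domeny: {cert_name})"

        # Thresholds are checked most severe first; an expired certificate is
        # CRITICAL regardless of the configured thresholds.
        if days_left < 0:
            status, message = EXIT_CRITICAL, f"CRITICAL: {base_msg} wygasł {-days_left} dni temu"
        elif days_left <= args.critical:
            status, message = EXIT_CRITICAL, f"CRITICAL: {base_msg} w ciągu {days_left} dni"
        elif days_left <= args.warning:
            status, message = EXIT_WARNING, f"WARNING: {base_msg} w ciągu {days_left} dni"
        else:
            status, message = EXIT_OK, f"OK: {base_msg} ważny jeszcze {days_left} dni"
    except Exception as e:
        # Top-level boundary of a monitoring plugin: any failure (DNS, connect,
        # handshake, decode) becomes UNKNOWN with the error text in the output.
        status, message = EXIT_UNKNOWN, f"UNKNOWN: Błąd podczas sprawdzania certyfikatu: {e}"

    print(message)
    sys.exit(status)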
# Run the check only when executed as a script, not when imported.
if __name__ == '__main__':
    main()