aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSilvio Rhatto <rhatto@riseup.net>2011-01-02 20:44:17 +0100
committerSilvio Rhatto <rhatto@riseup.net>2011-01-02 20:44:17 +0100
commit027fa31590deca283c67fac1ef2449df63ee35c1 (patch)
tree2c108f2d5fb29a7e27bc45e6ce004828688255b6
parentf4905e39e09ce720aece3e2bc36fc94fb2614606 (diff)
downloadpuppet-ssl-027fa31590deca283c67fac1ef2449df63ee35c1.tar.gz
puppet-ssl-027fa31590deca283c67fac1ef2449df63ee35c1.tar.bz2
Adding ssl-cert-check
-rw-r--r--files/ssl-cert-check705
-rw-r--r--manifests/init.pp21
2 files changed, 726 insertions, 0 deletions
diff --git a/files/ssl-cert-check b/files/ssl-cert-check
new file mode 100644
index 0000000..72de361
--- /dev/null
+++ b/files/ssl-cert-check
@@ -0,0 +1,705 @@
+#!/bin/bash
+#
+# Program: SSL Certificate Check <ssl-cert-check>
+#
+# Source code home: http://prefetch.net/code/ssl-cert-check
+#
+# Documentation: http://prefetch.net/articles/checkcertificate.html
+#
+# Author: Matty < matty91 at gmail dot com >
+#
+# Current Version: 3.21
+#
+# Revision History:
+
+# Version 3.21
+# - Adjust e-mail checking to avoid exiting if notifications aren't enabled -- Nick Anderson
+# - Added the number of days until expiration to the Nagios output -- Nick Anderson
+#
+# Version 3.20
+# - Fixed a bug in certificate length checking -- Tim Nowaczyk
+#
+# Version 3.19
+# - Added check to verify the certificate retrieved is valid
+#
+# Version 3.18
+# - Add support for connecting to FTP servers -- Paul A Sand
+#
+# Version 3.17
+# - Add support for connecting to imap servers -- Joerg Pareigis
+#
+# Version 3.16
+# - Add support for connecting to the mail sbmission port -- Luis E. Munoz
+#
+# Version 3.15
+# - Adjusted the file checking logic to use the correct certificate -- Maciej Szudejko
+# - Add sbin to the default search paths for OpenBSD compatibility -- Alex Popov
+# - Use cut instead of substring processing to ensure compatibility -- Alex Popov
+#
+# Version 3.14
+# - Fixed the Common Name parser to handle DN's where the CN is not the last item
+# eg. EmailAddr -- Jason Brothers
+# - Added the ability to grab the serial number -- Jason Brothers
+# - Added the "-b" option to print results without a header -- Jason Brothers
+# - Added the "-v" option for certificate validation -- Jason Brothers
+#
+# Version 3.13
+# - Updated the subject line to include the hostname as well as
+# the common name embedded in the X509 certificate (if it's
+# available) -- idea proposed by Mike Burns
+#
+# Version 3.12
+# - Updated the license to allow redistribution and modification
+#
+# Version 3.11
+# - Added ability to comment out lines in files passed
+# to the "-f" option -- Brett Stauner
+# - Fixed comment next to file processing logic
+#
+# Version 3.10
+# - Fixed POP3 port -- Simon Matter
+#
+# Version 3.9
+# - Switched binary location logic to use which utility
+#
+# Version 3.8
+# - Fixed display on 80 column displays
+# - Cleaned up the formatting
+#
+# Version 3.7
+# - Fixed bug in NAGIOS tests -- Ben Allen
+#
+# Version 3.6
+# - Added support for certificates stored in PKCS#12 databases -- Ken Gallo
+# - Cleaned up comments
+# - Adjusted variables to be more consistent
+#
+# Version 3.5
+# - Added support for NAGIOS -- Quanah Gibson-Mount
+# - Added additional checks for mail -- Quanah Gibson-Mount
+# - Convert tabs to spaces -- Quanah Gibson-Mount
+# - Cleaned up usage() routine
+# - Added additional checks for openssl
+#
+# Version 3.4
+# - Added a missing "{" to line 364 -- Ken Gallo
+# - Move mktemp to the start of the main body to avoid errors
+# - Adjusted default binary paths to make sure the script just works
+# w/ Solaris, BSD and Linux hosts
+#
+# Version 3.3
+# - Added common name from X.509 certificate file to E-mail body / header -- Doug Curtis
+# - Fixed several documentation errors
+# - Use mktemp to create temporary files
+# - Convert printf, sed and awk to variables
+# - Check for printf, sed, awk and mktemp binaries
+# - Add additional logic to make sure mktemp returned a valid temporary file
+#
+# Version 3.2
+# - Added option to list certificates in the file passed to "-f".
+#
+# Version 3.1
+# - Added handling for starttls for smtp -- Marco Amrein
+# - Added handling for starttls for pop3 (without s) -- Marco Amrein
+# - Removed extra spacing at end of script
+#
+# Version 3.0
+# - Added "-i" option to print certificate issuer
+# - Removed $0 from Subject line of outbound e-mails
+# - Fixed some typographical errors
+# - Removed redundant "-b" option
+#
+# Version 2.0
+# - Fixed an issue with e-mails formatting incorrectly
+# - Added additional space to host column -- Darren-Perot Spruell
+# - Replaced GNU date dependency with CHRIS F. A. JOHNSON's
+# date2julian shell function. This routine can be found on
+# page 170 of Chris's book "Shell Scripting Recipes: A
+# Problem-Solution Approach," ISBN #1590594711. Julian function
+# was created based on a post to comp.unix.shell by Tapani Tarvainen.
+# - Cleaned up function descriptions
+# - Removed several lines of redundant code
+# - Adjusted the help message
+#
+# Version 1.1
+# - Added "-c" flag to report expiration status of a PEM encoded
+# certificate -- Hampus Lundqvist
+# - Updated the prints messages to display the reason a connection
+# failed (connection refused, connection timeout, bad cert, etc)
+# - Updated the GNU date checking routines
+# - Added checks for each binary required
+# - Added checks for connection timeouts
+# - Added checks for GNU date
+# - Added a "-h" option
+# - Cleaned up the documentation
+#
+# Version 1.0
+# Initial Release
+#
+# Last Updated: 11-23-2010
+#
+# Purpose:
+# ssl-cert-check checks to see if a digital certificate in X.509 format
+# has expired. ssl-cert-check can be run in interactive and batch mode,
+# and provides facilities to alarm if a certificate is about to expire.
+#
+# License:
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# Requirements:
+# Requires openssl
+#
+# Installation:
+# Copy the shell script to a suitable location
+#
+# Tested platforms:
+# -- Solaris 9 using /bin/bash
+# -- Solaris 10 using /bin/bash
+# -- OS X 10.4.2 using /bin/sh
+# -- OpenBSD using /bin/sh
+# -- FreeBSD using /bin/sh
+# -- Redhat Enterprise Linux 3, 4, 5 & 6
+#
+# Usage:
+# Refer to the usage() sub-routine, or invoke ssl-cert-check
+# with the "-h" option.
+#
+# Examples:
+# Please refer to the following site for documentation and
+# examples:
+# http://prefetch.net/articles/checkcertificate.html
+#
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/ssl/bin:/usr/sfw/bin
+export PATH
+
+# Who to page when an expired certificate is detected (cmdline: -e)
+ADMIN="root"
+
+# Number of days in the warning threshhold (cmdline: -x)
+WARNDAYS=30
+
+# If QUIET is set to TRUE, don't print anything on the console (cmdline: -q)
+QUIET="FALSE"
+
+# Don't send E-mail by default (cmdline: -a)
+ALARM="FALSE"
+
+# Don't run as a Nagios plugin by default (cmdline: -n)
+NAGIOS="FALSE"
+
+# NULL out the PKCSDBPASSWD variable for later use (cmdline: -k)
+PKCSDBPASSWD=""
+
+# Location of system binaries
+AWK=$(which awk)
+DATE=$(which date)
+GREP=$(which grep)
+OPENSSL=$(which openssl)
+PRINTF=$(which printf)
+SED=$(which sed)
+MKTEMP=$(which mktemp)
+
+# Return code used by nagios. Initialize to 0.
+RETCODE=0
+
+# Set the default umask to be somewhat restrictive
+umask 077
+
+#############################################################################
+# Purpose: Convert a date from MONTH-DAY-YEAR to Julian format
+# Acknowledgements: Code was adapted from examples in the book
+# "Shell Scripting Recipes: A Problem-Solution Approach"
+# ( ISBN 1590594711 )
+# Arguments:
+# $1 -> Month (e.g., 06)
+# $2 -> Day (e.g., 08)
+# $3 -> Year (e.g., 2006)
+#############################################################################
+date2julian() {
+
+ if [ "${1} != "" ] && [ "${2} != "" ] && [ "${3}" != "" ]
+ then
+ ## Since leap years add aday at the end of February,
+ ## calculations are done from 1 March 0000 (a fictional year)
+ d2j_tmpmonth=$((12 * ${3} + ${1} - 3))
+
+ ## If it is not yet March, the year is changed to the previous year
+ d2j_tmpyear=$(( ${d2j_tmpmonth} / 12))
+
+ ## The number of days from 1 March 0000 is calculated
+ ## and the number of days from 1 Jan. 4713BC is added
+ echo $(( (734 * ${d2j_tmpmonth} + 15) / 24
+ - 2 * ${d2j_tmpyear} + ${d2j_tmpyear}/4
+ - ${d2j_tmpyear}/100 + ${d2j_tmpyear}/400 + $2 + 1721119 ))
+ else
+ echo 0
+ fi
+}
+
+#############################################################################
+# Purpose: Convert a string month into an integer representation
+# Arguments:
+# $1 -> Month name (e.g., Sep)
+#############################################################################
+getmonth()
+{
+ case ${1} in
+ Jan) echo 1 ;;
+ Feb) echo 2 ;;
+ Mar) echo 3 ;;
+ Apr) echo 4 ;;
+ May) echo 5 ;;
+ Jun) echo 6 ;;
+ Jul) echo 7 ;;
+ Aug) echo 8 ;;
+ Sep) echo 9 ;;
+ Oct) echo 10 ;;
+ Nov) echo 11 ;;
+ Dec) echo 12 ;;
+ *) echo 0 ;;
+ esac
+}
+
+#############################################################################
+# Purpose: Calculate the number of seconds between two dates
+# Arguments:
+# $1 -> Date #1
+# $2 -> Date #2
+#############################################################################
+date_diff()
+{
+ if [ "${1}" != "" ] && [ "${2}" != "" ]
+ then
+ echo $((${2} - ${1}))
+ else
+ echo 0
+ fi
+}
+
+#####################################################################
+# Purpose: Print a line with the expiraton interval
+# Arguments:
+# $1 -> Hostname
+# $2 -> TCP Port
+# $3 -> Status of certification (e.g., expired or valid)
+# $4 -> Date when certificate will expire
+# $5 -> Days left until the certificate will expire
+# $6 -> Issuer of the certificate
+#####################################################################
+prints()
+{
+ if [ "${QUIET}" != "TRUE" ] && [ "${ISSUER}" = "TRUE" ] && [ "${VALIDATION}" != "TRUE" ]
+ then
+ MIN_DATE=$(echo $4 | ${AWK} '{ print $1, $2, $4 }')
+ if [ "${NAGIOS}" == "TRUE" ]
+ then
+ ${PRINTF} "%-35s %-17s %-8s %-11s %-4s %-30s\n" "$1:$2" "$6" "$3" "$MIN_DATE" \|days="$5"
+ else
+ ${PRINTF} "%-35s %-17s %-8s %-11s %-4s %-30s\n" "$1:$2" "$6" "$3" "$MIN_DATE" "$5"
+ fi
+ elif [ "${QUIET}" != "TRUE" ] && [ "${ISSUER}" = "TRUE" ] && [ "${VALIDATION}" == "TRUE" ]
+ then
+ ${PRINTF} "%-35s %-35s %-32s %-17s\n" "$1:$2" "$7" "$8" "$6"
+
+ elif [ "${QUIET}" != "TRUE" ] && [ "${VALIDATION}" != "TRUE" ]
+ then
+ MIN_DATE=$(echo $4 | ${AWK} '{ print $1, $2, $4 }')
+ if [ "${NAGIOS}" == "TRUE" ]
+ then
+ ${PRINTF} "%-47s %-12s %-12s %-4s %-30s\n" "$1:$2" "$3" "$MIN_DATE" \|days="$5"
+ else
+ ${PRINTF} "%-47s %-12s %-12s %-4s %-30s\n" "$1:$2" "$3" "$MIN_DATE" "$5"
+ fi
+ elif [ "${QUIET}" != "TRUE" ] && [ "${VALIDATION}" == "TRUE" ]
+ then
+ ${PRINTF} "%-35s %-35s %-32s\n" "$1:$2" "$7" "$8"
+ fi
+}
+
+
+####################################################
+# Purpose: Print a heading with the relevant columns
+# Arguments:
+# None
+####################################################
+print_heading()
+{
+ if [ "${NOHEADER}" != "TRUE" ]
+ then
+ if [ "${QUIET}" != "TRUE" ] && [ "${ISSUER}" = "TRUE" ] && [ "${NAGIOS}" != "TRUE" ] && [ "${VALIDATION}" != "TRUE" ]
+ then
+ ${PRINTF} "\n%-35s %-17s %-8s %-11s %-4s\n" "Host" "Issuer" "Status" "Expires" "Days"
+ echo "----------------------------------- ----------------- -------- ----------- ----"
+
+ elif [ "${QUIET}" != "TRUE" ] && [ "${ISSUER}" = "TRUE" ] && [ "${NAGIOS}" != "TRUE" ] && [ "${VALIDATION}" == "TRUE" ]
+ then
+ ${PRINTF} "\n%-35s %-35s %-32s %-17s\n" "Host" "Common Name" "Serial #" "Issuer"
+ echo "----------------------------------- ----------------------------------- -------------------------------- -----------------"
+
+ elif [ "${QUIET}" != "TRUE" ] && [ "${NAGIOS}" != "TRUE" ] && [ "${VALIDATION}" != "TRUE" ]
+ then
+ ${PRINTF} "\n%-47s %-12s %-12s %-4s\n" "Host" "Status" "Expires" "Days"
+ echo "----------------------------------------------- ------------ ------------ ----"
+
+ elif [ "${QUIET}" != "TRUE" ] && [ "${NAGIOS}" != "TRUE" ] && [ "${VALIDATION}" == "TRUE" ]
+ then
+ ${PRINTF} "\n%-35s %-35s %-32s\n" "Host" "Common Name" "Serial #"
+ echo "----------------------------------- ----------------------------------- --------------------------------"
+ fi
+ fi
+}
+
+
+##########################################
+# Purpose: Describe how the script works
+# Arguments:
+# None
+##########################################
+usage()
+{
+ echo "Usage: $0 [ -e email address ] [ -x days ] [-q] [-a] [-b] [-h] [-i] [-n] [-v]"
+ echo " { [ -s common_name ] && [ -p port] } || { [ -f cert_file ] } || { [ -c certificate file ] }"
+ echo ""
+ echo " -a : Send a warning message through E-mail"
+ echo " -b : Will not print header"
+ echo " -c cert file : Print the expiration date for the PEM or PKCS12 formatted certificate in cert file"
+ echo " -e E-mail address : E-mail address to send expiration notices"
+ echo " -f cert file : File with a list of FQDNs and ports"
+ echo " -h : Print this screen"
+ echo " -i : Print the issuer of the certificate"
+ echo " -k password : PKCS12 file password"
+ echo " -n : Run as a Nagios plugin"
+ echo " -p port : Port to connect to (interactive mode)"
+ echo " -s commmon name : Server to connect to (interactive mode)"
+ echo " -q : Don't print anything on the console"
+ echo " -v : Only print validation data"
+ echo " -x days : Certificate expiration interval (eg. if cert_date < days)"
+ echo ""
+}
+
+
+##########################################################################
+# Purpose: Connect to a server ($1) and port ($2) to see if a certificate
+# has expired
+# Arguments:
+# $1 -> Server name
+# $2 -> TCP port to connect to
+##########################################################################
+check_server_status() {
+
+
+
+ if [ "_${2}" = "_smtp" -o "_${2}" = "_25" ]
+ then
+ TLSFLAG="-starttls smtp"
+
+ elif [ "_${2}" = "_ftp" -o "_${2}" = "_21" ]
+ then
+ TLSFLAG="-starttls ftp"
+
+ elif [ "_${2}" = "_pop3" -o "_${2}" = "_110" ]
+ then
+ TLSFLAG="-starttls pop3"
+
+ elif [ "_${2}" = "_imap" -o "_${2}" = "_143" ]
+ then
+ TLSFLAG="-starttls imap"
+
+ elif [ "_${2}" = "_submission" -o "_${2}" = "_587" ]
+ then
+ TLSFLAG="-starttls smtp -port ${2}"
+ else
+ TLSFLAG=""
+ fi
+
+ echo "" | ${OPENSSL} s_client -connect ${1}:${2} ${TLSFLAG} 2> ${ERROR_TMP} 1> ${CERT_TMP}
+
+ if ${GREP} -i "Connection refused" ${ERROR_TMP} > /dev/null
+ then
+ prints ${1} ${2} "Connection refused" "Unknown"
+
+ elif ${GREP} -i "gethostbyname failure" ${ERROR_TMP} > /dev/null
+ then
+ prints ${1} ${2} "Cannot resolve domain" "Unknown"
+
+ elif ${GREP} -i "Operation timed out" ${ERROR_TMP} > /dev/null
+ then
+ prints ${1} ${2} "Operation timed out" "Unknown"
+
+ elif ${GREP} -i "ssl handshake failure" ${ERROR_TMP} > /dev/null
+ then
+ prints ${1} ${2} "SSL handshake failed" "Unknown"
+
+ elif ${GREP} -i "connect: Connection timed out" ${ERROR_TMP} > /dev/null
+ then
+ prints ${1} ${2} "Connection timed out" "Unknown"
+
+ else
+ check_file_status ${CERT_TMP} $1 $2
+ fi
+}
+
+#####################################################
+### Check the expiration status of a certificate file
+### Accepts three parameters:
+### $1 -> certificate file to process
+### $2 -> Server name
+### $3 -> Port number of certificate
+#####################################################
+check_file_status() {
+
+ CERTFILE=${1}
+ HOST=${2}
+ PORT=${3}
+
+ ### Check to make sure the certificate file exists
+ if [ ! -r ${CERTFILE} ] || [ -z ${CERTFILE} ]
+ then
+ echo "ERROR: The file named ${CERTFILE} is unreadable or doesn't exist"
+ echo "ERROR: Please check to make sure the certificate for ${HOST}:${PORT} is valid"
+ RETCODE=1
+ return
+ fi
+
+ ### Grab the expiration date from the X.509 certificate
+ if [ "${PKCSDBPASSWD}" != "" ]
+ then
+ # Extract the certificate from the PKCS#12 database, and
+ # send the informational message to /dev/null
+ ${OPENSSL} pkcs12 -nokeys -in ${CERTFILE} \
+ -out ${CERT_TMP} -password pass:${PKCSDBPASSWD} 2> /dev/null
+
+ # Extract the expiration date from the certificate
+ CERTDATE=$(${OPENSSL} x509 -in ${CERT_TMP} -enddate -noout | \
+ ${SED} 's/notAfter\=//')
+
+ # Extract the issuer from the certificate
+ CERTISSUER=$(${OPENSSL} x509 -in ${CERT_TMP} -issuer -noout | \
+ ${AWK} 'BEGIN {RS="/" } $0 ~ /^O=/ \
+ { print substr($0,3,17)}')
+
+ ### Grab the common name (CN) from the X.509 certificate
+ COMMONNAME=$(${OPENSSL} x509 -in ${CERT_TMP} -subject -noout | \
+ ${SED} -e 's/.*CN=//' | \
+ ${SED} -e 's/\/.*//')
+
+ ### Grab the serial number from the X.509 certificate
+ SERIAL=$(${OPENSSL} x509 -in ${CERT_TMP} -serial -noout | \
+ ${SED} -e 's/serial=//')
+ else
+ # Extract the expiration date from the ceriticate
+ CERTDATE=$(${OPENSSL} x509 -in ${CERTFILE} -enddate -noout | \
+ ${SED} 's/notAfter\=//')
+
+ # Extract the issuer from the certificate
+ CERTISSUER=$(${OPENSSL} x509 -in ${CERTFILE} -issuer -noout | \
+ ${AWK} 'BEGIN {RS="/" } $0 ~ /^O=/ { print substr($0,3,17)}')
+
+ ### Grab the common name (CN) from the X.509 certificate
+ COMMONNAME=$(${OPENSSL} x509 -in ${CERTFILE} -subject -noout | \
+ ${SED} -e 's/.*CN=//' | \
+ ${SED} -e 's/\/.*//')
+ ### Grab the serial number from the X.509 certificate
+ SERIAL=$(${OPENSSL} x509 -in ${CERTFILE} -serial -noout | \
+ ${SED} -e 's/serial=//')
+ fi
+
+ ### Split the result into parameters, and pass the relevant pieces to date2julian
+ set -- ${CERTDATE}
+ MONTH=$(getmonth ${1})
+
+ # Convert the date to seconds, and get the diff between NOW and the expiration date
+ CERTJULIAN=$(date2julian ${MONTH#0} ${2#0} ${4})
+ CERTDIFF=$(date_diff ${NOWJULIAN} ${CERTJULIAN})
+
+ if [ ${CERTDIFF} -lt 0 ]
+ then
+ if [ "${ALARM}" = "TRUE" ]
+ then
+ echo "The SSL certificate for ${HOST} \"(CN: ${COMMONNAME})\" has expired!" \
+ | ${MAIL} -s "Certificate for ${HOST} \"(CN: ${COMMONNAME})\" has expired!" ${ADMIN}
+ fi
+
+ prints ${HOST} ${PORT} "Expired" "${CERTDATE}" "${CERTDIFF}" "${CERTISSUER}" "${COMMONNAME}" "${SERIAL}"
+ RETCODE=2
+
+ elif [ ${CERTDIFF} -lt ${WARNDAYS} ]
+ then
+ if [ "${ALARM}" = "TRUE" ]
+ then
+ echo "The SSL certificate for ${HOST} \"(CN: ${COMMONNAME})\" will expire on ${CERTDATE}" \
+ | ${MAIL} -s "Certificate for ${HOST} \"(CN: ${COMMONNAME})\" will expire in ${WARNDAYS}-days or less" ${ADMIN}
+ fi
+ prints ${HOST} ${PORT} "Expiring" "${CERTDATE}" "${CERTDIFF}" "${CERTISSUER}" "${COMMONNAME}" "${SERIAL}"
+ RETCODE=1
+
+ else
+ prints ${HOST} ${PORT} "Valid" "${CERTDATE}" "${CERTDIFF}" "${CERTISSUER}" "${COMMONNAME}" "${SERIAL}"
+ RETCODE=0
+ fi
+}
+
+#################################
+### Start of main program
+#################################
+while getopts abinve:f:c:hk:p:s:qx: option
+do
+ case "${option}"
+ in
+ a) ALARM="TRUE";;
+ b) NOHEADER="TRUE";;
+ c) CERTFILE=${OPTARG};;
+ e) ADMIN=${OPTARG};;
+ f) SERVERFILE=$OPTARG;;
+ h) usage
+ exit 1;;
+ i) ISSUER="TRUE";;
+ k) PKCSDBPASSWD=${OPTARG};;
+ n) NAGIOS="TRUE";;
+ p) PORT=$OPTARG;;
+ s) HOST=$OPTARG;;
+ q) QUIET="TRUE";;
+ v) VALIDATION="TRUE";;
+ x) WARNDAYS=$OPTARG;;
+ \?) usage
+ exit 1;;
+ esac
+done
+
+if [ -f /usr/bin/mailx ]
+then
+ MAIL="/usr/bin/mailx"
+else
+ if [ "${ALARM}" == "FALSE" ]
+ then
+ MAIL=$(which mail 2>/dev/null)
+ else
+ MAIL=$(which mail)
+ fi
+fi
+
+
+### Check to make sure a openssl utility is available
+if [ ! -f ${OPENSSL} ]
+then
+ echo "ERROR: The openssl binary does not exist in ${OPENSSL}."
+ echo "FIX: Please modify the \${OPENSSL} variable in the program header."
+ exit 1
+fi
+
+### Check to make sure a date utility is available
+if [ ! -f ${DATE} ]
+then
+ echo "ERROR: The date binary does not exist in ${DATE} ."
+ echo "FIX: Please modify the \${DATE} variable in the program header."
+ exit 1
+fi
+
+### Check to make sure a grep utility is available
+if [ ! -f ${GREP} ]
+then
+ echo "ERROR: The grep binary does not exist in ${GREP} ."
+ echo "FIX: Please modify the \${GREP} variable in the program header."
+ exit 1
+fi
+
+### Check to make sure the mktemp and printf utilities are available
+if [ ! -f ${MKTEMP} ] || [ ! -f ${PRINTF} ]
+then
+ echo "ERROR: Unable to locate the mktemp or printf binary."
+ echo "FIX: Please modify the \${MKTEMP} and \${PRINTF} variables in the program header."
+ exit 1
+fi
+
+### Check to make sure the sed and awk binaries are available
+if [ ! -f ${SED} ] || [ ! -f ${AWK} ]
+then
+ echo "ERROR: Unable to locate the sed or awk binary."
+ echo "FIX: Please modify the \${SED} and \${AWK} variables in the program header."
+ exit 1
+fi
+
+### CHeck to make sure a mail client is available it automated notifcations are requested
+if [ "${ALARM}" = "TRUE" ] && [ ! -f ${MAIL} ]
+then
+ echo "ERROR: You enabled automated alerts, but the mail binary could not be found."
+ echo "FIX: Please modify the ${MAIL} variable in the program header."
+ exit 1
+fi
+
+# Place to stash temporary files
+CERT_TMP=$($MKTEMP /var/tmp/cert.XXXXXX)
+ERROR_TMP=$($MKTEMP /var/tmp/error.XXXXXX)
+
+### Baseline the dates so we have something to compare to
+MONTH=$(${DATE} "+%m")
+DAY=$(${DATE} "+%d")
+YEAR=$(${DATE} "+%Y")
+NOWJULIAN=$(date2julian ${MONTH#0} ${DAY#0} ${YEAR})
+
+### Touch the files prior to using them
+if [ ! -z "${CERT_TMP}" ] && [ ! -z "${ERROR_TMP}" ]
+then
+ touch ${CERT_TMP} ${ERROR_TMP}
+else
+ echo "ERROR: Problem creating temporary files"
+ echo "FIX: Check that mktemp works on your system"
+ exit 1
+fi
+
+### If a HOST and PORT were passed on the cmdline, use those values
+if [ "${HOST}" != "" ] && [ "${PORT}" != "" ]
+then
+ print_heading
+ check_server_status "${HOST}" "${PORT}"
+
+### If a file is passed to the "-f" option on the command line, check
+### each certificate or server / port combination in the file to see if
+### they are about to expire
+elif [ -f "${SERVERFILE}" ]
+then
+ print_heading
+ while read HOST PORT
+ do
+ if [ "`echo ${HOST} | cut -c1`" = "#" ]
+ then
+ :
+ elif [ "$PORT" = "FILE" ]
+ then
+ check_file_status ${HOST} "FILE" "${HOST}"
+ else
+ check_server_status "${HOST}" "${PORT}"
+ fi
+
+ done < ${SERVERFILE}
+
+### Check to see if the certificate in CERTFILE is about to expire
+elif [ "${CERTFILE}" != "" ]
+then
+ print_heading
+ check_file_status ${CERTFILE} "FILE" "${CERTFILE}"
+
+### There was an error, so print a detailed usage message and exit
+else
+ usage
+ exit 1
+fi
+
+### Remove the temporary files
+rm -f ${CERT_TMP} ${ERROR_TMP}
+
+### Exit with a success indicator
+if [ "${NAGIOS}" = "TRUE" ]; then
+ exit $RETCODE
+else
+ exit 0
+fi
diff --git a/manifests/init.pp b/manifests/init.pp
index 93f2693..bde758a 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -22,6 +22,27 @@ class ssl {
source => "puppet://$server/files/keys/ssl/cert.pem",
require => File["/etc/ssl/private"],
}
+
+ file { "/usr/local/bin/ssl-cert-check":
+ ensure => present,
+ owner => "root",
+ group => "root",
+ mode => 755,
+ source => "puppet://$server/modules/ssl/ssl-cert-check",
+ }
+
+ define check($port = '443', $interval = '60', $email = 'root',
+ $hour = '0', $minute = '0', $weekday = '0') {
+ cron { "ssl-cert-check-${name}":
+ command => "ssl-cert-check -a -s ${name} -p ${port} -q -x ${interval} -e ${email}",
+ user => root,
+ hour => $hour,
+ minute => $minute,
+ weekday => $weekday,
+ ensure => present,
+ require => File["/usr/local/bin/ssl-cert-check"],
+ }
+ }
}
class ssl::mail inherits ssl {