Add ssl-expiration probe to check if a ssl certificate is about to expire under a specified time. - reed-alert - Lightweight agentless alerting system for server
git clone git://bitreich.org/reed-alert/ git://enlrupgkhuxnvlhsf6lc3fziv5h2hhfrinws65d7roiv6bfj7d652fid.onion/reed-alert/
---
commit c1bb305f9dd246538db890519a70394b4b7c6d1b
parent 72d28cf74b8fd6ff4c21e0f609ab87bd54ec3f14
Author: Solene Rapenne <solene@perso.pw>
Date: Sat, 20 Oct 2018 20:28:20 +0200
Add ssl-expiration probe to check if a ssl certificate is about to
expire under a specified time.
Contribution from Denis Fondras
Diffstat:
M README | 25 ++++++++++++++++++++++++-
M example-full.lisp | 5 +++++
M probes.lisp | 12 ++++++++++++
3 files changed, 41 insertions(+), 1 deletion(-)
---
DIR diff --git a/README b/README
@@ -294,6 +294,7 @@ This may be the most useful probe because it let the user do any check needed.
Example : `(=> alert command :command "tail -n 10 /var/log/messages | grep -v CRITICAL")`
+
service
-------
Check if a service is started on the system.
@@ -303,6 +304,7 @@ Check if a service is started on the system.
Example : `(=> alert service :name "mysql-server")`
+
file-less-than
--------------
Check if a file has a size less than a specified limit.
@@ -315,9 +317,11 @@ Check if a file has a size less than a specified limit.
Example : `(=> alert file-less-than :path "/var/log/nginx.log" :limit 60)`
+
curl-http-status
----------------
-Do a HTTP request and return an error if the return code isn't 200. Requires curl.
+Do a HTTP request and return an error if the return code isn't
+200. Requires curl.
> Set the url to request.
:url "STRING"
@@ -325,6 +329,25 @@ Do a HTTP request and return an error if the return code isn't 200. Requires cur
> Set the time to wait before aborting.
:timeout INTEGER
+
+ssl-expiration
+--------------------
+Check if a remote SSL certificate expires in less than a specified
+time. Requires openssl.
+
+> Set the hostname for the request.
+ :host "STRING"
+
+> Set the expiration time limit in seconds.
+ :seconds INTEGER
+
+> Set the port for the request (OPTIONAL).
+ :port INTEGER (default to 443)
+
+Example : `(=> alert ssl-expiration :host "domain.local" :seconds (* 7 24 60 60))
+Example : `(=> alert ssl-expiration :host "domain.local" :seconds 86400 :port 6697)
+
+
The configuration file
======================
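Review bot: both new `Example :` lines for ssl-expiration open a backtick that is never closed, unlike the service and file-less-than examples earlier in this file; add the closing backtick after the final parenthesis. The underline under `ssl-expiration` is 20 dashes for a 14-character heading, while the other probe headings use an underline of matching length. Only :port is marked OPTIONAL with a default, so it would help to state explicitly that :host and :seconds are required.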
DIR diff --git a/example-full.lisp b/example-full.lisp
@@ -55,6 +55,11 @@
;; check if web page :url answer under :limit
(=> empty command :command "curl -m 10 http://google.fr/")
+;; check if a certificate is still valid within a time range
+(=> mail ssl-expiration :host "google.fr" :seconds 1296000)
+(=> mail ssl-expiration :host "freenode.net" :seconds (* 7 24 60 60))
+(=> mail ssl-expiration :host "freenode.net" :seconds 1296000 :port 6697)
+
;; we declare a new probe here
(create-probe
check-http-pattern
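Review bot: `:seconds 1296000` on the first and third added lines is hard to read at a glance; the second line already uses `(* 7 24 60 60)`, so writing `(* 15 24 60 60)` would make the 15-day threshold obvious. The comment "still valid within a time range" is also ambiguous; wording such as "alert if the certificate expires within :seconds" would match the README description.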
DIR diff --git a/probes.lisp b/probes.lisp
@@ -120,3 +120,15 @@
(list "curl" "-f"
(format nil "-m~a" (getf params :timeout 5))
(getf params :url))))
+
+(create-probe
+ ssl-expiration
+ (command-return-code
+ (concatenate 'string
+ "echo | openssl s_client -showcerts -servername "
+ (getf params :host) " -connect "
+ (getf params :host) ":" (princ-to-string
+ (getf params :port 443))
+ " 2>/dev/null | openssl x509 -inform pem -noout -checkend "
+ (princ-to-string
+ (getf params :seconds)))))
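Review bot: `:host` and `:port` are concatenated unquoted into a shell pipeline in the `concatenate 'string` form, so a value containing spaces or shell metacharacters changes the command that is run; the curl probe in the context lines above passes its arguments as a list instead. Since this probe needs a pipe, validate the values before building the string (hostname characters only for :host, integers for :port and :seconds) or shell-quote them. `(getf params :seconds)` has no default, so leaving the parameter out passes the printed form of nil to `-checkend`, and the probe then fails for a reason unrelated to the certificate; either give it a default or signal a clear configuration error. With `2>/dev/null` on `s_client` and the result taken from the pipeline, a failed connection and an expiring certificate look the same to the operator, which is worth a sentence in the README if it is intended.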