Add scripts/tls_certificate_check.sh
This commit is contained in:
@@ -0,0 +1,87 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Check HTTPS certificate expiration for one or more domains.
|
||||
#
|
||||
# This script is suitable for manual audits or scheduled checks. It exits with
|
||||
# code 2 when any certificate expires within the warning threshold.
|
||||
#
|
||||
# Usage:
|
||||
# bash tls_certificate_check.sh git.elevartech.com.br
|
||||
# bash tls_certificate_check.sh --warning-days 30 example.com api.example.com
|
||||
#
|
||||
# Options:
|
||||
# --warning-days N Warn when a certificate expires in N days or less. Default: 21.
|
||||
# --port N TLS port to check. Default: 443.
|
||||
# --help Show this help message.
|
||||
|
||||
set -Eeuo pipefail
|
||||
|
||||
warning_days="21"
|
||||
port="443"
|
||||
domains=()
|
||||
|
||||
usage() {
|
||||
sed -n '2,18p' "$0" | sed 's/^# \{0,1\}//'
|
||||
}
|
||||
|
||||
while [[ "$#" -gt 0 ]]; do
|
||||
case "$1" in
|
||||
--warning-days)
|
||||
warning_days="${2:-}"
|
||||
[[ "$warning_days" =~ ^[0-9]+$ ]] || { printf 'ERROR: --warning-days must be an integer.\n' >&2; exit 1; }
|
||||
shift 2
|
||||
;;
|
||||
--port)
|
||||
port="${2:-}"
|
||||
[[ "$port" =~ ^[0-9]+$ ]] || { printf 'ERROR: --port must be an integer.\n' >&2; exit 1; }
|
||||
shift 2
|
||||
;;
|
||||
--help|-h)
|
||||
usage
|
||||
exit 0
|
||||
;;
|
||||
*)
|
||||
domains+=("$1")
|
||||
shift
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
command -v openssl >/dev/null 2>&1 || { printf 'ERROR: openssl command not found.\n' >&2; exit 1; }
|
||||
[[ "${#domains[@]}" -gt 0 ]] || { printf 'ERROR: at least one domain is required.\n' >&2; usage >&2; exit 1; }
|
||||
|
||||
now_epoch="$(date +%s)"
|
||||
warning_seconds="$((warning_days * 86400))"
|
||||
status=0
|
||||
|
||||
for domain in "${domains[@]}"; do
|
||||
certificate_end_date="$(
|
||||
printf '' \
|
||||
| openssl s_client -servername "$domain" -connect "${domain}:${port}" 2>/dev/null \
|
||||
| openssl x509 -noout -enddate 2>/dev/null \
|
||||
| sed 's/^notAfter=//'
|
||||
)"
|
||||
|
||||
if [[ -z "$certificate_end_date" ]]; then
|
||||
printf 'CRITICAL: %s:%s certificate could not be read.\n' "$domain" "$port"
|
||||
status=2
|
||||
continue
|
||||
fi
|
||||
|
||||
end_epoch="$(date -d "$certificate_end_date" +%s)"
|
||||
seconds_left="$((end_epoch - now_epoch))"
|
||||
days_left="$((seconds_left / 86400))"
|
||||
|
||||
if [[ "$seconds_left" -le 0 ]]; then
|
||||
printf 'CRITICAL: %s certificate expired on %s.\n' "$domain" "$certificate_end_date"
|
||||
status=2
|
||||
elif [[ "$seconds_left" -le "$warning_seconds" ]]; then
|
||||
printf 'WARNING: %s certificate expires in %s days on %s.\n' "$domain" "$days_left" "$certificate_end_date"
|
||||
status=2
|
||||
else
|
||||
printf 'OK: %s certificate expires in %s days on %s.\n' "$domain" "$days_left" "$certificate_end_date"
|
||||
fi
|
||||
done
|
||||
|
||||
exit "$status"
|
||||
|
||||
Reference in New Issue
Block a user