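#!/bin/bash
# mdmcertcheck.sh is the script for checking a cert status
# author mikedmorto 2021 year
#
# Usage:  mdmcertcheck.sh <metric> [<item>]
#   metric  discovery | isexist | valid | valid_status | expire |
#           certholder | script.version | help
#   item    "domain|ip|port" - required by every metric except
#           discovery, script.version and help
# Output:  one value on stdout per call (LLD JSON for discovery);
#          on any error the sentinel "-1" is printed and the script
#          exits with status 1, diagnostics go to stderr only.
# Config:  CERTLIST holds lines "cert=domain|ip|port"; lines starting
#          with '#' are ignored and anything after a ':' is dropped.
#          The path is relative to the current working directory.

export LC_ALL=""
export LANG="en_US.UTF-8"

readonly VERSION="1.0"
CERTLIST="certlist.cfg"   # not readonly: callers may point it elsewhere
CTIMEOUT="1"              # seconds granted to the TLS handshake

#######################################
# Print the "-1" sentinel and stop the script.
# Arguments: $1 - optional diagnostic, written to stderr only so the
#                 stdout value stays parseable
# Returns:   never (exit 1)
#######################################
error() {
  if [[ -n "${1:-}" ]]; then
    printf '%s\n' "$1" >&2
  fi
  echo "-1"
  exit 1
}

##### PARAMETERS #####
METRIC="$1"
ITEM="$2"

CERT_DOMAIN=""
CERT_IP=""
CERT_PORT=""
CERT_BODY=""

#######################################
# Split an item "domain|ip|port" into its three globals.
# Globals:   CERT_DOMAIN, CERT_IP, CERT_PORT (written)
# Arguments: $1 - the item string; empty -> error()
#######################################
parse_item() {
  local titem=$1
  if [[ -z "$titem" ]]; then
    error "empty item, expected domain|ip|port"
  fi
  # split on '|' only; a missing field stays empty, extra fields are ignored
  IFS='|' read -r CERT_DOMAIN CERT_IP CERT_PORT _rest <<<"$titem"
}

#######################################
# Fetch the TLS handshake output of the server into CERT_BODY.
# Globals:   CERT_DOMAIN, CERT_IP, CERT_PORT, CTIMEOUT (read)
#            CERT_BODY (written)
# Notes:     the empty stdin line makes s_client close right after the
#            handshake; `timeout` aborts a hanging connection after
#            CTIMEOUT seconds. The item values only ever reach openssl as
#            quoted arguments, never through a shell re-parse.
#######################################
get_cert() {
  if ! CERT_BODY=$(echo | timeout "$CTIMEOUT" openssl s_client \
      -servername "$CERT_DOMAIN" -verify_hostname "$CERT_DOMAIN" \
      -connect "${CERT_IP}:${CERT_PORT}" 2>/dev/null); then
    error "cannot connect to ${CERT_IP}:${CERT_PORT}"
  fi
}

#######################################
# Print Zabbix LLD JSON with one {#CERT} macro per "cert=" config line.
# Globals:   CERTLIST (read)
# Outputs:   { "data":[ {...}, {...}]} on stdout. A missing or empty
#            config yields { "data":[]} instead of the malformed
#            document the old "strip last char" approach produced.
#######################################
discovery() {
  local rec sep=" "
  local json='{ "data":['
  # value = text after "cert=" up to the first ':'; empty values are skipped
  while IFS= read -r rec; do
    [[ -n "$rec" ]] || continue
    # escape JSON metacharacters so one odd config line cannot break the document
    rec=${rec//\\/\\\\}
    rec=${rec//\"/\\\"}
    json+="${sep}{\"{#CERT}\":\"${rec}\"}"
    sep=", "
  done < <(awk -F: '/^cert=/ { sub(/^cert=/, "", $1); print $1 }' "$CERTLIST")
  json+="]}"
  printf '%s\n' "$json"
}

#######################################
# First "Verify return code" line of the handshake, trimmed.
# Globals:   CERT_BODY (read)
# Outputs:   e.g. "Verify return code: 0 (ok)", or nothing if absent
# Notes:     new openssl versions print one such line per post-handshake
#            session ticket, so only the first one is used.
#######################################
verify_status_line() {
  grep -E '^ *Verify return code:' <<<"$CERT_BODY" \
    | sed -n '1{s/^ *//;p;}' \
    | tr -s ' '
}

#######################################
# Whether the chain verified cleanly.
# Globals:   CERT_BODY (read)
# Outputs:   "1" when the verify return code is 0, otherwise "0"
#            (including when no verify line is present)
#######################################
cert_valid() {
  local code
  code=$(verify_status_line | cut -d' ' -f4)
  # string compare: an empty code must give "0", not a test(1) error
  if [[ "$code" == "0" ]]; then
    echo "1"
  else
    echo "0"
  fi
}

#######################################
# Days until the certificate's notAfter date (negative once expired).
# Globals:   CERT_BODY (read)
# Outputs:   integer day count on stdout
# Notes:     `date -d` is GNU date. Without the emptiness check, `date -d ""`
#            silently resolves to today and reports a bogus 0 days.
#######################################
cert_expire_days() {
  local expire_date expire_epoch now_epoch
  expire_date=$(openssl x509 -noout -enddate <<<"$CERT_BODY" 2>/dev/null | cut -d'=' -f2)
  [[ -n "$expire_date" ]] || error "no certificate found in handshake output"
  expire_epoch=$(date -d "$expire_date" +%s) || error "Failed to get expire date"
  now_epoch=$(date +%s)
  echo $(( (expire_epoch - now_epoch) / (3600 * 24) ))
}

#######################################
# Extract the CN of the Issuer line from `openssl x509 -text` output.
# Inputs:    certificate text on stdin
# Outputs:   the CN value on stdout, or nothing if no Issuer line
# Notes:     tolerates both "CN=Name" and the "CN = Name" spacing that
#            newer openssl versions print.
#######################################
issuer_cn() {
  sed -n 's/ *Issuer: *//p' | sed -n 's/.*CN *= *//p'
}

#######################################
# Issuer CN of the server certificate.
# Globals:   CERT_BODY (read)
# Outputs:   the CN string on stdout
#######################################
cert_holder() {
  sed -n '/BEGIN CERTIFICATE/,/END CERT/p' <<<"$CERT_BODY" \
    | openssl x509 -text 2>/dev/null \
    | issuer_cn
}

case "$METRIC" in
  discovery)
    discovery
    exit 0
    ;;
  isexist)
    parse_item "$ITEM"
    get_cert
    # get_cert leaves via error() on failure, so reaching here means the server answered
    echo 1
    ;;
  valid)
    parse_item "$ITEM"
    get_cert
    cert_valid
    ;;
  valid_status)
    parse_item "$ITEM"
    get_cert
    verify_status_line
    ;;
  expire)
    parse_item "$ITEM"
    get_cert
    cert_expire_days
    ;;
  certholder)
    parse_item "$ITEM"
    get_cert
    cert_holder
    ;;
  script.version)
    echo "$VERSION"
    ;;
  help)
    printf '%s\n' \
      'please use these params {' \
      'discovery - discovery items from config file' \
      'isexist - the script has access to server with cert' \
      'valid - the cert is valid (1|0)' \
      'valid_status - the cert status in full text' \
      'expire - how many days for an unvalid state' \
      'certholder - certholder text' \
      'script.version - current version of this script' \
      '}'
    ;;
  *)
    echo ""
    ;;
esac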