Add scripts to monitor PHPki certificates

tags/zabbix-agent-addons-0.2.20-1 0.1.12_el5
Daniel Berteaud 11 years ago
parent ff2021b1a9
commit 7083976d5a
  1. 13
      conf/phpki_certs.conf
  2. 33
      zabbix_scripts/check_certs_sudo
  3. 49
      zabbix_scripts/disco_certs_sudo

@ -0,0 +1,13 @@
# Discovery of certificates and their status
# Key: pki.certs.discovery
# Macro:
# - {#CRTCN} : contains the common name
# - {#CRTSERIAL} : the serial number
# - {#CRTSTATUS} : the status, as a string (valid, revoked, expired)
# Available arguments:
# --index : path to the index file
# --path : directory where certificatres are stored, certificates should be named $serial.pem (in PEM format)
UserParameter=pki.certs.discovery,/usr/bin/sudo /var/lib/zabbix/bin/disco_certs_sudo --index=/opt/phpki/phpki-store/CA/index.txt --path=/opt/phpki/phpki-store/CA/newcerts/
UserParameter=pki.certs[*],/usr/bin/sudo /var/lib/zabbix/bin/check_certs_sudo --what=$1 --cert=$2

@ -0,0 +1,33 @@
#!/usr/bin/perl -w
# Check a PEM certificate
# --what: what to monitor. Only expire is supported for now, and returns the number of day before expiration
# --cert: the path to the certificate you want to check
use strict;
use warnings;
use Crypt::OpenSSL::X509;
use Date::Parse;
use Getopt::Long;
my $what = 'expire';
my $cert = '';
GetOptions(
"cert=s" => \$cert,
"what=s" => \$what
);
die "Usage: $0 --what=status --cert=/path/to/pem/certificate\n" unless
(-f $cert);
$cert = Crypt::OpenSSL::X509->new_from_file( "$cert" );
my $expire_in = int ((str2time($cert->notAfter())-time())/(3600*24));
if ($what eq 'expire'){
print $expire_in;
}
else{
die "Only expire is supported for now";
}

@ -0,0 +1,49 @@
#!/usr/bin/perl -w
use strict;
use warnings;
use Crypt::OpenSSL::X509;
use Date::Parse;
use Getopt::Long;
use JSON;
my $index = '/opt/phpki/phpki-store/CA/index.txt';
my $path = '/opt/phpki/phpki-store/CA/newcerts';
GetOptions(
"index=s" => \$index,
"path=s" => \$path
);
open INDEX, "$index" or die "Couldn't open $index\n";
my $json;
foreach my $l (<INDEX>){
next unless $l =~ m/^([VR])\t\d+Z\t(\d+Z)?\t(\w+)\tunknown\t.*/;
my $status = $1;
my $serial = $3;
my $cert = Crypt::OpenSSL::X509->new_from_file( "$path/$serial.pem" );
my $expire_in = int ((str2time($cert->notAfter())-time())/(3600*24));
if ($status eq 'V'){
$status = 'valid';
}
elsif ($expire_in lt 0){
$status = 'expired';
}
else{
$status = 'revoked';
}
my $subject = $cert->subject;
$subject =~ m/.*\sCN=(.*),/;
my $cn = $1;
push @{$json->{data}}, {
"{#CRTCN}" => $cn,
"{#CRTSERIAL}" => $serial,
"{#CRTSTATUS}" => $status,
};
}
close INDEX;
print to_json($json);
Loading…
Cancel
Save