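#!/usr/bin/perl -w
# Check peer certificate validity for Zabbix
# Require perl module : IO::Socket, Net::SSLeay, Date::Parse
# External programs   : none -- the notAfter date is read in-process through
#                       Net::SSLeay instead of piping the PEM through a shell
#                       to the openssl binary
#
# Based on sslexpire from Emmanuel Lacour
#
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2, or (at your option) any
# later version.
#
# This file is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this file; see the file COPYING. If not, write to the Free
# Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
# 02110-1301, USA.
#

use strict;
use IO::Socket;
use Net::SSLeay;
use Getopt::Long;
use Date::Parse;

Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# Default values
my $host = '127.0.0.1';
my $port = '443';

my %opts;
GetOptions(
    \%opts,
    'host|h=s',
    'port|p=s',
    'help',
);

if ($opts{'host'}) {
    $host = $opts{'host'};
}
if ($opts{'port'}) {
    $port = $opts{'port'};
}
if ($opts{'help'}) {
    usage();
}

# Print program usage on stdout, then exit with status 0.
sub usage {
    print <<'EOT';
Usage: sslexpire [OPTION]...

-h, --host=HOST      check this host
-p, --port=TCPPORT   check this port on the previous host
    --help           print this help, then exit
EOT
    exit;
}

# Return the peer certificate's notAfter date as text (the same
# "Mon DD HH:MM:SS YYYY GMT" form that `openssl x509 -enddate` prints),
# or undef when the TCP connection fails or no certificate is presented.
#
# The context is left at its default settings and no verification is
# requested here: the chain and the host name are NOT checked, so the date
# describes whatever endpoint answered on $l_host:$l_port. That is what an
# expiry probe needs (an expired or self-signed certificate must still be
# readable), but the result must not be read as proof of the peer's identity.
sub getExpire {
    my ($l_host, $l_port) = @_;
    my $l_expdate;

    # Connect to $l_host:$l_port
    my $socket = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $l_host,
        PeerPort => $l_port,
    );
    return $l_expdate unless $socket;

    # Initiate ssl
    my $l_ctx = Net::SSLeay::CTX_new();
    my $l_ssl = Net::SSLeay::new($l_ctx);
    Net::SSLeay::set_fd($l_ssl, fileno($socket));

    # Send SNI when the target is a name, so that a name-based virtual host
    # presents the certificate for that name instead of its default one.
    # Skipped for IP literals and when this Net::SSLeay build lacks the call.
    if (   $l_host !~ /\A[\d.]+\z/
        && $l_host !~ /:/
        && defined &Net::SSLeay::set_tlsext_host_name)
    {
        Net::SSLeay::set_tlsext_host_name($l_ssl, $l_host);
    }

    # The handshake result is deliberately not used as a gate: a handshake
    # that fails late may still have delivered the server certificate.
    Net::SSLeay::connect($l_ssl);

    # Get peer certificate
    my $l_x509 = Net::SSLeay::get_peer_certificate($l_ssl);
    if ($l_x509) {
        # Read notAfter in-process. The previous version interpolated the PEM
        # text into a `echo "..." | openssl ...` shell command line, which put
        # peer-supplied data on a shell command line and folded openssl's
        # stderr into the "date".
        my $l_not_after = Net::SSLeay::X509_get_notAfter($l_x509);
        $l_expdate = Net::SSLeay::P_ASN1_TIME_put2string($l_not_after)
            if $l_not_after;

        # Release the certificate object returned by get_peer_certificate.
        Net::SSLeay::X509_free($l_x509);
    }

    # Close and cleanup
    Net::SSLeay::free($l_ssl);
    Net::SSLeay::CTX_free($l_ctx);
    close $socket;

    return $l_expdate;
}

# Print the number of days remaining before expiration (negative once the
# certificate has expired). When no date was obtained, or the date text
# cannot be parsed, print an error and exit with status 1 rather than
# emitting a number computed from an undefined timestamp.
sub report {
    my ($l_expdate) = @_;

    my $l_epochdate = defined $l_expdate ? str2time($l_expdate) : undef;
    if (!defined $l_epochdate) {
        print "Unable to read certificate!\n";
        exit(1);
    }

    # Difference between expiration date and now, in days
    my $l_diff = ($l_epochdate - time) / (3600 * 24);
    printf "%.0f\n", $l_diff;
    return;
}

# Get expiration date
my $expdate = getExpire($host, $port);

# Report
report($expdate);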