#! /usr/bin/env ruby # # check-certificate-expiry # # DESCRIPTION: # Checks expiration date on certificate. If no certificate is passed it checks # all certs in account. Will use default provider if no access key and secret are passed # # OUTPUT: # plain-text # # PLATFORMS: # Linux # # DEPENDENCIES: # gem: aws-sdk # gem: sensu-plugin # # USAGE: # ./check-certificate-expiry.rb --server-certificate-name ${cert_name} --warning 45 --critical 30 # # NOTES: # Based heavily on Yohei Kawahara's check-ec2-network # # LICENSE: # Zach Bintliff # Released under the same terms as Sensu (the MIT license); see LICENSE # for details. # require 'sensu-plugin/check/cli' require 'aws-sdk' class CheckCertificateExpiry < Sensu::Plugin::Check::CLI option :aws_access_key, short: '-a AWS_ACCESS_KEY', long: '--aws-access-key AWS_ACCESS_KEY', description: "AWS Access Key. Either set ENV['AWS_ACCESS_KEY'] or provide it as an option. Uses Default Credential if none are passed", default: ENV['AWS_ACCESS_KEY'] option :aws_secret_access_key, short: '-k AWS_SECRET_KEY', long: '--aws-secret-access-key AWS_SECRET_KEY', description: "AWS Secret Access Key. Either set ENV['AWS_SECRET_KEY'] or provide it as an option. Uses Default Credential if none are passed", default: ENV['AWS_SECRET_KEY'] option :aws_region, short: '-r AWS_REGION', long: '--aws-region REGION', description: 'AWS Region (defaults to us-east-1).', default: 'us-east-1' option :server_certificate_name, short: '-n CERTIFICATE_NAME', long: '--server-certificate-name CERTIFICATE_NAME', description: 'Certificate to check. Checks all if not passed' option :warning, short: '-w N', long: '--warning VALUE', description: 'Issue a warning if the Cert will expire in under VALUE days' option :critical, short: '-c N', long: '--critical VALUE', description: 'Issue a critical if the Cert will expire in under VALUE days', default: 0 def aws_config { access_key_id: config[:aws_access_key], secret_access_key: config[:aws_secret_access_key], region: config[:aws_region] } end def aws_client(opts = {}) config = aws_config.merge(opts) @aws_client ||= Aws::IAM::Client.new config end def get_cert(cert_name) aws_client.get_server_certificate(server_certificate_name: cert_name).server_certificate.server_certificate_metadata end def check_expiry(cert, reportstring, warnflag, critflag) expiration = cert.expiration.gmtime current_time = Time.now.gmtime time_to_expiry = (expiration - current_time).to_i / (24 * 60 * 60) ## Seconds to days, integer division if time_to_expiry <= config[:critical].to_i critflag = true reportstring += if time_to_expiry < 1 " #{cert.server_certificate_name} certificate is expired!" else " #{cert.server_certificate_name} certificate expires in #{time_to_expiry} days;" end elsif time_to_expiry <= config[:warning].to_i warnflag = true reportstring += " #{cert.server_certificate_name} certificate expires in #{time_to_expiry} days;" end [reportstring, warnflag, critflag] end def run warnflag = false critflag = false reportstring = '' if config[:server_certificate_name].nil? aws_client.list_server_certificates.server_certificate_metadata_list.each do |cert| reportstring, warnflag, critflag = check_expiry(cert, reportstring, warnflag, critflag) end else reportstring, warnflag, critflag = check_expiry(get_cert(config[:server_certificate_name]), reportstring, warnflag, critflag) end if critflag critical reportstring elsif warnflag warning reportstring else ok 'All checked Certificates are ok' end end end