authorJan Dittberner <jandd@cacert.org>2021-05-24 11:47:54 +0200
committerJan Dittberner <jandd@cacert.org>2021-05-24 11:47:54 +0200
commit04941fa806e68029238de7d152a7bfe72a5d246d (patch)
tree01e549d3574fa011d1587dc53ce2b46fafaae05d
parentb4f8c0a230ad2892a578da87ce48cdbfde16c58e (diff)
Make ssl_cert_cacert available on extmon
This adds the ssl_cert_cacert CheckCommand definition globally.
-rw-r--r--sitemodules/profiles/files/icinga2_external_commands/external-commands.conf213
1 files changed, 213 insertions, 0 deletions
diff --git a/sitemodules/profiles/files/icinga2_external_commands/external-commands.conf b/sitemodules/profiles/files/icinga2_external_commands/external-commands.conf
index 3e5c38f..ae04c8d 100644
--- a/sitemodules/profiles/files/icinga2_external_commands/external-commands.conf
+++ b/sitemodules/profiles/files/icinga2_external_commands/external-commands.conf
@@ -21,3 +21,216 @@ object CheckCommand "ocsp" {
}
}
}
+
+object CheckCommand "ssl_cert_cacert" {
+ import "ipv4-or-ipv6"
+
+ command = [ PluginContribDir + "/check_ssl_cert" ]
+
+ arguments = {
+ "-H" = {
+ value = "$ssl_cert_address$"
+ description = "The host's address"
+ required = true
+ }
+ "-p" = {
+ value = "$ssl_cert_port$"
+ description = "TCP port number (default: 443)"
+ }
+ "-f" = {
+ value = "$ssl_cert_file$"
+ description = "Local file path (works with -H localhost only)"
+ }
+ "-w" = {
+ value = "$ssl_cert_warn$"
+ description = "Minimum number of days a certificate has to be valid"
+ }
+ "-c" = {
+ value = "$ssl_cert_critical$"
+ description = "Minimum number of days a certificate has to be valid to issue a critical status"
+ }
+ "-n" = {
+ value = "$ssl_cert_cn$"
+ description = "Pattern to match the CN of the certificate"
+ }
+ "--altnames" = {
+ set_if = "$ssl_cert_altnames$"
+ description = "Matches the pattern specified in -n with alternate"
+ }
+ "-i" = {
+ value = "$ssl_cert_issuer$"
+ description = "Pattern to match the issuer of the certificate"
+ }
+ "-o" = {
+ value = "$ssl_cert_org$"
+ description = "Pattern to match the organization of the certificate"
+ }
+ "-e" = {
+ value = "$ssl_cert_email$"
+ description = "Pattern to match the email address contained in the certificate"
+ }
+ "-N" = {
+ set_if = "$ssl_cert_match_host$"
+ description = "Match CN with the host name"
+ }
+ "--serial" = {
+ value = "$ssl_cert_serial$"
+ description = "Pattern to match the serial number"
+ }
+ "-A" = {
+ set_if = "$ssl_cert_noauth$"
+ description = "Ignore authority warnings (expiration only)"
+ }
+ "-s" = {
+ set_if = "$ssl_cert_selfsigned$"
+ description = "Allow self-signed certificate"
+ }
+ "--sni" = {
+ value = "$ssl_cert_sni$"
+ description = "Sets the TLS SNI (Server Name Indication) extension"
+ }
+ "-t" = {
+ value = "$ssl_cert_timeout$"
+ description = "Seconds before connection times out (default: 15)"
+ }
+ "-P" = {
+ value = "$ssl_cert_protocol$"
+ description = "Use the specific protocol {http|smtp|pop3|imap|ftp|xmpp|irc|ldap} (default: http)"
+ }
+ "-C" = {
+ value = "$ssl_cert_clientssl_cert$"
+ description = "Use client certificate to authenticate"
+ }
+ "--clientpass" = {
+ value = "$ssl_cert_clientpass$"
+ description = "Set passphrase for client certificate"
+ }
+ "-L" = {
+ value = "$ssl_cert_ssllabs$"
+ description = "SSL Labs assestment"
+ }
+ "--ignore-ssl-labs-cache" = {
+ set_if = "$ssl_cert_ssllabs_nocache$"
+ description = "Forces a new check by SSL Labs"
+ }
+ "-r" = {
+ value = "$ssl_cert_rootssl_cert$"
+ description = "Root certificate or directory to be used for certificate validation"
+ }
+ "--ssl2" = {
+ set_if = {{
+ return macro("$ssl_cert_ssl_version$") == "ssl2"
+ }}
+ }
+ "--ssl3" = {
+ set_if = {{
+ return macro("$ssl_cert_ssl_version$") == "ssl3"
+ }}
+ }
+ "--tls1" = {
+ set_if = {{
+ return macro("$ssl_cert_ssl_version$") == "tls1"
+ }}
+ }
+ "--tls1_1" = {
+ set_if = {{
+ return macro("$ssl_cert_ssl_version$") == "tls1_1"
+ }}
+ }
+ "--tls1_2" = {
+ set_if = {{
+ return macro("$ssl_cert_ssl_version$") == "tls1_2"
+ }}
+ }
+ "--tls1_3" = {
+ set_if = {{
+ return macro("$ssl_cert_ssl_version$") == "tls1_3"
+ }}
+ }
+ "--no_ssl2" = {
+ set_if = {{
+ var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
+ if (typeof(disable_versions) == String) {
+ disable_versions = [ disable_versions ]
+ }
+ return "ssl2" in disable_versions
+ }}
+ }
+ "--no_ssl3" = {
+ set_if = {{
+ var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
+ if (typeof(disable_versions) == String) {
+ disable_versions = [ disable_versions ]
+ }
+ return "ssl3" in disable_versions
+ }}
+ }
+ "--no_tls1" = {
+ set_if = {{
+ var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
+ if (typeof(disable_versions) == String) {
+ disable_versions = [ disable_versions ]
+ }
+ return "tls1" in disable_versions
+ }}
+ }
+ "--no_tls1_1" = {
+ set_if = {{
+ var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
+ if (typeof(disable_versions) == String) {
+ disable_versions = [ disable_versions ]
+ }
+ return "tls1_1" in disable_versions
+ }}
+ }
+ "--no_tls1_2" = {
+ set_if = {{
+ var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
+ if (typeof(disable_versions) == String) {
+ disable_versions = [ disable_versions ]
+ }
+ return "tls1_2" in disable_versions
+ }}
+ }
+ "--no_tls1_3" = {
+ set_if = {{
+ var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
+ if (typeof(disable_versions) == String) {
+ disable_versions = [ disable_versions ]
+ }
+ return "tls1_3" in disable_versions
+ }}
+ }
+ "--ecdsa" = {
+ set_if = {{
+ return macro("$ssl_cert_cipher$") == "ecdsa"
+ }}
+ description = "Cipher selection: force ECDSA authentication"
+ }
+ "--rsa" = {
+ set_if = {{
+ return macro("$ssl_cert_cipher$") == "rsa"
+ }}
+ description = "Cipher selection: force RSA authentication"
+ }
+ "--ignore-sig-alg" = {
+ set_if = "$ssl_cert_ignore_signature$"
+ description = "Do not check if the certificate was signed with SHA1 od MD5"
+ }
+ "--ignore-exp" = {
+ set_if = "$ssl_cert_ignore_expiration$"
+ description = "Ignore expiration date"
+ }
+ "--ignore-ocsp" = {
+ set_if = "$ssl_cert_ignore_ocsp$"
+ description = "Do not check revocation with OCSP"
+ }
+ "--ignore-sct" = {
+ set_if = "$ssl_cert_ignore_sct$"
+ description = "Do not check for signed certificate timestamps (SCT)"
+ }
+ }
+
+ vars.ssl_cert_address = "$check_address$"
+ vars.ssl_cert_port = 443
+}
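Review bot: The `"--clientpass"` argument hands the client-certificate passphrase to `check_ssl_cert` as a command-line value, so while the check runs it is readable in the process list by other local users on the monitoring host. It will probably also appear wherever Icinga records the executed command line. If the external monitor never authenticates with a client certificate, this copy of the definition is safer without the `-C` and `--clientpass` entries. If they are needed, add a comment above the entry such as `/* passphrase is passed in argv and is visible in the process list while the check runs */`, and set `ssl_cert_clientpass` only from a source with restricted read access. The `-A`, `-s` and `--ignore-*` switches each turn off part of the certificate validation, so a one-line comment saying they must be justified per service would help reviewers of later service definitions. Separately, the description strings have small typos (`assestment`, `SHA1 od MD5`) and the `--altnames` text stops at `with alternate`.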