path: root/sitemodules/profiles/files/icinga2_external_commands/check_ocsp
#! /bin/bash
# vim: noet si ai
# @(#)(CAcert) $Id: check_ocsp,v 1.1 2018/08/18 09:42:58 wytze Exp $
# check_ocsp - icinga2 plugin for checking status of OCSP responder service

set -e

# Example values for manual testing (comments only, never read by the script):
#RESPONDER=http://ocsp1.cacert.org:80
#SERIAL=0xbb3c6
#CLASS=class1

# Plugin name as shown in the usage text and in getopt's diagnostics.
PROG=${0##*/}

usage()
{
	# Print the invocation synopsis on stdout and leave with status 1.
	printf '%s\n' "Usage: ${PROG} -r ocsp-responder -s serial -c class"
	exit 1
}

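# --- argument parsing --------------------------------------------------------
# Enhanced (util-linux) getopt is required for --long; it emits a shell-quoted
# argument list, which is why the eval below is safe to re-read it with.
if args=$(getopt -o r:s:c: --long responder:,serial:,class: -n "${PROG}" -- "$@")
then
	eval set -- "${args}"
else
	usage
fi

while true
do
	case "$1" in
		-r|--responder)
			shift
			RESPONDER=$1
			shift ;;
		-s|--serial)
			shift
			SERIAL=$1
			shift ;;
		-c|--class)
			shift
			CLASS="$1"
			shift ;;
		--)
			shift
			break ;;
		*)
			# getopt guarantees only the options above reach this loop.
			echo "${PROG}: Internal error!" 1>&2
			exit 1 ;;
	esac
done
# No positional arguments are accepted.
test $# -eq 0 || usage

# All three options are mandatory.
test -z "${RESPONDER}" && usage
test -z "${SERIAL}"    && usage
test -z "${CLASS}"     && usage

# --- locate the CA store and the CAcert issuer certificates -------------------
# CAPATH is handed to openssl as the trust store used to verify the OCSP
# response signature; CLASS1/CLASS3 are the issuer certificates of the
# two CAcert classes the -c option can name.
if [ -d /etc/pki/tls/certs ]
then
	# Fedora setup
	CAPATH=/etc/pki/tls/certs/ca.d
#	CAFILE=/etc/pki/tls/certs/cacert-bundle.crt
	CLASS1=${CAPATH}/../cacert-root.crt
	CLASS3=${CAPATH}/../cacert-class3.crt
elif [ -d /var/lib/ca-certificates ]
then
	# OpenSUSE setup
	CAPATH=/var/lib/ca-certificates/openssl
#	CAFILE=/var/lib/ca-certificates/ca-bundle.pem
	CLASS1=${CAPATH}/CA_Cert_Signing_Authority.pem
	CLASS3=${CAPATH}/CAcert_Class_3_Root.pem
elif [ -d /usr/share/ca-certificates/CAcert ]
then
	# Debian setup
	CAPATH=/etc/ssl/certs
	CLASS1=${CAPATH}/root_X0F.pem
	CLASS3=${CAPATH}/cacert_class3_2021.pem
else
	# unsupported
	echo "${PROG}: unsupported OS environment" 1>&2
	echo "${PROG}: CAPATH, CLASS1 and CLASS3 are undefined" 1>&2
	exit 1
fi

case ${CLASS} in
	class1)
		ISSUER=${CLASS1}
		;;
	class3)
		ISSUER=${CLASS3}
		;;
	*)
		# Unknown class: report UNKNOWN rather than a misleading CRITICAL.
		echo "UNKNOWN: bad class specification: ${CLASS}"
		exit 3
		;;
esac

if [ ! -f "${ISSUER}" ]; then
	echo "CRITICAL: issuer certificate file ${ISSUER} not found."
	exit 2
fi

# --- query the responder -----------------------------------------------------
# mktemp gives an unpredictable, private file; the trap removes it on every
# exit path (normal exit and HUP/INT/QUIT/TERM).
TMP=$(mktemp)
trap 'rm -f -- "${TMP}"' 0 1 2 3 15

# stdout and stderr are captured together: the verification verdict, the
# status line and any OpenSSL error text are all needed below, and they are
# echoed back to the operator whenever the check is not OK.
if ! openssl ocsp -issuer "${ISSUER}" -serial "${SERIAL}" -CApath "${CAPATH}" -url "${RESPONDER}" -resp_text >"${TMP}" 2>&1; then
	echo "CRITICAL: openssl ocsp command failed"
	echo
	echo "captured output:"
	cat "${TMP}"
	exit 2
fi

# A "<serial>: good" line is only meaningful when the response signature
# verified against the CA store. openssl still prints the per-serial status
# after "Response Verify Failure" (see the sample output at the end of this
# file), and the exit status may not reflect that failure on every OpenSSL
# release, so the verdict line is checked explicitly before the status.
if ! grep -qF -- "Response verify OK" "${TMP}"; then
	echo "CRITICAL: OCSP response signature could not be verified"
	echo
	echo "captured output:"
	cat "${TMP}"
	exit 2
fi

# -F / --: the serial comes from the command line and must be matched
# literally, not as a regular expression.
if grep -qF -- "${SERIAL}: good" "${TMP}"; then
	echo "OK: OCSP check successful, certificate OK"
	exit 0
fi

if grep -qF -- "${SERIAL}: revoked" "${TMP}"; then
	echo "WARNING: OCSP check successful, certificate revoked"
	exit 1
fi

# Neither "good" nor "revoked" for the requested serial (e.g. "unknown",
# or a response for a different serial): report UNKNOWN with the raw output.
echo "UNKNOWN: unexpected response"
echo
echo "captured output:"
cat "${TMP}"
exit 3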

##Response Verify Failure
##17914:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:certificate has expired
##0xbb3c6: good
##	This Update: Aug 22 09:14:14 2013 GMT
##	Next Update: Aug 24 10:27:55 2013 GMT
##
##Response verify OK
##0xbb3c6: good
##        This Update: Aug 22 15:02:02 2013 GMT
##        Next Update: Aug 24 15:13:25 2013 GMT