#! /bin/bash
# vim: noet si ai
# @(#)(CAcert) $Id: check_ocsp,v 1.1 2018/08/18 09:42:58 wytze Exp $
# check_ocsp - icinga2 plugin for checking status of OCSP responder service
# Stop at the first failing command; the steps below that must survive a
# non-zero status say so explicitly.
set -e
# Example values for the three mandatory options (documentation only):
#RESPONDER=http://ocsp1.cacert.org:80
#SERIAL=0xbb3c6
#CLASS=class1
# Script name without its directory; used as the prefix of diagnostics.
PROG="$(basename "$0")"
#######################################
# Print the command-line synopsis and terminate the script.
# Globals:   PROG (read) - script name shown in the synopsis
# Outputs:   synopsis on stdout (the channel the monitoring system displays)
# Returns:   never; exits with status 1
#######################################
usage() {
  printf 'Usage: %s -r ocsp-responder -s serial -c class\n' "${PROG}"
  exit 1
}
# ---- Command-line parsing -------------------------------------------------
# getopt normalises the arguments (short and long forms, "--" terminator);
# the long-option syntax needs GNU enhanced getopt.  An unknown option or a
# missing option argument makes getopt fail, which shows the synopsis.
if ! args=$(getopt -o r:s:c: --long responder:,serial:,class: -n "${PROG}" -- "$@"); then
  usage
fi
# getopt emits its result shell-quoted, so it is re-parsed with eval.
eval set -- "${args}"

while true; do
  case "$1" in
    -r|--responder)
      RESPONDER=$2
      shift 2 ;;
    -s|--serial)
      SERIAL=$2
      shift 2 ;;
    -c|--class)
      CLASS=$2
      shift 2 ;;
    --)
      shift
      break ;;
    *)
      # getopt has already rejected unknown options, so this should not happen.
      echo "${PROG}: Internal error!" 1>&2
      exit 1 ;;
  esac
done

# No positional arguments are accepted and all three options are mandatory.
[ $# -eq 0 ] || usage
[ -n "${RESPONDER}" ] || usage
[ -n "${SERIAL}" ] || usage
[ -n "${CLASS}" ] || usage
# ---- Locate the CAcert root certificates for this distribution ----------
# CAPATH is the directory handed to "openssl ocsp -CApath"; CLASS1/CLASS3
# are the issuer certificates the -c option chooses between.  The known
# layouts are probed in a fixed order and the first match wins.
layout=unsupported
if [[ -d /etc/pki/tls/certs ]]; then
  layout=fedora
elif [[ -d /var/lib/ca-certificates ]]; then
  layout=opensuse
elif [[ -d /usr/share/ca-certificates/CAcert ]]; then
  layout=debian
fi

case ${layout} in
  fedora)
    CAPATH=/etc/pki/tls/certs/ca.d
    # CAFILE=/etc/pki/tls/certs/cacert-bundle.crt
    # The CAcert roots sit next to ca.d, hence the "..".
    CLASS1=${CAPATH}/../cacert-root.crt
    CLASS3=${CAPATH}/../cacert-class3.crt
    ;;
  opensuse)
    CAPATH=/var/lib/ca-certificates/openssl
    # CAFILE=/var/lib/ca-certificates/ca-bundle.pem
    CLASS1=${CAPATH}/CA_Cert_Signing_Authority.pem
    CLASS3=${CAPATH}/CAcert_Class_3_Root.pem
    ;;
  debian)
    CAPATH=/etc/ssl/certs
    CLASS1=${CAPATH}/root_X0F.pem
    CLASS3=${CAPATH}/cacert_class3_2021.pem
    ;;
  *)
    # None of the known layouts is present; nothing sensible can be queried.
    echo "$0: unsupported OS environment" 1>&2
    echo "$0: CAPATH, CLASS1 and CLASS3 are undefined" 1>&2
    exit 1
    ;;
esac
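# ---- Select the issuer certificate for the requested class -------------
# "openssl ocsp -issuer" needs the certificate that signed the serial being
# queried; CLASS1/CLASS3 were set by the distribution detection above.
case ${CLASS} in
  class1)
    ISSUER=${CLASS1}
    ;;
  class3)
    ISSUER=${CLASS3}
    ;;
  *)
    # Exit 3 (UNKNOWN) for the monitoring system: the check is misconfigured,
    # nothing is known about the responder itself.
    echo "Bad class specification: ${CLASS}"
    exit 3
    ;;
esac
# A missing or unreadable issuer file is a local configuration problem, not a
# responder failure; report it as UNKNOWN with a clear message rather than
# letting openssl fail later with an opaque error.
if [[ ! -r "${ISSUER}" ]]; then
  echo "Issuer certificate not readable: ${ISSUER}"
  exit 3
fi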
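# ---- Query the responder and turn the answer into a plugin result -------
# Exit 3 (UNKNOWN) if no scratch file can be created: that is a local problem.
TMP=$(mktemp) || { echo "${PROG}: mktemp failed"; exit 3; }
# Remove the scratch file on every exit path, including signals.
trap 'rm -f -- "${TMP}"' EXIT HUP INT QUIT TERM

# Both streams are captured: openssl writes the verification verdict
# ("Response verify OK" / "Response Verify Failure") and any error to stderr
# and the certificate status lines to stdout; see the sample output at the
# end of the file.  openssl exits non-zero when verification fails, and with
# "set -e" that would terminate the script right here with status 1 and no
# output, so its status is deliberately ignored: the captured text decides.
openssl ocsp -issuer "${ISSUER}" -serial "${SERIAL}" -CApath "${CAPATH}" \
  -url "${RESPONDER}" >"${TMP}" 2>&1 || true

# Condense the response to one line for the monitoring system.  The first
# line is taken as the verification verdict, the "This/Next Update" lines are
# dropped and everything else (e.g. "<serial>: good") is appended.  Exit 2
# (CRITICAL) unless the verdict is "Response verify OK".
# NOTE: only the verdict sets the exit code; the certificate status
# (good/revoked/unknown) appears in the text but does not affect it.
EXITCODE=0
awk '
  NR == 1 {
    response = $0
    next
  }
  /This Update:/ { next }
  /Next Update:/ { next }
  {
    answer = answer " " $0
  }
  END {
    exitcode = (response == "Response verify OK") ? 0 : 2
    print response " " answer
    exit exitcode
  }
' "${TMP}" || EXITCODE=$?
# The EXIT trap removes the scratch file; hand the awk verdict on as the
# plugin status.
exit "${EXITCODE}"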
##Response Verify Failure
##17914:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:certificate has expired
##0xbb3c6: good
## This Update: Aug 22 09:14:14 2013 GMT
## Next Update: Aug 24 10:27:55 2013 GMT
##
##Response verify OK
##0xbb3c6: good
## This Update: Aug 22 15:02:02 2013 GMT
## Next Update: Aug 24 15:13:25 2013 GMT