check_sslcert

#!/usr/bin/env python3
#-------------------------------------------------------------------------------

import sys
import os
import subprocess
import argparse
import io
import socket
import ssl
import collections
import traceback
import datetime

#-------------------------------------------------------------------------------

_candebug = False
def candebug():
    global _candebug
    return _candebug
def setcandebug(value):
    global _candebug
    _candebug = value

def infomsg(msg):
    if candebug() == True:
        print(msg, flush=True)

def exitnagios(status,message):
    if status=="OK":
        exitcode = 0
    elif status=="WARNING":
        exitcode = 1
    elif status=="CRITICAL":
        exitcode = 2
    elif status=="UNKNOWN":
        exitcode = 3
    else:
        exitcode = 4
    print(status+": "+message, flush=True)
    sys.exit(exitcode)

#-------------------------------------------------------------------------------

original_getaddrinfo = socket.getaddrinfo

def forced_ipv6_gai_family(*args, **kwargs):
    global original_getaddrinfo
    responses = original_getaddrinfo(*args, **kwargs)
    return [response
            for response in responses
            if response[0] == socket.AF_INET6]

def forced_ipv4_gai_family(*args, **kwargs):
    global original_getaddrinfo
    responses = original_getaddrinfo(*args, **kwargs)
    return [response
            for response in responses
            if response[0] == socket.AF_INET]

#-------------------------------------------------------------------------------

def dosslcertcheck(protocol,hostname,port,timeoutvalue,timeoutstatus,certificatedays):
    cert_data = None
    lasterror = ""
    duration = None
    start = datetime.datetime.now(datetime.UTC)
    try:
        context = ssl.create_default_context()
        with socket.create_connection((hostname, port)) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as ssock:
                # https://docs.python.org/3/library/ssl.html#ssl.SSLSocket.getpeercert
                cert_data = ssock.getpeercert()
    except Exception as e:
        lasterror = str(e)
    elapsed = datetime.datetime.now(datetime.UTC)-start
    duration = elapsed.total_seconds()
    #daysremaining = -1

    if cert_data == None:
        exitnagios("CRITICAL","cannot retrieve certificate: "+lasterror+" | time="+str(duration)+" validity=0")
    else:
        alternatives = []
        subject = dict(item[0] for item in cert_data["subject"])
        alternatives.append(subject["commonName"])
        subjectAltName = collections.defaultdict(set)
        for type_, san in cert_data["subjectAltName"]:
            subjectAltName[type_].add(san)
        for item in subjectAltName["DNS"]:
            if item not in alternatives:
                alternatives.append(item)
        infomsg(alternatives)
        matching = False
        for item in alternatives:
            if item == hostname:
                matching = True
                break

        if certificatedays!="":
            certexpirationraw = None
            certexpirationparsed = None
            try:
                infomsg(cert_data)
                certexpirationraw = cert_data["notAfter"]
                infomsg("Expiry date: "+str(certexpirationraw))
                if certexpirationraw != None:
                    from dateutil.parser import parse
                    certexpirationparsed = parse(cert_data["notAfter"])
            except:
                infomsg(str(traceback.format_exc()))
                pass

            if certexpirationparsed==None:
                exitnagios("CRITICAL","cannot parse certificate expiration date '"+str(certexpirationraw)+"' | time="+str(duration)+" validity=0")
            else:
                today = datetime.datetime.now(datetime.UTC)
                timeremaining = certexpirationparsed.timestamp()-today.timestamp()
                daysremaining = int(timeremaining/86400)

        if matching == False:
            exitnagios("CRITICAL","the valid domain names in the certificate do not match the hostname '"+hostname+"' | time="+str(duration)+" validity="+str(daysremaining))

        certificatedaysparts = certificatedays.split(",")
        criticaldays = int(certificatedaysparts[0])
        if len(certificatedaysparts)>1:
            warningdays = int(certificatedaysparts[1])
        else:
            warningdays = -1
        if daysremaining<criticaldays:
            exitnagios("CRITICAL","the certificate is expiring in '"+str(daysremaining)+"' days | time="+str(duration)+" validity="+str(daysremaining))
        elif daysremaining<warningdays:
            exitnagios("WARNING","the certificate is expiring in '"+str(daysremaining)+"' days | time="+str(duration)+" validity="+str(daysremaining))

        exitnagios("OK","everything seems OK - totaltime: "+str(duration)+" | time="+str(duration)+" validity="+str(daysremaining))

#-------------------------------------------------------------------------------

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("-4", "--ipv4",              action="store_true",  dest="ipv4",             default=False,                                help="use ipv4 (exclusive with ipv6)")
    parser.add_argument("-6", "--ipv6",              action="store_true",  dest="ipv6",             default=False,                                help="use ipv6 (exclusive with ipv4)")
    parser.add_argument("-0", "--ipv0",              action="store_true",  dest="ipv0",             default=False,                                help="do not specify ip protocol version")
    parser.add_argument("-H", "--hostname",                                dest="hostname",         default="",                                   help="server to check")
    parser.add_argument("-p", "--port",                                    dest="port",             default=80,                                   help="port to use, usually 80 or 443")
    parser.add_argument("-t", "--timeout",                                 dest="timeout",          default="10:CRITICAL",                        help="timeout value:STATUS")
    parser.add_argument("-C", "--certificatedays",                         dest="certificatedays",  default="5,20",                               help="minimum number of days a certificate has to be valid crit,warn")
    parser.add_argument("-®", "--debug",             action="store_true",  dest="debug",            default=False,                                help="be more verbose")
    args = parser.parse_args()

    setcandebug(args.debug)

    protocol = None
    exclist = 0
    if args.ipv0 == True :
        protocol = ""
        exclist = exclist+1
    if args.ipv4 == True :
        protocol = "-4"
        exclist = exclist+1
        socket.getaddrinfo = forced_ipv4_gai_family
    if args.ipv6 == True :
        protocol = "-6"
        exclist = exclist+1
        socket.getaddrinfo = forced_ipv6_gai_family
    if (exclist>1) :
        exitnagios("CRITICAL","select ip protocol version 4 or 6, or 0 to relay on OS handling")
    elif (exclist<1) :
        exitnagios("CRITICAL","no protocol selected")

    if (args.hostname == ""):
        exitnagios("CRITICAL","hostname not defined")

    parts = args.timeout.split(":")
    timeoutvalue = int(parts[0])
    if len(parts)>1:
        timeoutstatus = parts[1]
    else:
        timeoutstatus = "CRITICAL"
    if timeoutstatus in ["OK", "WARNING", "CRITICAL", "UNKNOWN"]:
        dosslcertcheck(protocol,args.hostname,args.port,timeoutvalue,timeoutstatus,args.certificatedays)
    else:
        exitnagios("CRITICAL","timeout status is not valid")

main()

#-------------------------------------------------------------------------------