Define custom_ssl_cert command

The ssl_cert command definition from icinga2-common does not support
client certificates with a separate private key file and uses the
deprecated -n parameter to check_ssl_cert. We override this CheckCommand
with a custom_ssl_cert.

global-templates/commands.conf

@@ -45,6 +45,209 @@ object CheckCommand "custom_ca_cert" {
   vars.ssl_cert_critical = 396
 }
 
+object CheckCommand "custom_ssl_cert" {
+  import "ipv4-or-ipv6"
+
+  command = [ PluginContribDir + "/check_ssl_cert" ]
+
+  arguments = {
+    "-H" = {
+      value = "$ssl_cert_address$"
+      description = "The host's address"
+      required = true
+    }
+    "-p" = {
+      value = "$ssl_cert_port$"
+      description = "TCP port number (default: 443)"
+    }
+    "-f" = {
+      value = "$ssl_cert_file$"
+      description = "Local file path (works with -H localhost only)"
+    }
+    "-w" = {
+      value = "$ssl_cert_warn$"
+      description = "Minimum number of days a certificate has to be valid"
+    }
+    "-c" = {
+      value = "$ssl_cert_critical$"
+      description = "Minimum number of days a certificate has to be valid to issue a critical status"
+    }
+    "-m" = {
+      value = "$ssl_cert_cn$"
+      description = "Pattern to match the CN of the certificate"
+    }
+    "--altnames" = {
+      set_if = "$ssl_cert_altnames$"
+      description = "Matches the pattern specified in -n with alternate"
+    }
+    "-i" = {
+      value = "$ssl_cert_issuer$"
+      description = "Pattern to match the issuer of the certificate"
+    }
+    "-o" = {
+      value = "$ssl_cert_org$"
+      description = "Pattern to match the organization of the certificate"
+    }
+    "-e" = {
+      value = "$ssl_cert_email$"
+      description = "Pattern to match the email address contained in the certificate"
+    }
+    "-N" = {
+      set_if = "$ssl_cert_match_host$"
+      description = "Match CN with the host name"
+    }
+    "--serial" = {
+      value = "$ssl_cert_serial$"
+      description = "Pattern to match the serial number"
+    }
+    "-A" = {
+      set_if = "$ssl_cert_noauth$"
+      description = "Ignore authority warnings (expiration only)"
+    }
+    "-s" = {
+      set_if = "$ssl_cert_selfsigned$"
+      description = "Allow self-signed certificate"
+    }
+    "--sni" = {
+      value = "$ssl_cert_sni$"
+      description = "Sets the TLS SNI (Server Name Indication) extension"
+    }
+    "-t" = {
+      value = "$ssl_cert_timeout$"
+      description = "Seconds before connection times out (default: 15)"
+    }
+    "-P" = {
+      value = "$ssl_cert_protocol$"
+      description = "Use the specific protocol {http|smtp|pop3|imap|ftp|xmpp|irc|ldap} (default: http)"
+    }
+    "--clientcert" = {
+      value = "$ssl_cert_clientcert$"
+      description = "Use client certificate to authenticate"
+    }
+    "--clientpass" = {
+      value = "$ssl_cert_clientpass$"
+      description = "Set passphrase for client certificate (for PKCS#12)"
+    }
+    "--clientkey" = {
+      value = "$ssl_cert_clientkey$"
+      description = "Use private key for client certificate to authenticate"
+    }
+    "-L" = {
+      value = "$ssl_cert_ssllabs$"
+      description = "SSL Labs assestment"
+    }
+    "--ignore-ssl-labs-cache" = {
+      set_if = "$ssl_cert_ssllabs_nocache$"
+      description = "Forces a new check by SSL Labs"
+    }
+    "-r" = {
+      value = "$ssl_cert_rootssl_cert$"
+      description = "Root certificate or directory to be used for certificate validation"
+    }
+    "--ssl2" = {
+      set_if = {{
+        return macro("$ssl_cert_ssl_version$") == "ssl2"
+      }}
+    }
+    "--ssl3" = {
+      set_if = {{
+        return macro("$ssl_cert_ssl_version$") == "ssl3"
+      }}
+    }
+    "--tls1" = {
+      set_if = {{
+        return macro("$ssl_cert_ssl_version$") == "tls1"
+      }}
+    }
+    "--tls1_1" = {
+      set_if = {{
+        return macro("$ssl_cert_ssl_version$") == "tls1_1"
+      }}
+    }
+    "--tls1_2" = {
+      set_if = {{
+        return macro("$ssl_cert_ssl_version$") == "tls1_2"
+      }}
+    }
+    "--no_ssl2" = {
+      set_if = {{
+        var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
+        if (typeof(disable_versions) == String) {
+          disable_versions = [ disable_versions ]
+        }
+        return "ssl2" in disable_versions
+      }}
+    }
+    "--no_ssl3" = {
+      set_if = {{
+        var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
+        if (typeof(disable_versions) == String) {
+          disable_versions = [ disable_versions ]
+        }
+        return "ssl3" in disable_versions
+      }}
+    }
+    "--no_tls1" = {
+      set_if = {{
+        var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
+        if (typeof(disable_versions) == String) {
+          disable_versions = [ disable_versions ]
+        }
+        return "tls1" in disable_versions
+      }}
+    }
+    "--no_tls1_1" = {
+      set_if = {{
+        var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
+        if (typeof(disable_versions) == String) {
+          disable_versions = [ disable_versions ]
+        }
+        return "tls1_1" in disable_versions
+      }}
+    }
+    "--no_tls1_2" = {
+      set_if = {{
+        var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
+        if (typeof(disable_versions) == String) {
+          disable_versions = [ disable_versions ]
+        }
+        return "tls1_2" in disable_versions
+      }}
+    }
+    "--ecdsa" = {
+      set_if = {{
+        return macro("$ssl_cert_cipher$") == "ecdsa"
+      }}
+      description = "Cipher selection: force ECDSA authentication"
+    }
+    "--rsa" = {
+      set_if = {{
+        return macro("$ssl_cert_cipher$") == "rsa"
+      }}
+      description = "Cipher selection: force RSA authentication"
+    }
+    "--ignore-sig-alg" = {
+      set_if = "$ssl_cert_ignore_signature$"
+      description = "Do not check if the certificate was signed with SHA1 od MD5"
+    }
+    "--ignore-exp" = {
+      set_if = "$ssl_cert_ignore_expiration$"
+      description = "Ignore expiration date"
+    }
+    "--ignore-ocsp" = {
+      set_if = "$ssl_cert_ignore_ocsp$"
+      description = "Do not check revocation with OCSP"
+    }
+    "--ignore-sct" = {
+      set_if = "$ssl_cert_ignore_sct$"
+      description = "Do not check for signed certificate timestamps"
+    }
+  }
+
+  vars.ssl_cert_address = "$check_address$"
+  vars.ssl_cert_port = 443
+}
+
 /*
 * Local command to check whether the current kernel is the latest installed
 * kernel.

global-templates/servicegroups.conf

@@ -20,5 +20,5 @@ object ServiceGroup "procs" {
 object ServiceGroup "ceritficates" {
   display_name = "X.509 Certificate Checks"
 
-  assign where service.check_command in [ "ssl_cert", "custom_ca_cert" ]
+  assign where service.check_command in [ "custom_ssl_cert", "custom_ca_cert" ]
 }

global-templates/services.conf

@@ -15,7 +15,7 @@ apply Service "apt" {
 apply Service "certificate " for (name => config in host.vars.x509_certs) {
   import "generic-service"
 
-  check_command = "ssl_cert"
+  check_command = "custom_ssl_cert"
   check_interval = 6h
   retry_interval = 15m
 
@@ -59,7 +59,7 @@ apply Service "icinga" {
 apply Service "icinga API certificate" {
   import "generic-service"
 
-  check_command = "ssl_cert"
+  check_command = "custom_ssl_cert"
   check_interval = 6h
   retry_interval = 15m
 

master/hosts.conf

@@ -119,9 +119,10 @@ object Host "beholder" {
     ssl_cert_warn = 30
   }
   vars.x509_certs["beholder.cacert.org"] = {
-    ssl_cert_address = "49.13.65.97"
-    ssl_cert_sni = true
-    ssl_cert_cn = "beholder.cacert.org"
+    ssl_cert_address = "beholder.cacert.org"
+    ssl_cert_sni = "beholder.cacert.org"
+    ssl_cert_clientcert = "/etc/ssl/public/beholder-client.crt.pem"
+    ssl_cert_clientkey = "/etc/ssl/private/beholder-client.key.pem"
   }
 
   vars.ca_certs["Icinga master"] = {