Define custom_ssl_cert command

The ssl_cert command definition from icinga2-common does not support
client certificates with a separate private key file and uses the
deprecated -n parameter to check_ssl_cert. We override this CheckCommand
with a custom_ssl_cert.
This commit is contained in:
Jan Dittberner 2023-08-19 14:26:48 +02:00
parent 0dedc4304b
commit 9173311c2f
4 changed files with 210 additions and 6 deletions

View file

@ -45,6 +45,209 @@ object CheckCommand "custom_ca_cert" {
vars.ssl_cert_critical = 396
}
object CheckCommand "custom_ssl_cert" {
import "ipv4-or-ipv6"
command = [ PluginContribDir + "/check_ssl_cert" ]
arguments = {
"-H" = {
value = "$ssl_cert_address$"
description = "The host's address"
required = true
}
"-p" = {
value = "$ssl_cert_port$"
description = "TCP port number (default: 443)"
}
"-f" = {
value = "$ssl_cert_file$"
description = "Local file path (works with -H localhost only)"
}
"-w" = {
value = "$ssl_cert_warn$"
description = "Minimum number of days a certificate has to be valid"
}
"-c" = {
value = "$ssl_cert_critical$"
description = "Minimum number of days a certificate has to be valid to issue a critical status"
}
"-m" = {
value = "$ssl_cert_cn$"
description = "Pattern to match the CN of the certificate"
}
"--altnames" = {
set_if = "$ssl_cert_altnames$"
description = "Matches the pattern specified in -n with alternate"
}
"-i" = {
value = "$ssl_cert_issuer$"
description = "Pattern to match the issuer of the certificate"
}
"-o" = {
value = "$ssl_cert_org$"
description = "Pattern to match the organization of the certificate"
}
"-e" = {
value = "$ssl_cert_email$"
description = "Pattern to match the email address contained in the certificate"
}
"-N" = {
set_if = "$ssl_cert_match_host$"
description = "Match CN with the host name"
}
"--serial" = {
value = "$ssl_cert_serial$"
description = "Pattern to match the serial number"
}
"-A" = {
set_if = "$ssl_cert_noauth$"
description = "Ignore authority warnings (expiration only)"
}
"-s" = {
set_if = "$ssl_cert_selfsigned$"
description = "Allow self-signed certificate"
}
"--sni" = {
value = "$ssl_cert_sni$"
description = "Sets the TLS SNI (Server Name Indication) extension"
}
"-t" = {
value = "$ssl_cert_timeout$"
description = "Seconds before connection times out (default: 15)"
}
"-P" = {
value = "$ssl_cert_protocol$"
description = "Use the specific protocol {http|smtp|pop3|imap|ftp|xmpp|irc|ldap} (default: http)"
}
"--clientcert" = {
value = "$ssl_cert_clientcert$"
description = "Use client certificate to authenticate"
}
"--clientpass" = {
value = "$ssl_cert_clientpass$"
description = "Set passphrase for client certificate (for PKCS#12)"
}
"--clientkey" = {
value = "$ssl_cert_clientkey$"
description = "Use private key for client certificate to authenticate"
}
"-L" = {
value = "$ssl_cert_ssllabs$"
description = "SSL Labs assestment"
}
"--ignore-ssl-labs-cache" = {
set_if = "$ssl_cert_ssllabs_nocache$"
description = "Forces a new check by SSL Labs"
}
"-r" = {
value = "$ssl_cert_rootssl_cert$"
description = "Root certificate or directory to be used for certificate validation"
}
"--ssl2" = {
set_if = {{
return macro("$ssl_cert_ssl_version$") == "ssl2"
}}
}
"--ssl3" = {
set_if = {{
return macro("$ssl_cert_ssl_version$") == "ssl3"
}}
}
"--tls1" = {
set_if = {{
return macro("$ssl_cert_ssl_version$") == "tls1"
}}
}
"--tls1_1" = {
set_if = {{
return macro("$ssl_cert_ssl_version$") == "tls1_1"
}}
}
"--tls1_2" = {
set_if = {{
return macro("$ssl_cert_ssl_version$") == "tls1_2"
}}
}
"--no_ssl2" = {
set_if = {{
var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
if (typeof(disable_versions) == String) {
disable_versions = [ disable_versions ]
}
return "ssl2" in disable_versions
}}
}
"--no_ssl3" = {
set_if = {{
var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
if (typeof(disable_versions) == String) {
disable_versions = [ disable_versions ]
}
return "ssl3" in disable_versions
}}
}
"--no_tls1" = {
set_if = {{
var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
if (typeof(disable_versions) == String) {
disable_versions = [ disable_versions ]
}
return "tls1" in disable_versions
}}
}
"--no_tls1_1" = {
set_if = {{
var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
if (typeof(disable_versions) == String) {
disable_versions = [ disable_versions ]
}
return "tls1_1" in disable_versions
}}
}
"--no_tls1_2" = {
set_if = {{
var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
if (typeof(disable_versions) == String) {
disable_versions = [ disable_versions ]
}
return "tls1_2" in disable_versions
}}
}
"--ecdsa" = {
set_if = {{
return macro("$ssl_cert_cipher$") == "ecdsa"
}}
description = "Cipher selection: force ECDSA authentication"
}
"--rsa" = {
set_if = {{
return macro("$ssl_cert_cipher$") == "rsa"
}}
description = "Cipher selection: force RSA authentication"
}
"--ignore-sig-alg" = {
set_if = "$ssl_cert_ignore_signature$"
description = "Do not check if the certificate was signed with SHA1 od MD5"
}
"--ignore-exp" = {
set_if = "$ssl_cert_ignore_expiration$"
description = "Ignore expiration date"
}
"--ignore-ocsp" = {
set_if = "$ssl_cert_ignore_ocsp$"
description = "Do not check revocation with OCSP"
}
"--ignore-sct" = {
set_if = "$ssl_cert_ignore_sct$"
description = "Do not check for signed certificate timestamps"
}
}
vars.ssl_cert_address = "$check_address$"
vars.ssl_cert_port = 443
}
/*
* Local command to check whether the current kernel is the latest installed
* kernel.

View file

@ -20,5 +20,5 @@ object ServiceGroup "procs" {
object ServiceGroup "ceritficates" {
display_name = "X.509 Certificate Checks"
assign where service.check_command in [ "ssl_cert", "custom_ca_cert" ]
assign where service.check_command in [ "custom_ssl_cert", "custom_ca_cert" ]
}

View file

@ -15,7 +15,7 @@ apply Service "apt" {
apply Service "certificate " for (name => config in host.vars.x509_certs) {
import "generic-service"
check_command = "ssl_cert"
check_command = "custom_ssl_cert"
check_interval = 6h
retry_interval = 15m
@ -59,7 +59,7 @@ apply Service "icinga" {
apply Service "icinga API certificate" {
import "generic-service"
check_command = "ssl_cert"
check_command = "custom_ssl_cert"
check_interval = 6h
retry_interval = 15m

View file

@ -119,9 +119,10 @@ object Host "beholder" {
ssl_cert_warn = 30
}
vars.x509_certs["beholder.cacert.org"] = {
ssl_cert_address = "49.13.65.97"
ssl_cert_sni = true
ssl_cert_cn = "beholder.cacert.org"
ssl_cert_address = "beholder.cacert.org"
ssl_cert_sni = "beholder.cacert.org"
ssl_cert_clientcert = "/etc/ssl/public/beholder-client.crt.pem"
ssl_cert_clientkey = "/etc/ssl/private/beholder-client.key.pem"
}
vars.ca_certs["Icinga master"] = {