Define custom_ssl_cert command
The ssl_cert command definition from icinga2-common does not support client certificates with a separate private key file and uses the deprecated -n parameter to check_ssl_cert. We override this CheckCommand with a custom_ssl_cert.
This commit is contained in:
parent
0dedc4304b
commit
9173311c2f
4 changed files with 210 additions and 6 deletions
|
@ -45,6 +45,209 @@ object CheckCommand "custom_ca_cert" {
|
|||
vars.ssl_cert_critical = 396
|
||||
}
|
||||
|
||||
object CheckCommand "custom_ssl_cert" {
|
||||
import "ipv4-or-ipv6"
|
||||
|
||||
command = [ PluginContribDir + "/check_ssl_cert" ]
|
||||
|
||||
arguments = {
|
||||
"-H" = {
|
||||
value = "$ssl_cert_address$"
|
||||
description = "The host's address"
|
||||
required = true
|
||||
}
|
||||
"-p" = {
|
||||
value = "$ssl_cert_port$"
|
||||
description = "TCP port number (default: 443)"
|
||||
}
|
||||
"-f" = {
|
||||
value = "$ssl_cert_file$"
|
||||
description = "Local file path (works with -H localhost only)"
|
||||
}
|
||||
"-w" = {
|
||||
value = "$ssl_cert_warn$"
|
||||
description = "Minimum number of days a certificate has to be valid"
|
||||
}
|
||||
"-c" = {
|
||||
value = "$ssl_cert_critical$"
|
||||
description = "Minimum number of days a certificate has to be valid to issue a critical status"
|
||||
}
|
||||
"-m" = {
|
||||
value = "$ssl_cert_cn$"
|
||||
description = "Pattern to match the CN of the certificate"
|
||||
}
|
||||
"--altnames" = {
|
||||
set_if = "$ssl_cert_altnames$"
|
||||
description = "Matches the pattern specified in -n with alternate"
|
||||
}
|
||||
"-i" = {
|
||||
value = "$ssl_cert_issuer$"
|
||||
description = "Pattern to match the issuer of the certificate"
|
||||
}
|
||||
"-o" = {
|
||||
value = "$ssl_cert_org$"
|
||||
description = "Pattern to match the organization of the certificate"
|
||||
}
|
||||
"-e" = {
|
||||
value = "$ssl_cert_email$"
|
||||
description = "Pattern to match the email address contained in the certificate"
|
||||
}
|
||||
"-N" = {
|
||||
set_if = "$ssl_cert_match_host$"
|
||||
description = "Match CN with the host name"
|
||||
}
|
||||
"--serial" = {
|
||||
value = "$ssl_cert_serial$"
|
||||
description = "Pattern to match the serial number"
|
||||
}
|
||||
"-A" = {
|
||||
set_if = "$ssl_cert_noauth$"
|
||||
description = "Ignore authority warnings (expiration only)"
|
||||
}
|
||||
"-s" = {
|
||||
set_if = "$ssl_cert_selfsigned$"
|
||||
description = "Allow self-signed certificate"
|
||||
}
|
||||
"--sni" = {
|
||||
value = "$ssl_cert_sni$"
|
||||
description = "Sets the TLS SNI (Server Name Indication) extension"
|
||||
}
|
||||
"-t" = {
|
||||
value = "$ssl_cert_timeout$"
|
||||
description = "Seconds before connection times out (default: 15)"
|
||||
}
|
||||
"-P" = {
|
||||
value = "$ssl_cert_protocol$"
|
||||
description = "Use the specific protocol {http|smtp|pop3|imap|ftp|xmpp|irc|ldap} (default: http)"
|
||||
}
|
||||
"--clientcert" = {
|
||||
value = "$ssl_cert_clientcert$"
|
||||
description = "Use client certificate to authenticate"
|
||||
}
|
||||
"--clientpass" = {
|
||||
value = "$ssl_cert_clientpass$"
|
||||
description = "Set passphrase for client certificate (for PKCS#12)"
|
||||
}
|
||||
"--clientkey" = {
|
||||
value = "$ssl_cert_clientkey$"
|
||||
description = "Use private key for client certificate to authenticate"
|
||||
}
|
||||
"-L" = {
|
||||
value = "$ssl_cert_ssllabs$"
|
||||
description = "SSL Labs assestment"
|
||||
}
|
||||
"--ignore-ssl-labs-cache" = {
|
||||
set_if = "$ssl_cert_ssllabs_nocache$"
|
||||
description = "Forces a new check by SSL Labs"
|
||||
}
|
||||
"-r" = {
|
||||
value = "$ssl_cert_rootssl_cert$"
|
||||
description = "Root certificate or directory to be used for certificate validation"
|
||||
}
|
||||
"--ssl2" = {
|
||||
set_if = {{
|
||||
return macro("$ssl_cert_ssl_version$") == "ssl2"
|
||||
}}
|
||||
}
|
||||
"--ssl3" = {
|
||||
set_if = {{
|
||||
return macro("$ssl_cert_ssl_version$") == "ssl3"
|
||||
}}
|
||||
}
|
||||
"--tls1" = {
|
||||
set_if = {{
|
||||
return macro("$ssl_cert_ssl_version$") == "tls1"
|
||||
}}
|
||||
}
|
||||
"--tls1_1" = {
|
||||
set_if = {{
|
||||
return macro("$ssl_cert_ssl_version$") == "tls1_1"
|
||||
}}
|
||||
}
|
||||
"--tls1_2" = {
|
||||
set_if = {{
|
||||
return macro("$ssl_cert_ssl_version$") == "tls1_2"
|
||||
}}
|
||||
}
|
||||
"--no_ssl2" = {
|
||||
set_if = {{
|
||||
var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
|
||||
if (typeof(disable_versions) == String) {
|
||||
disable_versions = [ disable_versions ]
|
||||
}
|
||||
return "ssl2" in disable_versions
|
||||
}}
|
||||
}
|
||||
"--no_ssl3" = {
|
||||
set_if = {{
|
||||
var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
|
||||
if (typeof(disable_versions) == String) {
|
||||
disable_versions = [ disable_versions ]
|
||||
}
|
||||
return "ssl3" in disable_versions
|
||||
}}
|
||||
}
|
||||
"--no_tls1" = {
|
||||
set_if = {{
|
||||
var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
|
||||
if (typeof(disable_versions) == String) {
|
||||
disable_versions = [ disable_versions ]
|
||||
}
|
||||
return "tls1" in disable_versions
|
||||
}}
|
||||
}
|
||||
"--no_tls1_1" = {
|
||||
set_if = {{
|
||||
var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
|
||||
if (typeof(disable_versions) == String) {
|
||||
disable_versions = [ disable_versions ]
|
||||
}
|
||||
return "tls1_1" in disable_versions
|
||||
}}
|
||||
}
|
||||
"--no_tls1_2" = {
|
||||
set_if = {{
|
||||
var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
|
||||
if (typeof(disable_versions) == String) {
|
||||
disable_versions = [ disable_versions ]
|
||||
}
|
||||
return "tls1_2" in disable_versions
|
||||
}}
|
||||
}
|
||||
"--ecdsa" = {
|
||||
set_if = {{
|
||||
return macro("$ssl_cert_cipher$") == "ecdsa"
|
||||
}}
|
||||
description = "Cipher selection: force ECDSA authentication"
|
||||
}
|
||||
"--rsa" = {
|
||||
set_if = {{
|
||||
return macro("$ssl_cert_cipher$") == "rsa"
|
||||
}}
|
||||
description = "Cipher selection: force RSA authentication"
|
||||
}
|
||||
"--ignore-sig-alg" = {
|
||||
set_if = "$ssl_cert_ignore_signature$"
|
||||
description = "Do not check if the certificate was signed with SHA1 od MD5"
|
||||
}
|
||||
"--ignore-exp" = {
|
||||
set_if = "$ssl_cert_ignore_expiration$"
|
||||
description = "Ignore expiration date"
|
||||
}
|
||||
"--ignore-ocsp" = {
|
||||
set_if = "$ssl_cert_ignore_ocsp$"
|
||||
description = "Do not check revocation with OCSP"
|
||||
}
|
||||
"--ignore-sct" = {
|
||||
set_if = "$ssl_cert_ignore_sct$"
|
||||
description = "Do not check for signed certificate timestamps"
|
||||
}
|
||||
}
|
||||
|
||||
vars.ssl_cert_address = "$check_address$"
|
||||
vars.ssl_cert_port = 443
|
||||
}
|
||||
|
||||
/*
|
||||
* Local command to check whether the current kernel is the latest installed
|
||||
* kernel.
|
||||
|
|
|
@ -20,5 +20,5 @@ object ServiceGroup "procs" {
|
|||
object ServiceGroup "ceritficates" {
|
||||
display_name = "X.509 Certificate Checks"
|
||||
|
||||
assign where service.check_command in [ "ssl_cert", "custom_ca_cert" ]
|
||||
assign where service.check_command in [ "custom_ssl_cert", "custom_ca_cert" ]
|
||||
}
|
||||
|
|
|
@ -15,7 +15,7 @@ apply Service "apt" {
|
|||
apply Service "certificate " for (name => config in host.vars.x509_certs) {
|
||||
import "generic-service"
|
||||
|
||||
check_command = "ssl_cert"
|
||||
check_command = "custom_ssl_cert"
|
||||
check_interval = 6h
|
||||
retry_interval = 15m
|
||||
|
||||
|
@ -59,7 +59,7 @@ apply Service "icinga" {
|
|||
apply Service "icinga API certificate" {
|
||||
import "generic-service"
|
||||
|
||||
check_command = "ssl_cert"
|
||||
check_command = "custom_ssl_cert"
|
||||
check_interval = 6h
|
||||
retry_interval = 15m
|
||||
|
||||
|
|
|
@ -119,9 +119,10 @@ object Host "beholder" {
|
|||
ssl_cert_warn = 30
|
||||
}
|
||||
vars.x509_certs["beholder.cacert.org"] = {
|
||||
ssl_cert_address = "49.13.65.97"
|
||||
ssl_cert_sni = true
|
||||
ssl_cert_cn = "beholder.cacert.org"
|
||||
ssl_cert_address = "beholder.cacert.org"
|
||||
ssl_cert_sni = "beholder.cacert.org"
|
||||
ssl_cert_clientcert = "/etc/ssl/public/beholder-client.crt.pem"
|
||||
ssl_cert_clientkey = "/etc/ssl/private/beholder-client.key.pem"
|
||||
}
|
||||
|
||||
vars.ca_certs["Icinga master"] = {
|
||||
|
|
Loading…
Reference in a new issue