From 9173311c2f211d907e9f8bd4f75c69f8ca2fc689 Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Sat, 19 Aug 2023 14:26:48 +0200
Subject: [PATCH] Define custom_ssl_cert command

The ssl_cert command definition from icinga2-common does not support client certificates with a separate private key file and uses the deprecated -n parameter to check_ssl_cert. We override this CheckCommand with a custom_ssl_cert.
---
 global-templates/commands.conf | 203 ++++++++++++++++++++++++++++
 global-templates/servicegroups.conf | 2 +-
 global-templates/services.conf | 4 +-
 master/hosts.conf | 7 +-
 4 files changed, 210 insertions(+), 6 deletions(-)

diff --git a/global-templates/commands.conf b/global-templates/commands.conf
index 8870819..343fa94 100644
--- a/global-templates/commands.conf
+++ b/global-templates/commands.conf
@@ -45,6 +45,209 @@ object CheckCommand "custom_ca_cert" {
 vars.ssl_cert_critical = 396
 }
 
+object CheckCommand "custom_ssl_cert" {
+ import "ipv4-or-ipv6"
+
+ command = [ PluginContribDir + "/check_ssl_cert" ]
+
+ arguments = {
+ "-H" = {
+ value = "$ssl_cert_address$"
+ description = "The host's address"
+ required = true
+ }
+ "-p" = {
+ value = "$ssl_cert_port$"
+ description = "TCP port number (default: 443)"
+ }
+ "-f" = {
+ value = "$ssl_cert_file$"
+ description = "Local file path (works with -H localhost only)"
+ }
+ "-w" = {
+ value = "$ssl_cert_warn$"
+ description = "Minimum number of days a certificate has to be valid"
+ }
+ "-c" = {
+ value = "$ssl_cert_critical$"
+ description = "Minimum number of days a certificate has to be valid to issue a critical status"
+ }
+ "-m" = {
+ value = "$ssl_cert_cn$"
+ description = "Pattern to match the CN of the certificate"
+ }
+ "--altnames" = {
+ set_if = "$ssl_cert_altnames$"
+ description = "Matches the pattern specified in -n with alternate"
+ }
+ "-i" = {
+ value = "$ssl_cert_issuer$"
+ description = "Pattern to match the issuer of the certificate"
+ }
+ "-o" = {
+ value = "$ssl_cert_org$"
+ description = "Pattern to match the organization of the certificate"
+ }
+ "-e" = {
+ value = "$ssl_cert_email$"
+ description = "Pattern to match the email address contained in the certificate"
+ }
+ "-N" = {
+ set_if = "$ssl_cert_match_host$"
+ description = "Match CN with the host name"
+ }
+ "--serial" = {
+ value = "$ssl_cert_serial$"
+ description = "Pattern to match the serial number"
+ }
+ "-A" = {
+ set_if = "$ssl_cert_noauth$"
+ description = "Ignore authority warnings (expiration only)"
+ }
+ "-s" = {
+ set_if = "$ssl_cert_selfsigned$"
+ description = "Allow self-signed certificate"
+ }
+ "--sni" = {
+ value = "$ssl_cert_sni$"
+ description = "Sets the TLS SNI (Server Name Indication) extension"
+ }
+ "-t" = {
+ value = "$ssl_cert_timeout$"
+ description = "Seconds before connection times out (default: 15)"
+ }
+ "-P" = {
+ value = "$ssl_cert_protocol$"
+ description = "Use the specific protocol {http|smtp|pop3|imap|ftp|xmpp|irc|ldap} (default: http)"
+ }
+ "--clientcert" = {
+ value = "$ssl_cert_clientcert$"
+ description = "Use client certificate to authenticate"
+ }
+ "--clientpass" = {
+ value = "$ssl_cert_clientpass$"
+ description = "Set passphrase for client certificate (for PKCS#12)"
+ }
+ "--clientkey" = {
+ value = "$ssl_cert_clientkey$"
+ description = "Use private key for client certificate to authenticate"
+ }
+ "-L" = {
+ value = "$ssl_cert_ssllabs$"
+ description = "SSL Labs assestment"
+ }
+ "--ignore-ssl-labs-cache" = {
+ set_if = "$ssl_cert_ssllabs_nocache$"
+ description = "Forces a new check by SSL Labs"
+ }
+ "-r" = {
+ value = "$ssl_cert_rootssl_cert$"
+ description = "Root certificate or directory to be used for certificate validation"
+ }
+ "--ssl2" = {
+ set_if = {{
+ return macro("$ssl_cert_ssl_version$") == "ssl2"
+ }}
+ }
+ "--ssl3" = {
+ set_if = {{
+ return macro("$ssl_cert_ssl_version$") == "ssl3"
+ }}
+ }
+ "--tls1" = {
+ set_if = {{
+ return macro("$ssl_cert_ssl_version$") == "tls1"
+ }}
+ }
+ "--tls1_1" = {
+ set_if = {{
+ return macro("$ssl_cert_ssl_version$") == "tls1_1"
+ }}
+ }
+ "--tls1_2" = {
+ set_if = {{
+ return macro("$ssl_cert_ssl_version$") == "tls1_2"
+ }}
+ }
+ "--no_ssl2" = {
+ set_if = {{
+ var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
+ if (typeof(disable_versions) == String) {
+ disable_versions = [ disable_versions ]
+ }
+ return "ssl2" in disable_versions
+ }}
+ }
+ "--no_ssl3" = {
+ set_if = {{
+ var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
+ if (typeof(disable_versions) == String) {
+ disable_versions = [ disable_versions ]
+ }
+ return "ssl3" in disable_versions
+ }}
+ }
+ "--no_tls1" = {
+ set_if = {{
+ var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
+ if (typeof(disable_versions) == String) {
+ disable_versions = [ disable_versions ]
+ }
+ return "tls1" in disable_versions
+ }}
+ }
+ "--no_tls1_1" = {
+ set_if = {{
+ var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
+ if (typeof(disable_versions) == String) {
+ disable_versions = [ disable_versions ]
+ }
+ return "tls1_1" in disable_versions
+ }}
+ }
+ "--no_tls1_2" = {
+ set_if = {{
+ var disable_versions = macro("$ssl_cert_disable_ssl_versions$")
+ if (typeof(disable_versions) == String) {
+ disable_versions = [ disable_versions ]
+ }
+ return "tls1_2" in disable_versions
+ }}
+ }
+ "--ecdsa" = {
+ set_if = {{
+ return macro("$ssl_cert_cipher$") == "ecdsa"
+ }}
+ description = "Cipher selection: force ECDSA authentication"
+ }
+ "--rsa" = {
+ set_if = {{
+ return macro("$ssl_cert_cipher$") == "rsa"
+ }}
+ description = "Cipher selection: force RSA authentication"
+ }
+ "--ignore-sig-alg" = {
+ set_if = "$ssl_cert_ignore_signature$"
+ description = "Do not check if the certificate was signed with SHA1 od MD5"
+ }
+ "--ignore-exp" = {
+ set_if = "$ssl_cert_ignore_expiration$"
+ description = "Ignore expiration date"
+ }
+ "--ignore-ocsp" = {
+ set_if = "$ssl_cert_ignore_ocsp$"
+ description = "Do not check revocation with OCSP"
+ }
+ "--ignore-sct" = {
+ set_if = "$ssl_cert_ignore_sct$"
+ description = "Do not check for signed certificate timestamps"
+ }
+ }
+
+ vars.ssl_cert_address = "$check_address$"
+ vars.ssl_cert_port = 443
+}
+
 /*
 * Local command to check whether the current kernel is the latest installed
 * kernel.
diff --git a/global-templates/servicegroups.conf b/global-templates/servicegroups.conf
index 8393f45..03a084a 100644
--- a/global-templates/servicegroups.conf
+++ b/global-templates/servicegroups.conf
@@ -20,5 +20,5 @@ object ServiceGroup "procs" {
 
 object ServiceGroup "ceritficates" {
 display_name = "X.509 Certificate Checks"
- assign where service.check_command in [ "ssl_cert", "custom_ca_cert" ]
+ assign where service.check_command in [ "custom_ssl_cert", "custom_ca_cert" ]
 }
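Review bot: The `-r` argument reads `$ssl_cert_rootssl_cert$`, which looks like an accidental substitution of the `ssl_cert_rootcert` name that the upstream `ssl_cert` CheckCommand and every other variable in this object follow; a host that sets `ssl_cert_rootcert` expecting a drop-in replacement would have its root CA silently ignored and chain validation would fall back to whatever trust store the plugin uses by default. I would change it to `value = "$ssl_cert_rootcert$"`. The `--altnames` description still says "the pattern specified in -n" although this command passes the CN pattern via `-m`; `description = "Matches the pattern specified in -m with alternate names"` keeps the two arguments consistent. The whole `custom_ssl_cert` object is contained in this hunk.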
diff --git a/global-templates/services.conf b/global-templates/services.conf
index 57272e3..34771bb 100644
--- a/global-templates/services.conf
+++ b/global-templates/services.conf
@@ -15,7 +15,7 @@ apply Service "apt" {
 apply Service "certificate " for (name => config in host.vars.x509_certs) {
 import "generic-service"
- check_command = "ssl_cert"
+ check_command = "custom_ssl_cert"
 check_interval = 6h
 retry_interval = 15m
@@ -59,7 +59,7 @@ apply Service "icinga" {
 apply Service "icinga API certificate" {
 import "generic-service"
- check_command = "ssl_cert"
+ check_command = "custom_ssl_cert"
 check_interval = 6h
 retry_interval = 15m
diff --git a/master/hosts.conf b/master/hosts.conf
index aaa63dc..7c9a566 100644
--- a/master/hosts.conf
+++ b/master/hosts.conf
@@ -119,9 +119,10 @@ object Host "beholder" {
 ssl_cert_warn = 30
 }
 vars.x509_certs["beholder.cacert.org"] = {
- ssl_cert_address = "49.13.65.97"
- ssl_cert_sni = true
- ssl_cert_cn = "beholder.cacert.org"
+ ssl_cert_address = "beholder.cacert.org"
+ ssl_cert_sni = "beholder.cacert.org"
+ ssl_cert_clientcert = "/etc/ssl/public/beholder-client.crt.pem"
+ ssl_cert_clientkey = "/etc/ssl/private/beholder-client.key.pem"
 }
 vars.ca_certs["Icinga master"] = {
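Review bot: Dropping `ssl_cert_cn` from the `beholder.cacert.org` entry removes the only explicit name check for this certificate; with `custom_ssl_cert` the chain and expiry are still validated, but unless `ssl_cert_match_host = true` (the `-N` flag) is set or the plugin matches the host name on its own, a valid certificate issued for some other name would now pass this service. Restoring `ssl_cert_cn = "beholder.cacert.org"` (it maps to `-m` in the new command) or adding `ssl_cert_match_host = true` keeps the guarantee the old entry had. The key at `/etc/ssl/private/beholder-client.key.pem` must be readable by the account the check runs as; if that directory keeps its usual restrictive permissions the plugin will fail at connect time rather than report a certificate state, which deserves a short comment next to the path. The enclosing `object Host "beholder"` starts outside this hunk.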