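#!/bin/bash
# Checkmk local check: reports the remaining lifetime of the TLS certificate
# served by this host. Useful when the Checkmk server cannot reach the
# monitored host's ports directly (DMZ, behind a proxy, etc.).
#
# Copy this to /usr/lib/check_mk_agent/local and adjust hostname and port.
# Depending on the service you need to set 'starttls="-starttls xyz"':
#   smtp on port 25:  -starttls smtp
#   ftp  on port 21:  -starttls ftp
#   imap on port 143: -starttls imap
#   pop3 on port 110: -starttls pop3
# For more protocols see the openssl documentation.
#
# NOTE: this check only reads the notAfter date of whatever certificate the
# service presents. It does not validate the chain, the hostname match or
# revocation, so a "days left" value says nothing about whether clients will
# actually trust the certificate.

hostname=$(hostname -f)
port=993
starttls=

service="${hostname}:${port} Cert-Runtime"

# Emit an UNKNOWN (state 3) result for this service and stop. Without this,
# a failed connection would fall through to the date arithmetic with an empty
# value and report a made-up expiry instead of the real problem.
report_unknown() {
  printf '3 "%s" - %s\n' "$service" "$1"
  exit 0
}

certificate_file=$(mktemp) || report_unknown "Could not create temporary file"
# Remove the temp file on every exit path; the agent runs this check
# repeatedly and would otherwise leave one file behind per run.
trap 'rm -f -- "$certificate_file"' EXIT

# $starttls is a whitespace-separated option string; split it once into an
# array so everything else can be quoted.
read -r -a starttls_args <<<"$starttls"

# stdin from /dev/null makes s_client quit right after the handshake.
# stderr is discarded on purpose: failures are detected below by checking
# whether a certificate was actually captured.
openssl s_client -servername "$hostname" -connect "${hostname}:${port}" \
  "${starttls_args[@]}" </dev/null 2>/dev/null \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >"$certificate_file"

[[ -s "$certificate_file" ]] \
  || report_unknown "No certificate received from ${hostname} Port ${port}"

not_after=$(openssl x509 -in "$certificate_file" -enddate -noout 2>/dev/null) \
  || report_unknown "Could not parse certificate from ${hostname} Port ${port}"
# Output looks like "notAfter=<date>"; keep only the date part.
not_after=${not_after#*=}

date_s=$(date -d "$not_after" +%s) \
  || report_unknown "Could not interpret certificate end date '${not_after}'"
now_s=$(date +%s)
date_diff=$(( (date_s - now_s) / 86400 ))

# The metric is the negated number of days left so that the upper-bound
# levels -15 (WARN) and -10 (CRIT) trigger as expiry approaches. Negate
# arithmetically: prefixing "-" as text would print "--N" once the
# certificate has already expired.
printf 'P "%s" days=%d;-15;-10 Certificate of Service on %s Port %s expires in %d days\n' \
  "$service" "$(( -date_diff ))" "$hostname" "$port" "$date_diff"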