Munin plugin for monitoring age of stapled OCSP responses.

ocsp_age_

#!/usr/bin/python
import re
import subprocess
import sys
import time
import datetime

def parse_date(date):
	dt = datetime.datetime.strptime(date, "%b %d %H:%M:%S %Y GMT")

	return dt

def timedelta_hours(td):
	return td.total_seconds()/3600.

def get_age(site):
	shcmd = 'echo "" | openssl s_client -servername "%(site)s" -connect "%(site)s:443" -status 2>/dev/null' % {'site': site}

	try:
		out = subprocess.check_output(shcmd, shell=True)
	except subprocess.CalledProcessError:
		return None, None

	g = re.search("This Update: (.*)$", out, re.M)
	if g:
		this_update = g.group(1)
	else:
		return None, None

	g = re.search("Next Update: (.*)$", out, re.M)
	if g:
		next_update = g.group(1)
	else:
		return None, None

	this_update_dt = parse_date(this_update)
	next_update_dt = parse_date(next_update)

	now = datetime.datetime.utcnow()

	cur_age = now - this_update_dt
	max_age = next_update_dt - this_update_dt

	return timedelta_hours(cur_age), timedelta_hours(max_age)

def get_site():
	cmd = sys.argv[0]

	g = re.search("ocsp_age_(.*)$", cmd)
	return g.group(1)

def float_or_u(v):
	if v is None:
		return 'U'
	else:
		return str(v)

def main():
	site = get_site()

	cmd = None
	if len(sys.argv) > 1:
		cmd = sys.argv[1]

	if cmd == 'config':
		print """graph_title %(site)s stapled OCSP response age
graph_vlabel h
graph_category ssl
graph_info This graph shows time since "thisUpdate" in the stapled OCSP response and difference between "thisUpdate" and "nextUpdate".
cur_age.label response age
cur_age.min 0
max_age.label next update
max_age.min 0
""" % {'site': site}
	else:
		cur_age, max_age = get_age(site)

		print "cur_age.value %s" % (float_or_u(cur_age),)
		print "max_age.value %s" % (float_or_u(max_age),)

if __name__ == "__main__":
	main()