#!/bin/sh

# Print the usage summary on stdout.
# The program name is taken from $0 with any leading directory stripped.
# Each option line is "<flag and argument><TAB><description>".
show_help() {
	printf 'Usage: %s [-H HOSTNAME] [-w WARN_DAYS] [-c CRIT_DAYS]\n\n' "${0##*/}"
	# printf reuses the format for every further pair of arguments.
	printf '%s\t%s\n' \
		'-H HOSTNAME' "the ldap server's hostname" \
		'-w WARN_DAYS' 'warn WARN_DAYS before certificate expiry' \
		'-c CRIT_DAYS' 'show critical CRIT_DAYS before certificate expiry'
}

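# Defaults, used for any option that is not given on the command line.
HOST="localhost"	# server to connect to
WARN=30			# warning threshold, in days before expiry
CRIT=14			# critical threshold, in days before expiry

# Parse -h, -H HOSTNAME, -w WARN_DAYS and -c CRIT_DAYS.
while getopts "hH:w:c:" OPT
do
	case "${OPT}" in
		h)
			show_help
			exit 0
			;;
		H)
			HOST=${OPTARG}
			;;
		w)
			WARN=${OPTARG}
			;;
		c)
			CRIT=${OPTARG}
			;;
		*)
			# NOTE(review): exit status 1 is also what this script returns
			# for a WARNING result, so a caller that maps exit codes to
			# states may show a usage error as a warning.
			show_help >&2
			exit 1
			;;
	esac
done

# The thresholds are compared numerically further down. Reject anything that
# is not a plain (optionally negative) integer here, so that option text can
# never end up being interpreted as part of a test expression. Status 3
# matches the script's own "Error" exit code.
for THRESHOLD in "${WARN}" "${CRIT}"
do
	case "${THRESHOLD#-}" in
		'' | *[!0-9]*)
			echo "Error - WARN_DAYS and CRIT_DAYS must be integers"
			exit 3
			;;
	esac
done

# getopts does not shift the arguments, so $# is still the original count:
# running the script without any option prints the help text instead of
# checking the default host.
if [ $# -eq 0 ]
then
	show_help
	exit 1
fi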

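# Read the notAfter date of the certificate presented on ${HOST}:636.
#  - The host is quoted so that whitespace or glob characters in -H cannot
#    split the argument or add further openssl options.
#  - sed keeps only the PEM blocks; openssl x509 parses the first one, which
#    is the server's own certificate even though -showcerts prints the chain.
#  - This check looks at the expiry date only. s_client's verification result
#    is not consulted, so an untrusted or mismatched certificate with a
#    distant expiry still reports OK.
#  - No timeout is applied here; a server that accepts the connection but
#    never completes the handshake blocks until the caller ends the check.
NOT_AFTER=$(openssl s_client -showcerts -connect "${HOST}:636" < /dev/null 2> /dev/null |
	sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' |
	openssl x509 -noout -enddate 2> /dev/null |
	sed -n 's/notAfter=//p')

# Without this guard an empty result would be handed to `date --date ""`,
# which GNU date reads as "today", and a failed connection would be reported
# as a certificate with 0 days of validity left. The exit status stays 2, as
# it was in that case, but the message now names the real problem.
if [ -z "${NOT_AFTER}" ] || ! CERT_DATE=$(date --date "${NOT_AFTER}" +"%Y-%m-%d")
then
	echo "CRITICAL - Could not determine certificate expiry for ${HOST}:636"
	exit 2
fi

# Whole days between now and midnight of the expiry date; shell arithmetic
# truncates toward zero.
DAYS=$(( ($(date --date "${CERT_DATE}" +%s) - $(date +%s)) / 86400 ))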

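# Map the remaining validity to a status line and exit code:
#   2  CRITICAL  DAYS <= CRIT
#   1  WARNING   CRIT < DAYS <= WARN
#   0  OK        DAYS > WARN
#   3  Error     none of the comparisons succeeded (e.g. a non-numeric value)
# The operands are quoted so that a value containing spaces or test operators
# is treated as a single (invalid) number instead of changing the expression.
if [ "${DAYS}" -lt "${CRIT}" ]
then
	echo "CRITICAL - Less than ${CRIT} days (currently ${DAYS}) remaining validity"
	exit 2
elif [ "${DAYS}" -eq "${CRIT}" ]
then
	echo "CRITICAL - Exactly ${CRIT} days (currently ${DAYS}) remaining validity"
	exit 2
elif [ "${DAYS}" -lt "${WARN}" ]
then
	echo "WARNING - Less than ${WARN} days (currently ${DAYS}) remaining validity"
	exit 1
elif [ "${DAYS}" -eq "${WARN}" ]
then
	echo "WARNING - Exactly ${WARN} days (currently ${DAYS}) remaining validity"
	exit 1
elif [ "${DAYS}" -gt "${WARN}" ]
then
	echo "OK - More than ${WARN} days (currently ${DAYS}) remaining validity"
	exit 0
else
	# Reached only when every comparison above failed, which happens when
	# one of the operands is not an integer.
	echo "Error - Something broke"
	exit 3
fi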
