#!/bin/bash

while getopts ":u:" opt; do
  case $opt in
    u)
      url="$OPTARG"
      ;;
    \?)
      echo "Invalid option: -$OPTARG" >&2
      exit 3
      ;;
    :)
      echo "Option -$OPTARG requires an argument." >&2
      exit 3
      ;;
  esac
done

if [ -z "$url" ]; then
  echo "UNKNOWN - URL not specified. Use the -u option to provide a URL."
  exit 3
fi

# Check if the URL starts with "https://"
if [[ "$url" != "https://"* ]]; then
  echo "UNKNOWN - Invalid URL. The URL must start with 'https://'."
  exit 3
fi

# Extract the hostname and port from the URL
hostname=$(echo "$url" | awk -F[/:] '{print $4}')
port=$(echo "$url" | awk -F[/:] '{print $5}')

if [ -z "$port" ]; then
  port=443
fi

# Check SSL certificate validity
ssl_output=$(curl -sSI --stderr - "$url" 2>&1)
curl_exit_code=$?

if [ $curl_exit_code -ne 0 ]; then
  case $curl_exit_code in
    6)
      MSG="Could not resolve host for \"$url\""
      ;;
    7)
      MSG="Failed to connect to \"$url\""
      ;;
    35)
      MSG="SSL connect error for \"$url\""
      ;;
    51)
      MSG="SSL certificate verification failed for \"$url\""
      ;;
    60)
      MSG="SSL certificate cannot be authenticated with known CA certificates for \"$url\""
      ;;
    *)
      MSG="curl request failed with exit code $curl_exit_code for \"$url\""
      ;;
  esac
  echo "CRITICAL - $MSG"
  exit 2
fi

# Check SSL certificate expiration date
expiration_date=$(echo | openssl s_client -servername "$hostname" -connect "$hostname:$port" 2>/dev/null | openssl x509 -noout -enddate | cut -d "=" -f 2)

if [ -z "$expiration_date" ]; then
  echo "UNKNOWN - Failed to retrieve SSL certificate expiration date for \"$url\""
  exit 3
fi

expiration_timestamp=$(date -d "$expiration_date" +%s)
current_timestamp=$(date +%s)

if [ $expiration_timestamp -lt $current_timestamp ]; then
  echo "CRITICAL - SSL certificate for \"$url\" has expired on $(date -d @$expiration_timestamp)"
  exit 2
fi

days_remaining=$((($expiration_timestamp - $current_timestamp) / (60*60*24)))

if [ $days_remaining -lt 30 ]; then
  echo "WARNING - SSL certificate for \"$url\" is expiring on $(date -d @$expiration_timestamp) ($days_remaining days remaining)"
  exit 1
else
  echo "OK - SSL certificate for \"$url\" is valid"
  exit 0
fi