Nagios plugin to check SSL certificates
By grapsus on Tuesday 27 September 2011, 11:15
Here is a Nagios plugin I wrote to check SSL certificates for expiry. You can set it up to emit a WARNING or a CRITICAL state N days before expiry.
/root/bin/nagios-check-crt.sh :
```bash
#!/bin/bash
# Written by Alexis Bezverkhyy <alexis@grapsus.net> in september 2011
# This is free and unencumbered software released into the public domain.
# For more information, please refer to <http://unlicense.org/>

function PRINT_USAGE(){
  echo "This Nagios plugin checks SSL certificates for expiration :
  -c HOST:PORT host and port to connect
  -d DAYS  minimum days before expiry, otherwise a WARNING is issued
  -D DAYS  minimum days before expiry, otherwise a CRITICAL is issued
  -h       prints out this help"
  # exit 3 (UNKNOWN) so that a misconfigured check is never reported as OK
  exit 3
}

CONNECT='';WDAYS=0;CDAYS=0;
declare -i CDAYS
declare -i WDAYS
# getopts returns non-zero once all options have been consumed
while getopts 'c:d:D:h' OPT ; do
  case "$OPT" in
    "c") CONNECT="$OPTARG";;
    "d") WDAYS="$OPTARG";;
    "D") CDAYS="$OPTARG";;
    *) PRINT_USAGE;;   # -h or an unknown option
  esac
done

# a target and at least one threshold are required
if [ -z "$CONNECT" ] || { [ "$WDAYS" = '0' ] && [ "$CDAYS" = '0' ]; } ; then
  PRINT_USAGE
fi

function get_crt_expiry
{
  # connect to host with OpenSSL client, filter CRT, parse CRT,
  # get expiry time, convert to traditional y-m-d h:m
  # (takes the last UTCTIME field as notAfter, so it assumes an expiry
  # date before 2050; later dates are encoded as GENERALIZEDTIME)
  echo -n '' | openssl s_client -connect "$1" 2>/dev/null \
    | awk 'BEGIN { p = 0 }
           /BEGIN CERT/ { p = 1 }
           { if (p) print $0 }
           /END CERT/ { p = 0 }' \
    | openssl asn1parse 2>/dev/null \
    | grep 'UTCTIME' \
    | awk '{ print $7 }' \
    | tr -d 'Z:' \
    | tail -n 1 \
    | sed -r 's/^(..)(..)(..)(..)(..).*$/\1-\2-\3 \4:\5/'
}

EXPIRY=$(get_crt_expiry "$CONNECT")

if [ -z "$EXPIRY" ] ; then
  echo "WARNING - cannot get expiry date for $CONNECT"
  exit 1
fi

# UTCTIME is expressed in UTC, so parse it as UTC rather than local time
EPOCH_EXPIRY=$(date -u -d "$EXPIRY" +%s)
EPOCH_NOW=$(date +%s)
let "REM_DAYS = (EPOCH_EXPIRY - EPOCH_NOW)/(24*3600)"

if [ "$CDAYS" -gt 0 -a "$REM_DAYS" -lt "$CDAYS" ] ; then
  echo "CRITICAL - $CONNECT crt expires on $EXPIRY ($REM_DAYS days left)"
  exit 2
fi

if [ "$WDAYS" -gt 0 -a "$REM_DAYS" -lt "$WDAYS" ] ; then
  echo "WARNING - $CONNECT crt expires on $EXPIRY ($REM_DAYS days left)"
  exit 1
fi

echo "OK - $CONNECT crt expires on $EXPIRY ($REM_DAYS days left)"
```
Here's the configuration to check a simple HTTPS service.
commands.cfg :
```
define command {
    command_name check_crt
    command_line /root/bin/nagios-check-crt.sh -c $ARG1$ -d $ARG2$ -D $ARG3$
}
```
myhost.cfg :
```
define service {
    use generic-service
    host_name myhost
    service_description HTTPS-CRT
    check_command check_crt!myhost.com:443!60!30
}
```
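As a complement to the plugin above, here is an added example (not part of the original post or the author's code): the same -d/-D threshold logic, fed from the `notAfter=` line of `openssl x509 -noout -enddate`, which prints the date in one format whether the certificate stores it as UTCTIME or GENERALIZEDTIME. The function names are hypothetical and GNU `date` is assumed; unlike the plugin, it reports an already expired certificate as CRITICAL and unusable input as UNKNOWN.

```bash
# Added example, not the author's code; function names are hypothetical.
# Requires GNU date (-d), as the original plugin does.

# classify_enddate ENDDATE WARN_DAYS CRIT_DAYS [NOW_EPOCH]
# ENDDATE is the text after "notAfter=" printed by
# `openssl x509 -noout -enddate`, e.g. "Sep 27 11:15:00 2031 GMT".
# Prints a status line and returns the Nagios plugin exit code:
# 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
classify_enddate() {
    local enddate warn crit now expiry secs days n
    enddate="$1"; warn="$2"; crit="$3"; now="${4:-$(date +%s)}"
    for n in "$warn" "$crit" "$now"; do
        case "$n" in
            ''|*[!0-9]*) echo "UNKNOWN - non-numeric argument '$n'"; return 3;;
        esac
    done
    # GNU date accepts an empty string, so reject it explicitly.
    if [ -z "$enddate" ] || ! expiry=$(date -u -d "$enddate" +%s 2>/dev/null); then
        echo "UNKNOWN - cannot parse expiry date '$enddate'"; return 3
    fi
    secs=$(( expiry - now ))
    # An expired certificate is CRITICAL whatever thresholds were given.
    if [ "$secs" -le 0 ]; then
        echo "CRITICAL - certificate expired on $enddate"; return 2
    fi
    days=$(( secs / 86400 ))
    if [ "$crit" -gt 0 ] && [ "$days" -lt "$crit" ]; then
        echo "CRITICAL - expires on $enddate ($days days left)"; return 2
    fi
    if [ "$warn" -gt 0 ] && [ "$days" -lt "$warn" ]; then
        echo "WARNING - expires on $enddate ($days days left)"; return 1
    fi
    echo "OK - expires on $enddate ($days days left)"; return 0
}

# check_host HOST:PORT WARN_DAYS CRIT_DAYS
# Fetches the server certificate and classifies its notAfter date.
check_host() {
    local enddate
    enddate=$(openssl s_client -connect "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null) || true
    if [ -z "$enddate" ]; then
        echo "UNKNOWN - cannot get certificate from $1"; return 3
    fi
    classify_enddate "${enddate#notAfter=}" "$2" "$3"
}
```

The optional fourth argument of `classify_enddate` fixes "now", so the thresholds can be exercised offline against constructed dates.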