We have created a Nagios plugin called check_ssl_cert_expiry . The nagios plugin will send the alert (warning/critical) before SSL Certificate expiry date. We have tested this plugin to check HTTPS website URL. It is working very well.
Why we require check_ssl_cert_expiry nagios plugin
To know how many days are left before date of expiration of SSL Certificate.
Features of check_ssl_cert_expiry:
1. The warning and critical alert will be send before no. of days left for SSL certificate expiration.
2. The nagios server may be running in different timezone. The SSL Certificate expiration date generally shows in GMT timezone (As much I have seen, it can be different). So here we have to make difference in days as per our Nagios Server timezone.
Hence, it is scripted in a way that no matter which timezone the SSL certificate expiration timezone given.It will make it compatible with yours Nagios Server timezone.
The given below is code detail of check_ssl_cert_expiry
The nagios plugin is also available in our Github account.
#!/bin/bash ## Author: Sharad Kumar Chhetri ## Creation Date : 10-Dec-2014 ## Description : Send Warning/Critical alert before expiry date of SSL Certificate. ## Version : 1.0 ## ## Usage example: /check_ssl_cert_expiry -h www.google.co.in -w 90 -c 60 ## -w = integer number (Warning days) ## -c = integer number (Critical days) # # Requirement : bc command should be available in system. # _HOST="" _WARNEXPIRYDAYS="" _CRITEXPIRYDAYS="" while getopts "h:w:c:" opt do case $opt in h ) _HOST=$OPTARG;; w ) _WARNEXPIRYDAYS=$OPTARG;; c ) _CRITEXPIRYDAYS=$OPTARG;; esac done if [ ! "$_HOST" ] then printf "ERROR - Either give Hostname in syntax as www.example.com or example.com with -h!n" exit 3 fi if [ ! "$_WARNEXPIRYDAYS" ] then printf "ERROR - Add WARNING expiry in days with -wn" exit 3 fi if [ ! "$_CRITEXPIRYDAYS" ] then printf "ERROR - Add CRITICAL expiry in days with -cn" exit 3 fi EXPIRYDATE=`echo "QUIT" | openssl s_client -connect $_HOST:443 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null|sed 's/notAfter=//g'` #echo $EXPIRYDATE EXPIRYDATE_epoch=$(date --date "$EXPIRYDATE" +%s) CURRENT_DATE_epoch=`date +%s` #echo $EXPIRYDATE_epoch #echo $CURRENT_DATE_epoch #echo $dayDiff epochDiff=`echo "$EXPIRYDATE_epoch" - "$CURRENT_DATE_epoch"|bc` #echo $epochDiff ### Get difference of days dayDiff=`echo "$epochDiff"/86400|bc` #echo $dayDiff if [ "$dayDiff" -le "$_CRITEXPIRYDAYS" ] then echo "CRITICAL : $dayDiff days are left for SSL Certificate Expiration on Host $_HOST" exit 2 else if [ "$dayDiff" -le "$_WARNEXPIRYDAYS" ] then echo "WARNING : $dayDiff days are left for SSL Certificate Expiration on Host $_HOST" exit 1 else if [ "$dayDiff" -gt "$_WARNEXPIRYDAYS" ] then echo "OK: $dayDiff days are left for SSL Certificate Expiration on Host $_HOST" exit 0 fi fi fi
This is the most advanced & simple script to achieve the Nagios SSL Expiry Monitoring.
Worked Well.
Some Nagios Administrators, here is my configuration file.
==========================
commands.cfg
define command{
command_name check_ssl_cert_expiry
command_line $USER1$/check_ssl_cert_expiry -h $ARG1$ -w $ARG2$ -c $ARG3$
}
==========================
define service{
use generic-service
check_interval 60
retry_interval 5
host_name central_nagios
service_description Server SSL Certificate Expiry of YOUR DOMAIN NAME
check_command check_ssl_cert_expiry!YOUR_DOMAIN_NAME!60!30
contacts nishithvyas
notification_interval 60
notifications_enabled 1
}
Hi Nishith,
Glad to hear that our Nagios Plugin helped you. This is a simple plugin but also a good learning material for beginners.
Keep on learning and follow us on our social media channel.
Regards
Sharad
./SSLCheck.sh -h www.google.co.in -w 97 -c 20
./SSLCheck.sh: line 1: !/bin/bash: No such file or directory
ERROR – Add WARNING expiry in days with -w
What if I want to check a specific port?
-bash: ./check_ssl_cert_expiry: /bin/bash^M: bad interpreter: No such file or directory
Hi,
Check your bash absolute path by command `which bash` and edit the script.
sharad@linuxworld:~$ which bash
/bin/bash
sharad@linuxworld:~$
Regards
Sharad
That’s great! Thank you!!
You are welcome Danny!
Regards
Sharad
I Have test it for one of my server . There is it showing 170 days remaining to expire SSL cert but the plugin showing status critical . Can someone please help me on this ?? Please see below command and output :-
./check_crt -h 172.16.1.xx -w 20 -c 15
CRITICAL : -170 days are left for SSL Certificate Expiration on Host
Hello Mukesh,
-w means show warning when n days are left.
-c critical show critical when n days are left.
Do not use ip address.Use domain name.
Regards
Sharad
A just got it working now. It was a Windows-Linux Copy-thing.
When Control-C and Control-V in a textfile on Linux, there are sometimes problems with texts.
After the following command (I Googled it) it worked fine:
perl -i -pe’s/r$//;’ check_ssl_cert_expiry
thanx for your reaction!
Awesome ! It gave me some happy peace. 🙂
Always welcome improvisation suggestion.
Thanks and Regards
Sharad
Can you tell me how to install this plugin? Is it a python script or else?
When I try to start it, it gives me an error:
-bash: ./check_ssl_expiry: /bin/bash^M: bad interpreter: No such file or directory
Can you help me?
Thanx..
Hello JC,
Greetings. This is bash script. You must have bc package install in your system.
First run the script manually. Given below is example
If still facing issue. I need help from your side also.
Run the command in this way , use -x as argument for debuging the bash script-
Send the output to me. I will take a look.
Need bash version also
Thanks and Regards
Sharad
I just recheck the plugin my new server, it is working. But if still you are facing the problem, kindly report me again. I seriously want to troubleshoot this plugin for improvisation.
Regards
Sharad