We have created a Nagios plugin called check_ssl_cert_expiry . The nagios plugin will send the alert (warning/critical) before SSL Certificate expiry date. We have tested this plugin to check HTTPS website URL. It is working very well.

Why we require check_ssl_cert_expiry nagios plugin

To know how many days are left before date of expiration of SSL Certificate.

Features of check_ssl_cert_expiry:

1. The warning and critical alert will be send before no. of days left for SSL certificate expiration.
2. The nagios server may be running in different timezone. The SSL Certificate expiration date generally shows in GMT timezone (As much I have seen, it can be different). So here we have to make difference in days as per our Nagios Server timezone.
Hence, it is scripted in a way that no matter which timezone the SSL certificate expiration timezone given.It will make it compatible with yours Nagios Server timezone.

The given below is code detail of check_ssl_cert_expiry

The nagios plugin is also available in our Github account.

#!/bin/bash
## Author: Sharad Kumar Chhetri
## Creation Date : 10-Dec-2014
## Description : Send Warning/Critical alert before expiry date of SSL Certificate.
## Version : 1.0
##
## Usage example: /check_ssl_cert_expiry -h www.google.co.in -w 90 -c 60
## -w = integer number (Warning days)
## -c = integer number (Critical days)
#
# Requirement : bc command should be available in system.
#

_HOST=""
_WARNEXPIRYDAYS=""
_CRITEXPIRYDAYS=""

while getopts "h:w:c:" opt
do
case $opt in
h ) _HOST=$OPTARG;;
w ) _WARNEXPIRYDAYS=$OPTARG;;
c ) _CRITEXPIRYDAYS=$OPTARG;;
esac
done

if [ ! "$_HOST" ]
then
printf "ERROR - Either give Hostname in syntax as www.example.com or example.com with -h!n"
exit 3
fi
if [ ! "$_WARNEXPIRYDAYS" ]
then
printf "ERROR - Add WARNING expiry in days with -wn"
exit 3
fi
if [ ! "$_CRITEXPIRYDAYS" ]
then
printf "ERROR - Add CRITICAL expiry in days with -cn"
exit 3
fi

EXPIRYDATE=`echo "QUIT" | openssl s_client -connect $_HOST:443 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null|sed 's/notAfter=//g'`
#echo $EXPIRYDATE

EXPIRYDATE_epoch=$(date --date "$EXPIRYDATE" +%s)

CURRENT_DATE_epoch=`date +%s`

#echo $EXPIRYDATE_epoch
#echo $CURRENT_DATE_epoch
#echo $dayDiff

epochDiff=`echo "$EXPIRYDATE_epoch" - "$CURRENT_DATE_epoch"|bc`
#echo $epochDiff

### Get difference of days
dayDiff=`echo "$epochDiff"/86400|bc`
#echo $dayDiff

if [ "$dayDiff" -le "$_CRITEXPIRYDAYS" ]
then
echo "CRITICAL : $dayDiff days are left for SSL Certificate Expiration on Host $_HOST"
exit 2
else
if [  "$dayDiff" -le "$_WARNEXPIRYDAYS" ]
then
echo  "WARNING : $dayDiff days are left for SSL Certificate Expiration on Host $_HOST"
exit 1
else
if [ "$dayDiff" -gt "$_WARNEXPIRYDAYS" ]
then
echo "OK: $dayDiff days are left for SSL Certificate Expiration on Host $_HOST"
exit 0
fi
fi
fi

Read Some More Articles

15 Comments

  1. This is the most advanced & simple script to achieve the Nagios SSL Expiry Monitoring.

    Worked Well.

    Some Nagios Administrators, here is my configuration file.

    ==========================
    commands.cfg

    define command{
    command_name check_ssl_cert_expiry
    command_line $USER1$/check_ssl_cert_expiry -h $ARG1$ -w $ARG2$ -c $ARG3$
    }
    ==========================
    define service{
    use generic-service
    check_interval 60
    retry_interval 5
    host_name central_nagios
    service_description Server SSL Certificate Expiry of YOUR DOMAIN NAME
    check_command check_ssl_cert_expiry!YOUR_DOMAIN_NAME!60!30
    contacts nishithvyas
    notification_interval 60
    notifications_enabled 1
    }

    1. Hi Nishith,

      Glad to hear that our Nagios Plugin helped you. This is a simple plugin but also a good learning material for beginners.
      Keep on learning and follow us on our social media channel.

      Regards
      Sharad

  2. ./SSLCheck.sh -h www.google.co.in -w 97 -c 20
    ./SSLCheck.sh: line 1: !/bin/bash: No such file or directory
    ERROR – Add WARNING expiry in days with -w

  3. I Have test it for one of my server . There is it showing 170 days remaining to expire SSL cert but the plugin showing status critical . Can someone please help me on this ?? Please see below command and output :-

    ./check_crt -h 172.16.1.xx -w 20 -c 15
    CRITICAL : -170 days are left for SSL Certificate Expiration on Host

  4. A just got it working now. It was a Windows-Linux Copy-thing.
    When Control-C and Control-V in a textfile on Linux, there are sometimes problems with texts.

    After the following command (I Googled it) it worked fine:

    perl -i -pe’s/r$//;’ check_ssl_cert_expiry

    thanx for your reaction!

  5. Can you tell me how to install this plugin? Is it a python script or else?
    When I try to start it, it gives me an error:

    -bash: ./check_ssl_expiry: /bin/bash^M: bad interpreter: No such file or directory

    Can you help me?

    Thanx..

    1. Hello JC,

      Greetings. This is bash script. You must have bc package install in your system.
      First run the script manually. Given below is example

      ./check_ssl_cert_expiry -h www.google.co.in -w 90 -c 60
      

      If still facing issue. I need help from your side also.

      Run the command in this way , use -x as argument for debuging the bash script-

      ./check_ssl_cert_expiry -x -h www.google.co.in -w 90 -c 60
      

      Send the output to me. I will take a look.
      Need bash version also

      rpm -qa|grep bash
      

      Thanks and Regards
      Sharad

    2. I just recheck the plugin my new server, it is working. But if still you are facing the problem, kindly report me again. I seriously want to troubleshoot this plugin for improvisation.

      [root@sharad ~]# ./check_ssl_cert_expiry -h google.com -w 60 -c 10
      OK: 77 days are left for SSL Certificate Expiration on Host google.com
      [root@sharad ~]#
      

      Regards
      Sharad

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.