SSL certificates are one of the more com ... / 2010-12-21

SSL certificates are one of the more complicated things to keep an eye on: they work fine for 1, 2 or 3 years and then suddenly all your users are confronted with very weird errors (which you do want to be errors). That makes them an ideal candidate for monitoring in zabbix. The check does not have to run every 5 minutes; even at an interval of 12 hours (the zabbix maximum) I get enough advance warning about a certificate that is going to expire. I use an external check and a simple script:
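#!/usr/bin/perl -w

use strict;
use Date::Parse;

# Host and port to check arrive as the first and second argument.
my ($host,$port) = ($ARGV[0],$ARGV[1]);

# Both values are placed on a shell command line below, so accept only
# plain host names and numeric ports; anything else reports 0 days left.
unless (defined $host and defined $port
        and $host =~ /\A[A-Za-z0-9.-]+\z/ and $port =~ /\A[0-9]+\z/){
        print "0\n";
        exit 0;
}

open(SSLINFO,"echo \"\" | openssl s_client -connect $host:$port 2>/dev/null | openssl x509 -enddate -noout 2>/dev/null |");

my $expiry=0;

while (<SSLINFO>){
        # openssl prints the end date as a line starting with notAfter=
        if (/^notAfter=(.+)\n$/){
                $expiry=str2time($1) || 0;
        }
}
close(SSLINFO);

# Whole days until expiry; 0 when no end date could be read.
if ($expiry>0){
        printf "%d\n",($expiry-time())/86400;
} else {
        print "0\n";
}

Taking the port as a parameter allows me to define multiple items, one for https and one for ldaps. The 'SSL on port 443' check calls the external check ssl-expiry-left.monitor[443], which results in a call to /etc/zabbix/externalscripts/ssl-expiry-left.monitor 443. The first call to openssl connects to the service and requests the certificate; the second one parses the certificate and fetches its end date.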

I first tried to do this in seconds, but three years' worth of seconds gave problems. So all value fetching and testing had to be adjusted to work in days. We want an alert when there are less than 30 days left.

An interesting detail in the result display is that the expiry for some really fresh certificates is displayed as '1.06 kDays' (for 1060 days).
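
The day calculation and the 30-day threshold described above, as an added example in Python (not the author's script or zabbix configuration): it separates a failed fetch from an expired or soon-to-expire certificate, where the script above prints 0 both for a failed fetch and for a certificate with less than a day left. The function names, state labels and sample notAfter lines are assumptions constructed for this example.

```python
import re
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # threshold from the post: alert below 30 days left
NOT_AFTER = re.compile(r"^notAfter=(.+)$", re.MULTILINE)


def days_left(openssl_output, now):
    """Whole days until expiry, or None when no usable notAfter line exists.

    openssl_output: text printed by `openssl x509 -enddate -noout`.
    now: Unix timestamp, passed in so the result is reproducible.
    """
    match = NOT_AFTER.search(openssl_output)
    if match is None:
        return None  # connection failed or no certificate came back
    try:
        expiry = ssl.cert_time_to_seconds(match.group(1).strip())
    except ValueError:
        return None  # end date not in openssl's "Mon DD HH:MM:SS YYYY GMT" form
    # Floor division: a certificate that expired an hour ago gives -1, not 0.
    return int((expiry - now) // 86400)


def classify(openssl_output, now):
    """Map the result onto states an alert rule can tell apart."""
    days = days_left(openssl_output, now)
    if days is None:
        return "NODATA"
    if days < 0:
        return "EXPIRED"
    if days < WARN_DAYS:
        return "WARN"
    return "OK"


# Constructed sample inputs, evaluated at a fixed moment (the post's date).
NOW = datetime(2010, 12, 21, 12, 0, 0, tzinfo=timezone.utc).timestamp()
SAMPLES = {
    "fresh": "notAfter=Nov 15 12:00:00 2013 GMT\n",
    "soon": "notAfter=Jan  5 09:34:43 2011 GMT\n",
    "expired": "notAfter=Dec 21 11:00:00 2010 GMT\n",
    "failed": "",  # openssl printed nothing, e.g. the port was closed
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, days_left(text, NOW), classify(text, NOW))
```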
