2010-12-21
SSL certificates are one of the more com ...
SSL certificates are one of the more complicated things to keep an eye on: they work fine for 1, 2 or 3 years and suddenly all your users get confronted with very weird errors (which you want to be an error). So this is an ideal candidate for monitoring in zabbix. It is not a check which has to be done every 5 minutes, but even at every 12 hours (the zabbix maximum) I can get enough advance warning about a certificate which is going to expire. Using an external check and a simple script:#!/usr/bin/perl -w use strict; use Date::Parse; my ($host,$port) = ($ARGV[0],$ARGV[1]); open(SSLINFO,"echo \"\" | openssl s_client -connect $host:$port 2>/dev/null | openssl x509 -enddate -noout 2>/dev/null |"); my $expiry=0; while (<SSLINFO>){ if (/^notAfter=(.+)\n$/){ $expiry=str2time($1); } } if ($expiry>0){ printf "%d\n",($expiry-time())/86400; } else { print "0\n"; }The port as parameter allows me to define multiple items, one for https and one for ldaps. The SSL on port 443 check calls external check ssl-expiry-left.monitor[443] which results in a call to /etc/zabbix/externalscripts/ssl-expiry-left.monitor server.dns.name 443. The first call to openssl is to connect to the service and request the certificate and the second one is to parse the certificate and fetch the enddate from the certificate.I first tried to do this in seconds but three years worth of seconds gave problems. So all value fetching and testing had to be adjusted to work in days. We want an alert when there are less than 30 days left.
Interesting in the result display was that the expiry for some really fresh certificates is displayed as '1.06 kDays' (for 1060 days).