I updated the zabbix ssl certificate tes ... / 2012-12-18

I updated the zabbix ssl certificate test script to be able to use starttls services and did some other changes (tests work better in days left). Current version which can also check for smtp tls and returns the certificate time left in days which makes for easier checks:

#!/usr/bin/perl -w

# monitor the number of days left on the SSL certificate on a publicly
# reachable service
#
# usage in zabbix, create an item in a template
# - Type: External check
# - Key:  ssl-expiry-left.monitor[443]
#   change this for other services and use ssl-expiry-left.monitor[587,"-smtp"]
#   for smtp+tls. Yes, you will need to set up a separate item (/template)
#   for each ssl port combination
# - Type of information: Numeric (unsigned)
# - Data type: Decimal
# - Units: Days
# - Update interval (in sec): 43200
# - Application: SSL+service
#
# possible trigger values:
#
# 0: certificate already expired or invalid or not retrievable
# 
# you can add tests for less than 30 or 60 days left

use strict;
use Date::Parse;

my $protoadd="";

if (defined $ARGV[2]){
        if ($ARGV[2] eq "-smtp"){
                $protoadd="-starttls smtp ";
        }
}

my ($host,$port) = ($ARGV[0],$ARGV[1]);

open(SSLINFO,"echo \"\" | openssl s_client -connect $host:$port $protoadd 2>/dev/null | openssl x509 -enddate -noout 2>/dev/null |");

my $expiry=0;

while (<SSLINFO>){
        if (/^notAfter=(.+)\n$/){
                $expiry=str2time($1);
        }
}

if ($expiry>0){
        my $daysleft=($expiry-time())/86400;
        printf "%d\n",$daysleft>=0?$daysleft:0;
} else {
        print "0\n";
}

Assumes a reasonably recent openssl.

And yes, this script has helped me avoid embarrasment over expired certificates.