best plugin for checking ssl cert expiry

  • '/usr/lib64/nagios/plugins/check_http' '-C' '15,30' '-I' '11.30.10.14' '-S' '-p' '443'


    SSL OK - Certificate 'localhost' will expire on 2018-12-14 02:20 +0000/UTC. HTTP WARNING: HTTP/1.1 404 Not Found - 226 bytes in 0.155 second response time |time=0.154910s;;;0.000000 size=226B;;;0


    Is there some way to suppress everything after "UTC"? i.e. how can I suppress the http warning?

  • Code
    /usr/lib64/nagios/plugins/check_http -V
    check_http v2.2 (monitoring-plugins 2.2)
    /usr/lib64/nagios/plugins/check_http -H monitoring-portal.org -S -C 15,30 -v
    SSL initialized
    OK - Certificate 'monitoring-portal.org' will expire on Mi 01 Jul 2020 23:59:59 GMT +0000.
  • Telling the binary to be verbose is not going to help. I do not want the http response. I do not want the body. I guess I need to write a wrapper.

    The post was edited 1 time, last by mrzog ().

  • Sorry, the '-v' was just an example to show the '-S' = SSL on 443.


    Code
    /usr/lib64/nagios/plugins/check_http -H monitoring-portal.org -S -C 15,30
    OK - Certificate 'monitoring-portal.org' will expire on Mi 01 Jul 2020 23:59:59 GMT +0000.


    Is your check_http a different version/output?

  • The version is not the problem. The problem is, the web server is not really designed to serve web pages. A proprietary http client (not a browser!) connects to this device at port 443.

  • Hmm. I'm not sure how to turn the above into Icinga2 syntax.

    I inherited a file: /etc/icinga2/zones.d/global-templates/global-commands.conf in which I'm guessing the config should go.


    object CheckCommand "check_otd_https" {
      import "plugin-check-command"

      command = [ PluginDir + "/check_http" ]

      arguments = {
        "-I" = "$address$"
        "-p" = "443"
        "-C" = "15,30"
      }
    }

  • I realized I needed to use the ssl template (which uses check_tcp).

    Using the right template makes all the difference in the world.

    Added this to a file /etc/icinga2/zones.d/global-templates/glob-srvcs.conf


    Code
    apply Service "HTTPS/443: DTD Cert Expiration" {
      import "generic-service"
      check_command = "ssl"
      vars.ssl_cert_valid_days_warn = 30
      vars.ssl_cert_valid_days_critical = 15
      vars.check_ipv4 = true
      vars.check_ipv6 = false
      vars.timeout = 30
      assign where host.vars.devtype == "dtd"
    }


    That's all it took!
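
The handshake-only approach the thread settles on (the `ssl` command, no HTTP request) can also be written as a small stand-alone plugin, which is the wrapper idea raised earlier. This is an added example, not code from the thread or from monitoring-plugins; the function names, output wording and 30/15-day defaults (taken from the final config) are assumptions. Certificate verification is switched off so that a device certificate such as 'localhost' can still be read, which means only expiry is reported, not trust.

```python
# Added example (not from the thread): certificate expiry from the TLS handshake alone.
import datetime, socket, ssl, sys

def fetch_der(host, port=443, timeout=30):
    """TLS handshake only, no HTTP request; returns the leaf certificate as DER."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # expiry only: chain and name are NOT validated
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)

def _tlv(buf, i):
    """Read the DER element at offset i: (tag, value_start, value_end)."""
    tag, length, i = buf[i], buf[i + 1], i + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, i, i + length

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, i, _ = _tlv(der, 0)             # Certificate SEQUENCE
    _, i, _ = _tlv(der, i)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, i)
    i = end if tag == 0xA0 else i      # skip the optional [0] version field
    for _ in range(3):                 # skip serialNumber, signature, issuer
        _, _, i = _tlv(der, i)
    _, i, _ = _tlv(der, i)             # validity SEQUENCE
    _, _, i = _tlv(der, i)             # skip notBefore
    tag, start, end = _tlv(der, i)     # notAfter: UTCTime (0x17) or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    when = datetime.datetime.strptime(der[start:end].decode("ascii"), fmt)
    return when.replace(tzinfo=datetime.timezone.utc)

def evaluate(der, now, warn_days=30, crit_days=15):
    """Return (plugin exit code, one-line status) in the Nagios plugin convention."""
    expires = not_after(der)
    days = (expires - now).days
    code = 2 if days < crit_days else 1 if days < warn_days else 0
    state = ("OK", "WARNING", "CRITICAL")[code]
    return code, f"SSL {state} - certificate expires {expires:%Y-%m-%d %H:%M} UTC ({days} days left)"

if __name__ == "__main__":
    try:
        code, line = evaluate(fetch_der(sys.argv[1]), datetime.datetime.now(datetime.timezone.utc))
    except (OSError, ValueError, IndexError) as exc:
        code, line = 3, f"SSL UNKNOWN - {exc}"
    print(line)
    sys.exit(code)
```

Run as a script, it takes the address as its only argument and exits 0/1/2/3 with a single status line.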
