Check for SSL Cert expiring

Zerant · (This post was last modified: 01-25-2019, 06:08 AM by Zerant.)

Hey,

I added a check to my NEMS to check how long my SSL Certs are valid.
Its pretty useful if you are using Letsencrypt and dont have automated renews or even to see if a automated renew is working

This is the check I use
https://exchange.nagios.org/directory/Pl...rt/details

this is the command:

define command {
command_name check_ssl_cert
command_line $USER1$/check_ssl_cert -H $HOSTADDRESS$ -p $ARG1$ -w $ARG2$ -c $ARG3$
}

ARG1=SSL Port
ARG2=days remaining [warn]
ARG3=days remaining [crit]

For the Advanced Service:

advanced service name: SSL validation
service description: SSL validation

check period: 24x7
notification period: 24x7

service template(s): generic-service

ARG1: 443
ARG2: 30
ARG3: 15

Best,
Zerant

***Robbie Ferguson*** · 01-25-2019, 03:02 PM

That's fine, but why not just use the included check_http?

***Robbie Ferguson*** · 01-25-2019, 03:03 PM

-- that said, I'll put this on the to do list just cause maybe it'd be easier for novice users to have this already pre-configured. I'll review it and see if there's any advantage over check_http, which already offers ssl checking.

Zerant · 01-25-2019, 05:16 PM

yes it does, but only if SSL is reachable not how long the cert is valid:

SSL_CERT OK - x509 certificate 'DOMAINNAME' from 'Let's Encrypt Authority X3' valid until Apr 10 10:48:48 2019 GMT (expires in 74 days)

***Robbie Ferguson*** · 02-05-2019, 09:06 PM

That's incorrect. As per the docs at https://docs.nemslinux.com/check_commands/check_http

Check the state of the hosts SSL certificate and treat as a problem if it expires in 30 days or less:

-C 30

That said, I do see value in including a check command specifically for the purpose. I am just pointing out that the functionality is already there, so it's not really necessary.