Nagios has the ability to monitor SSL certificates for expiration. Here’s how to do it:
Steps for Nagios to Monitor SSL Certs
Download the check_ssl_certificate plugin from the Nagios Exchange site.
Update: A better, updated version of the plugin is available for download here (it is mentioned on the previously mentioned Nagios plugins page).
Installation:
Edit the script, replacing the line:
use lib "/usr/lib64/nagios/plugins";
with the path to your nagios plugins directory (where utils.pm is located). For me on Ubuntu 10.04 this was
use lib "/usr/lib/nagios/plugins";
Also edit the line:
my $openssl = "/usr/bin/openssl";
with the path to your openssl binary. Then copy the script into your Nagios plugins directory; on Ubuntu 10.04 it was
/usr/lib/nagios/plugins
I also updated lines 155 – 158 of the script, because it has a bug that allows expired certificates to show up as passing:
if ($daysLeft < 0) {
    print "$PROGNAME: CRITICAL - $cn expired " . abs($daysLeft) . " day(s) ago.\n";
    exit $ERRORS{'CRITICAL'};
} elsif ($daysLeft <= $critical) {
The key part is adding in this line:
exit $ERRORS{'CRITICAL'};
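Nagios sets the service state from the plugin's exit status, not from the text it prints, which is why the missing exit mattered. The following is an added example, not code from the plugin or from the original post: a standalone Python sketch of the same expiry decision, fed the notAfter line that `openssl x509 -noout -enddate` prints. The function names, the 30/7 day thresholds and the sample host name are assumptions made for illustration.

```python
import sys
from datetime import datetime, timezone

# Nagios reads the plugin's exit status, not its output text, to set the state.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3


def parse_not_after(line):
    """Parse a 'notAfter=Jun  1 12:00:00 2030 GMT' line as printed by openssl."""
    value = line.strip().split("=", 1)[-1]
    value = " ".join(value.split())  # openssl pads single-digit days with a space
    if value.endswith(" GMT"):
        value = value[:-4]
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y")
    return parsed.replace(tzinfo=timezone.utc)


def check(line, now=None, warning=30, critical=7, cn="www.yoursite.com"):
    """Return (exit_code, message). Thresholds are assumed example values, in days."""
    now = now or datetime.now(timezone.utc)
    try:
        not_after = parse_not_after(line)
    except ValueError:
        return UNKNOWN, f"UNKNOWN - cannot parse expiry date from {line!r}"
    seconds_left = (not_after - now).total_seconds()
    days_left = int(seconds_left // 86400)  # floors, so an expired cert is < 0
    if seconds_left < 0:
        # The expired branch must return the CRITICAL code, not only the text.
        return CRITICAL, f"CRITICAL - {cn} expired {abs(days_left)} day(s) ago."
    if days_left <= critical:
        return CRITICAL, f"CRITICAL - only {days_left} day(s) left for {cn}."
    if days_left <= warning:
        return WARNING, f"WARNING - only {days_left} day(s) left for {cn}."
    return OK, f"OK - {days_left} day(s) left for {cn}."


if __name__ == "__main__":
    # Usage: openssl x509 -noout -enddate -in cert.pem | python3 this_script.py
    code, message = check(sys.stdin.readline())
    print(message)
    sys.exit(code)
```
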
To monitor a site, you will need to set up a configuration, using something like this (edit to suit your needs):
define command {
    command_name    check_ssl_certificate
    command_line    /usr/lib/nagios/plugins/check_ssl_certificate -H $HOSTNAME$
}
define service {
    use                     generic-service
    host_name               www.yoursite.com
    service_description     check ssl
    check_command           check_ssl_certificate
    contact_groups          admins
}