Archived community.zenoss.org | full text search
Skip navigation
1 2 3 4 Previous Next 343480 Views 54 Replies Latest reply: Oct 11, 2013 8:25 PM by guyverix RSS
unixsamurai Rank: White Belt 42 posts since
Dec 10, 2007
Currently Being Moderated

Oct 24, 2009 9:50 AM

Can Zenoss monitor ssl cert expiration and domain name expiration?

I am hoping we can use zenoss to monitor our SSL webservers (or other ssl cert enabled services) for expiration, we'd also like to have domain names in Zenoss so they can be monitored for expiration dates.

 

Is this currently possible? If there's not a way or a zenpack for it, I'll work with my developer at work to create a zenpack for it.

  • guyverix ZenossMaster 846 posts since
    Jul 10, 2007

    What you are looking for can be found here:

     

    http://dev01.iwillfearnoevil.com:90/transfer/check_certs.sh

     

     

     

    I did not write this, but it works very well...  Unfortunately, I striped out all of the information on who did write it, and dont have a copy in my cvs any longer..  ( I REALLY wish I could find the creator, as this is a great script!, gotta give credit where it is due)

     

    Dont forget that this will need OpenSSL so it can examine the certificate.

     

    Usage: ./check_certs.sh [ -e email address ] [ -x days ] [-q] [-a] [-b] [-h] [-i] [-n] [-v]
           { [ -s common_name ] && [ -p port] } || { [ -f cert_file ] } || { [ -c certificate file ] }

     

      -a                : Send a warning message through E-mail
      -b                : Will not print header
      -c cert file      : Print the expiration date for the PEM or PKCS12 formatted certificate in cert file
      -e E-mail address : E-mail address to send expiration notices
      -f cert file      : File with a list of FQDNs and ports
      -h                : Print this screen
      -i                : Print the issuer of the certificate
      -k password       : PKCS12 file password
      -n                : Run as a Nagios plugin
      -p port           : Port to connect to (interactive mode)
      -s commmon name   : Server to connect to (interactive mode)
      -q                : Don't print anything on the console
      -v                : Only print validation data
      -x days           : Certificate expiration interval (eg. if cert_date < days)

     

    [chubbard@dev01 transfer]# ./check_certs.sh -x 600 -n -p 443 -s www.amazon.com
    www.amazon.com:443                              Expiring     Jul 30 2010  279

     

    As for the other half of your request, a very basic script can be written for that

     

    @dev01 transfer]# whois iwillfearnoevil.com | grep -i expire | awk -F':' '{print $2}'
    06-Jul-11

  • mshundal Rank: Green Belt 116 posts since
    Jul 21, 2008
    looks good but kind of incomplete, would be great to have some sort of alerts based on any certs or domains expiring in 30 days or less.
  • guyverix ZenossMaster 846 posts since
    Jul 10, 2007

    I believe that it would work correctly for doing this.  Since it is a nagios style return, warn when less than x's value, and critical when expired.  I am not sure you would have to do any changes at all

     

    I will test now, and let you know if that is how it behaves..

  • guyverix ZenossMaster 846 posts since
    Jul 10, 2007

    Ok, that was how the script behaved, however it did not return useful information back into Zenoss for how long until expiration.  I have changed the code a bit and here is what it now returns :

     

    ./check_certs.sh -x 500 -n -s speakeasy.net -p 443
    Status Expiring in 444 days. | speakeasy.net 443 Expiring Jan 13 23:59:59 2011 GMT Days=444 :

     

     

    dont forget that the -x ### is for when you want it to alarm in days.  If you want 30 days, put in 30.

     

    Zenoss shows this as a major alarm, for /cmd/fail (adjustable) and the status message in the Event Viewer says "Status Expiring in 444 days."

     

    You are more than welcome to use this new version, I threw it up on the server as http://dev01.iwillfearnoevil.com:90/transfer/check_certs_Nagios.sh

     

    I dont know if you are aware or not, but this script does have a small bug in it.  If SSL fails to find a cert (or retrieve it) it can hang for an extened period of time..

    You will want to debug each domain by hand once to make sure that it behaves.

  • guyverix ZenossMaster 846 posts since
    Jul 10, 2007

    I also wrote a quick and dirty domain expiration check.

     

    http://dev01.iwillfearnoevil.com:90/transfer/check_domain.sh

     

    use: ./check_domain.sh domain.name threshhold as integer.

     

    Output: OK retval 0, warning retval 1, critical retval 2

     

    guyver-barn ~/Projects $ ./check_domain.sh yahoo.com 800
    Status OK Expires in 13 days from threshold | days=13 hours=6

     

    Here is an error:

    ./check_domain.sh iwillfearnoevil.com 700
    Status Warn Domain iwillfearnoevil.com 82 days past threshold | days=82 hours=18

     

    I tested this on several domains, but YMMV.

    works on Netsol, godaddy, uk domains registarrs.

    It will give you an error with a Nagios retval if it cannot get the domain information in a readable fashion.

  • mshundal Rank: Green Belt 116 posts since
    Jul 21, 2008
    nice, i was thinking of piping the output to  parser to get an integer value and map the events accordingly to generate a warning at 30, error at 10 days remaining before expiration or critical at expired. thanks for sharing your work unixsamurai; much appreciated
  • mshundal Rank: Green Belt 116 posts since
    Jul 21, 2008

    ack apologies, tracked this on the crackberry

     

    thanks guy!

  • guyverix ZenossMaster 846 posts since
    Jul 10, 2007
    No problem!  It was fun to code that.. It was finally in a language I am more comfortable in, rather than Python..  Grin
  • zenboy Newbie 1 posts since
    Oct 27, 2009

    thanks for your work guyverix. is it possible for you to export your setup as a zenpack to share it?

     

    thanks in advance!

  • guyverix ZenossMaster 846 posts since
    Jul 10, 2007

    Sure.  I will get that started tonight.  I am still very much a N00b when it comes to ZenPacks however, so I will for safety's sake make the Device class /device/ping/External for external host checking.  It seems like a logical home for it.  Any Devices in this directory will NOT be ping checked however.  Since external partners and root domains sometimes kill ICMP.  Local zProperties to enable Ping on a case by case basis would make the most sense in my mind.

     

    LMK if this will work for you

  • guyverix ZenossMaster 846 posts since
    Jul 10, 2007

    Here you go.  Zenpack.Iwillfearnoevil.Domain  Grin, so my humor is perverse..

     

    Following the dev guide I could not make this ZenPack work correctly.. Grrr..  The Nagios scripts are included, but you will have to COPY them to the /usr/local/zenoss/common/libexec folder, and make sure they are owned by zenoss, and chmodded to 755.  If you look in the ZenPacks details, it will show the path to where they are located.

     

    I have also found out the hard way that Ubuntu changed their whois package. I installed it and had SERIOUS reply time issues. Whois is not even installed on the server version by default either??

     

    Due to this in my testing, the plugin for domain expiration was timing out.  I have added a line into the code for jwhois.  This is included in the Ubuntu repository, it also caches the results locally so you will not have to query whois servers as often. So, apt-get install jwhois as root to install it...

     

    I have left the jwhois query active in check_domain.sh.  This means RedHat, CentOS, and others who use the normal whois will have to comment out line 45, and uncomment line 43.

     

    The normal whois works as you would expect in Redhat (where I wrote the script) as well as its children (centOS, etc)  It only appears that Ubuntu server needs a different one. (dorks).  I do not know off the top of my head if jwhois is available for RH and Centos in the repos, but if so I would recommend using that as well.  It will lower the contstant calls to whois.internic.  (also no changes are needed for the script then)

     

    This ZenPack will create /Devices/Ping/Domain  as well as /Devices/Ping/Domain/SSL

    Since characteristics are inherited, I figured this would be a better way to isolate domain checks that dont necessairly have SSL from SSL enabled domains.

    Ping checks have been disabled for both Domain and SSL

    Both do show a boring countdown graph to doomsday.. Grin..  Counts are in days, the Nagios threshold is set for 30 days warning at this time.  If you want other thresholds, you could build them out in the templates area in the normal fashion.

     

    If you do happen to find registars who do not follow normal whois conventions with their data return values, let me know, and I will revise the check_domain.sh script.

1 2 3 4 Previous Next

More Like This

  • Retrieving data ...

Legend

  • Correct Answers - 4 points
  • Helpful Answers - 2 points