Oct 24, 2009 9:50 AM
Can Zenoss monitor ssl cert expiration and domain name expiration?
I am hoping we can use zenoss to monitor our SSL webservers (or other ssl cert enabled services) for expiration, we'd also like to have domain names in Zenoss so they can be monitored for expiration dates.
Is this currently possible? If there's not a way or a zenpack for it, I'll work with my developer at work to create a zenpack for it.
What you are looking for can be found here:
http://dev01.iwillfearnoevil.com:90/transfer/check_certs.sh
I did not write this, but it works very well. Unfortunately, I stripped out all of the information on who did write it, and don't have a copy in my CVS any longer. (I REALLY wish I could find the creator, as this is a great script! Gotta give credit where it is due.)
Don't forget that this will need OpenSSL so it can examine the certificate.
Usage: ./check_certs.sh [ -e email address ] [ -x days ] [-q] [-a] [-b] [-h] [-i] [-n] [-v]
{ [ -s common_name ] && [ -p port] } || { [ -f cert_file ] } || { [ -c certificate file ] }
-a : Send a warning message through E-mail
-b : Will not print header
-c cert file : Print the expiration date for the PEM or PKCS12 formatted certificate in cert file
-e E-mail address : E-mail address to send expiration notices
-f cert file : File with a list of FQDNs and ports
-h : Print this screen
-i : Print the issuer of the certificate
-k password : PKCS12 file password
-n : Run as a Nagios plugin
-p port : Port to connect to (interactive mode)
-s commmon name : Server to connect to (interactive mode)
-q : Don't print anything on the console
-v : Only print validation data
-x days : Certificate expiration interval (eg. if cert_date < days)
[chubbard@dev01 transfer]# ./check_certs.sh -x 600 -n -p 443 -s www.amazon.com
www.amazon.com:443 Expiring Jul 30 2010 279
As for the other half of your request, a very basic script can be written for that
@dev01 transfer]# whois iwillfearnoevil.com | grep -i expire | awk -F':' '{print $2}'
06-Jul-11
We use that script run via cron. I think it's called check_ssl now.
I guess I could import that script, with some customizations, into Zenoss and use that to monitor our SSL certs expiration.
That's what I was thinking, Warning at 30 days, critical when expired.
I believe that it would work correctly for doing this. Since it is a Nagios-style return, it warns when less than x's value, and is critical when expired. I am not sure you would have to make any changes at all.
I will test now, and let you know if that is how it behaves..
Ok, that was how the script behaved; however, it did not return useful information back into Zenoss for how long until expiration. I have changed the code a bit and here is what it now returns:
./check_certs.sh -x 500 -n -s speakeasy.net -p 443
Status Expiring in 444 days. | speakeasy.net 443 Expiring Jan 13 23:59:59 2011 GMT Days=444 :
Don't forget that the -x ### is for when you want it to alarm in days. If you want 30 days, put in 30.
Zenoss shows this as a major alarm, for /cmd/fail (adjustable) and the status message in the Event Viewer says "Status Expiring in 444 days."
You are more than welcome to use this new version, I threw it up on the server as http://dev01.iwillfearnoevil.com:90/transfer/check_certs_Nagios.sh
I don't know if you are aware or not, but this script does have a small bug in it. If SSL fails to find a cert (or retrieve it), it can hang for an extended period of time.
You will want to debug each domain by hand once to make sure that it behaves.
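A compact Nagios-style certificate check, added here as an illustration and not taken from check_certs.sh or the thread: it keeps the live fetch separate from the day arithmetic so the status logic can be exercised with a fixed notAfter string, and wraps the openssl call in timeout so an endpoint that never hands back a certificate cannot hang the plugin the way described above. It assumes GNU date and coreutils timeout; the host names are placeholders.

```shell
#!/bin/sh
# Added example: Nagios-style certificate expiry check (not the thread's check_certs.sh).
# Assumes GNU date (-d) and coreutils timeout.

# Fetch the notAfter string from a live server, e.g. "Jan 13 23:59:59 2011 GMT".
# timeout keeps a silent or misbehaving endpoint from hanging the plugin.
fetch_notafter() {
    # $1 host, $2 port
    timeout 10 openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# Turn a notAfter string into a status line plus Nagios return code:
# 0 OK, 1 WARNING (fewer than $4 days left), 2 CRITICAL (already expired), 3 UNKNOWN.
# $5 is an optional "now" epoch so the logic can be tested without the wall clock.
evaluate_cert() {
    # $1 host, $2 port, $3 notAfter string, $4 warn threshold in days, $5 now epoch
    exp=$(date -u -d "$3" +%s 2>/dev/null) || { echo "UNKNOWN $1:$2 cannot parse '$3'"; return 3; }
    now=${5:-$(date -u +%s)}
    days=$(( (exp - now) / 86400 ))
    # Compare seconds, not truncated days: a cert that expired this morning is CRITICAL, not "0 days".
    if [ "$exp" -le "$now" ]; then state=CRITICAL; rc=2
    elif [ "$days" -lt "$4" ]; then state=WARNING; rc=1
    else state=OK; rc=0; fi
    # Perfdata after the pipe so Zenoss/Nagios can graph "days"; thresholds travel with it.
    echo "$state $1:$2 expires in $days days ($3) | days=$days;$4;0"
    return $rc
}

# Live check: an empty fetch becomes UNKNOWN instead of a hang or a bogus date.
check_cert() {
    # $1 host, $2 port, $3 warn threshold in days (default 30)
    na=$(fetch_notafter "$1" "$2")
    [ -n "$na" ] || { echo "UNKNOWN $1:$2 no certificate retrieved"; return 3; }
    evaluate_cert "$1" "$2" "$na" "${3:-30}"
}

# Usage when run as a script: ./check_cert.sh host port [warn_days]
if [ "$#" -ge 2 ]; then
    check_cert "$1" "$2" "$3"
fi
```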
I also wrote a quick and dirty domain expiration check.
http://dev01.iwillfearnoevil.com:90/transfer/check_domain.sh
Use: ./check_domain.sh domain.name threshold (as an integer).
Output: OK retval 0, warning retval 1, critical retval 2
guyver-barn ~/Projects $ ./check_domain.sh yahoo.com 800
Status OK Expires in 13 days from threshold | days=13 hours=6
Here is an error:
./check_domain.sh iwillfearnoevil.com 700
Status Warn Domain iwillfearnoevil.com 82 days past threshold | days=82 hours=18
I tested this on several domains, but YMMV.
Works on Netsol, GoDaddy, and UK domain registrars.
It will give you an error with a Nagios retval if it cannot get the domain information in a readable fashion.
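An added sketch of the domain half, not guyverix's check_domain.sh: it pulls the expiry field out of whois text (the label differs between registrars, which is why the thread asks for reports of odd ones) and reports days until expiry against a warning threshold with Nagios return codes. It assumes GNU date, coreutils timeout and a whois client on the path; the two whois fragments in the block are constructed, not real registry records.

```shell
#!/bin/sh
# Added example: Nagios-style domain expiry check over whois output (not the thread's check_domain.sh).
# Assumes GNU date (-d), coreutils timeout and a whois client.

# Constructed whois fragments (not real registry data) showing two label styles the parser accepts.
SAMPLE_WHOIS_ISO="Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Registry Expiry Date: 2011-07-06T00:00:00Z"
SAMPLE_WHOIS_UK="Domain name: example.co.uk
Registrar: Example Hosting Ltd
Expiry date: 06-Jul-2011"

# First line whose label mentions expir/renewal; the value is whatever follows the first colon.
extract_expiry() {
    grep -iE 'expir|renewal' | head -n 1 | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# $1 domain, $2 warn threshold in days, $3 whois text, $4 optional "now" epoch for tests.
# Returns 0 OK, 1 WARNING, 2 CRITICAL (expired), 3 UNKNOWN (no parsable expiry field).
evaluate_domain() {
    raw=$(printf '%s\n' "$3" | extract_expiry)
    [ -n "$raw" ] || { echo "UNKNOWN $1: no expiry field in whois output"; return 3; }
    exp=$(date -u -d "$raw" +%s 2>/dev/null) || { echo "UNKNOWN $1: cannot parse '$raw'"; return 3; }
    now=${4:-$(date -u +%s)}
    days=$(( (exp - now) / 86400 ))
    if [ "$exp" -le "$now" ]; then state=CRITICAL; rc=2
    elif [ "$days" -lt "$2" ]; then state=WARNING; rc=1
    else state=OK; rc=0; fi
    echo "$state $1 expires in $days days ($raw) | days=$days;$2;0"
    return $rc
}

# Live check; timeout bounds the slow whois replies mentioned later in the thread.
check_domain() {
    # $1 domain, $2 warn threshold in days (default 30)
    text=$(timeout 20 whois "$1" 2>/dev/null) || { echo "UNKNOWN $1: whois query failed"; return 3; }
    evaluate_domain "$1" "${2:-30}" "$text"
}

# Usage when run as a script: ./check_domain.sh domain.name [warn_days]
if [ "$#" -ge 1 ]; then
    check_domain "$1" "$2"
fi
```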
ack apologies, tracked this on the crackberry
thanks guy!
thanks for your work guyverix. is it possible for you to export your setup as a zenpack to share it?
thanks in advance!
Sure. I will get that started tonight. I am still very much a N00b when it comes to ZenPacks, however, so for safety's sake I will make the Device class /device/ping/External for external host checking. It seems like a logical home for it. Any Devices in this directory will NOT be ping checked, however, since external partners and root domains sometimes kill ICMP. Local zProperties to enable Ping on a case by case basis would make the most sense in my mind.
LMK if this will work for you
Here you go: Zenpack.Iwillfearnoevil.Domain. Grin, so my humor is perverse.
Following the dev guide, I could not make this ZenPack work correctly. Grrr. The Nagios scripts are included, but you will have to COPY them to the /usr/local/zenoss/common/libexec folder, and make sure they are owned by zenoss and chmodded to 755. If you look in the ZenPack's details, it will show the path to where they are located.
I have also found out the hard way that Ubuntu changed their whois package. I installed it and had SERIOUS reply time issues. Whois is not even installed on the server version by default either??
Due to this in my testing, the plugin for domain expiration was timing out. I have added a line into the code for jwhois. This is included in the Ubuntu repository, it also caches the results locally so you will not have to query whois servers as often. So, apt-get install jwhois as root to install it...
I have left the jwhois query active in check_domain.sh. This means RedHat, CentOS, and others who use the normal whois will have to comment out line 45, and uncomment line 43.
The normal whois works as you would expect in Redhat (where I wrote the script) as well as its children (CentOS, etc.). It only appears that Ubuntu server needs a different one (dorks). I do not know off the top of my head if jwhois is available for RH and CentOS in the repos, but if so I would recommend using that as well. It will lower the constant calls to whois.internic. (Also, no changes are needed for the script then.)
This ZenPack will create /Devices/Ping/Domain as well as /Devices/Ping/Domain/SSL
Since characteristics are inherited, I figured this would be a better way to isolate domain checks that don't necessarily have SSL from SSL-enabled domains.
Ping checks have been disabled for both Domain and SSL
Both do show a boring countdown graph to doomsday. Grin. Counts are in days; the Nagios threshold is set for 30 days warning at this time. If you want other thresholds, you could build them out in the templates area in the normal fashion.
If you do happen to find registrars who do not follow normal whois conventions with their data return values, let me know, and I will revise the check_domain.sh script.