The way that I use this script is to have it export its results to a text file, rather than it being called directly as a local check. You can then use a Check_MK local check to ‘cat’ this file to confirm it has the most up to date version of this file.
Firstly, the script to pull the domain expiry status:
nano /scripts/check-ssl-expiry
#!/bin/bash
# Domains to check, one per line
SSL="www.domain1.com
www.domain2.com
www.domain3.com"
# Remove the output of previous runs
rm -rf /tmp/domain-ssl*
for i in $SSL
do
    # Expiry (notAfter) and issue (notBefore) dates of the certificate served on port 443
    x=$(echo | openssl s_client -servername "$i" -connect "$i":443 2>/dev/null | openssl x509 -noout -dates | grep "notAfter" | sed 's/.*=//')
    j=$(echo | openssl s_client -servername "$i" -connect "$i":443 2>/dev/null | openssl x509 -noout -dates | grep "notBefore" | sed 's/.*=//')
    d=$(date -d "$x" +"%Y%m%d")
    e=$(date +"%Y%m%d")
    # Whole days between today and the expiry date
    g=$(( ( $(date -ud $d +'%s') - $(date -ud $e +'%s') )/60/60/24 ))
    if [ "$g" -gt "6" ]; then
        s=0
        st="SSL certificate for $i (Issued $j) has $g days left until Expiry (Expiry Date: $x)."
    fi
    # -le rather than -lt, so that exactly 6 days does not reuse the previous domain's state
    if [ "$g" -le "6" ]; then
        s=1
        st="SSL certificate for $i (Issued $j) has $g days left until Expiry (Expiry Date: $x)."
    fi
    if [ "$g" -lt "5" ]; then
        # Registrar lookup (not used in the output line below)
        r=$(whois $i | grep "Registrar:")
        s=2
        st="SSL certificate for $i (Issued $j) has $g days left until Expiry (Expiry Date: $x)."
    fi
    if [ "$g" -lt "0" ]; then
        s=2
        st="SSL certificate $i has expired!"
    fi
    # Check_MK local check line: <state> <service name> <perfdata> <text>
    echo "$s SSL_$i count=$g;15;30;0; $st" >> /tmp/domain-ssl-$e.txt
done
chmod +x /scripts/check-ssl-expiry
If you run this script once you have entered your domains, it should create a new .txt file in the /tmp/ directory with the date in its name. We will now need to make a check_mk local check to cat this file so that it can be picked up by your check_mk server.
nano /usr/share/check-mk-agent/local/check-ssl-check
#!/bin/bash
e=$(date +"%Y%m%d")
cat /tmp/domain-ssl-$e.txt
chmod +x /usr/share/check-mk-agent/local/check-ssl-check
If you now re-inventory your host in check_mk it should pull through a local check for each of your domains.
Don’t forget to add an entry into crontab for /scripts/check-ssl-expiry (I normally run this at 00:01 each day).
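An added example, not part of the original script: a helper that builds the Check_MK local check line from a host name and a notAfter string, and reports UNKNOWN (state 3) when the certificate could not be fetched or its date cannot be parsed, instead of handing an empty value to date -d. The function name ssl_check_line, the optional "now" argument and the sample dates are assumptions made for the illustration; the thresholds follow the script above, with exactly 6 days treated as a warning.

```shell
#!/bin/bash
# Added example (hypothetical helper, not from the original post).
# Usage: ssl_check_line HOST NOTAFTER [NOW_EPOCH]
# Prints one Check_MK local check line: <state> <service> <perfdata> <text>

ssl_check_line() {
    local host="$1" not_after="$2" now="${3:-$(date -u +%s)}"
    local expiry days state text

    # An empty notAfter means openssl returned no certificate (host down,
    # DNS failure, TLS error). GNU date -d "" would silently resolve to
    # today, so this case must be caught before any date arithmetic.
    if [ -z "$not_after" ]; then
        echo "3 SSL_$host - Could not retrieve a certificate for $host"
        return 0
    fi

    # A value that date cannot parse is also reported as UNKNOWN.
    if ! expiry=$(date -ud "$not_after" +%s 2>/dev/null); then
        echo "3 SSL_$host - Could not parse expiry date for $host"
        return 0
    fi

    days=$(( (expiry - now) / 86400 ))
    text="SSL certificate for $host has $days days left until Expiry (Expiry Date: $not_after)."

    # Compare epochs for the expired case: integer division rounds toward
    # zero, so a certificate that expired an hour ago still gives days=0.
    if [ "$expiry" -le "$now" ]; then
        state=2
        text="SSL certificate $host has expired!"
    elif [ "$days" -lt 5 ]; then
        state=2
    elif [ "$days" -le 6 ]; then
        state=1
    else
        state=0
    fi
    echo "$state SSL_$host count=$days $text"
}

# Constructed sample inputs (not real certificates), evaluated against a fixed "now".
sample_now=$(date -ud "May 22 12:00:00 2030 GMT" +%s)
ssl_check_line www.domain1.com "Jun  1 12:00:00 2030 GMT" "$sample_now"
ssl_check_line www.domain2.com "" "$sample_now"
```

In the loop above, the value of x would be passed as the second argument and the third argument left out so that the current time is used.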