Checking SSL Certificate Expiry

A check_mk local script for checking SSL Certificate expiry. This script should work for all domain TLDs but let me know if you find any issues!

Rather than having check_mk call this script directly as a local check, I run it separately and have it export its results to a text file. A Check_MK local check then ‘cat’s this file, so the agent always reports the most up-to-date version of it.

Firstly, the script to pull the certificate expiry status for each domain:

nano /scripts/check-ssl-expiry

#!/bin/bash

# Hostnames to check, one per line
SSL="www.domain1.com
www.domain2.com
www.domain3.com"

# Remove the output files left by previous runs
rm -rf /tmp/domain-ssl*

for i in $SSL
do

    # Fetch the certificate once and read both validity dates from it
    c=$(echo | openssl s_client -servername "$i" -connect "$i":443 2>/dev/null | openssl x509 -noout -dates)
    x=$(echo "$c" | grep "notAfter" | sed 's/.*=//')
    j=$(echo "$c" | grep "notBefore" | sed 's/.*=//')
    d=$(date -d "$x" +"%Y%m%d")
    e=$(date +"%Y%m%d")

    # Whole days between today and the expiry date
    g=$(( ( $(date -ud "$d" +'%s') - $(date -ud "$e" +'%s') )/60/60/24 ))

    # OK: 6 days or more left (-ge, so that exactly 6 days is not left unhandled)
    if [ "$g" -ge "6" ]; then
        s=0
        st="SSL certificate for $i (Issued $j) has $g days left until Expiry (Expiry Date: $x)."
    fi

    # WARNING: fewer than 6 days left
    if [ "$g" -lt "6" ]; then
        s=1
        st="SSL certificate for $i (Issued $j) has $g days left until Expiry (Expiry Date: $x)."
    fi

    # CRITICAL: fewer than 5 days left
    if [ "$g" -lt "5" ]; then
        # Registrar lookup; $r is not used in the output line below
        r=$(whois "$i" | grep "Registrar:")
        s=2
        st="SSL certificate for $i (Issued $j) has $g days left until Expiry (Expiry Date: $x)."
    fi

    # CRITICAL: already expired
    if [ "$g" -lt "0" ]; then
        s=2
        st="SSL certificate $i has expired!"
    fi

    # check_mk local check format: <state> <service name> <perfdata> <text>
    echo "$s SSL_$i count=$g;15;30;0; $st" >> /tmp/domain-ssl-$e.txt

done

chmod +x /scripts/check-ssl-expiry

If you run this script when you have entered your domains, it should create a new .txt file in the /tmp/ directory with the date in it. We will now need to make a check_mk local check to cat this file so that it can be picked up by your check_mk server.

nano /usr/share/check-mk-agent/local/check-ssl-check

#!/bin/bash

# Today's date, matching the file name written by /scripts/check-ssl-expiry
e=$(date +"%Y%m%d")

cat /tmp/domain-ssl-$e.txt

chmod +x /usr/share/check-mk-agent/local/check-ssl-check

If you now re-inventory your host in check_mk it should pull through a local check for each of your domains.

Don’t forget to add an entry into crontab for /scripts/check-ssl-expiry (I normally run this at 00:01 each day).
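The status logic of check-ssl-expiry as a standalone function, added here as an example and not part of the original script: it keeps the 6/5/0-day thresholds and perfdata string used above, counts whole days from epoch seconds, and reports UNKNOWN (state 3) when no certificate could be read. The function names, www.example.com and the sample dates are constructed for illustration, and GNU date is assumed.

```shell
#!/bin/bash
# Added example (not the original script). Function names are hypothetical.

# Pull one field (notBefore / notAfter) out of `openssl x509 -noout -dates` text.
cert_field() {   # $1 = field name, $2 = openssl output
    printf '%s\n' "$2" | sed -n "s/^$1=//p"
}

# Print one check_mk local check line: "<state> <service> <perfdata> <text>".
status_line() {  # $1 = host, $2 = openssl -dates output, $3 = now (epoch secs)
    local host=$1 after before exp g s st
    after=$(cert_field notAfter "$2")
    before=$(cert_field notBefore "$2")
    # No certificate (DNS failure, refused connection, TLS error): report
    # UNKNOWN rather than computing a day count from an empty date.
    if [ -z "$after" ] || ! exp=$(date -ud "$after" +%s 2>/dev/null); then
        echo "3 SSL_$host - No certificate could be read from $host:443"
        return 0
    fi
    g=$(( (exp - $3) / 86400 ))        # whole days remaining
    st="SSL certificate for $host (Issued $before) has $g days left until Expiry (Expiry Date: $after)."
    if   [ "$exp" -le "$3" ]; then s=2; st="SSL certificate $host has expired!"
    elif [ "$g" -lt 5 ]; then s=2      # critical
    elif [ "$g" -lt 6 ]; then s=1      # warning
    else s=0                           # 6 days or more: OK
    fi
    echo "$s SSL_$host count=$g;15;30;0; $st"
}

# Constructed sample of `openssl x509 -noout -dates` output (not a real cert).
SAMPLE_DATES='notBefore=Jan  1 00:00:00 2030 GMT
notAfter=Apr  1 00:00:00 2030 GMT'

# Evaluate the sample at fixed points in time, then a failed fetch.
for day in 2030-03-26 2030-03-27 2030-03-28 2030-04-02; do
    status_line www.example.com "$SAMPLE_DATES" "$(date -ud "$day" +%s)"
done
status_line unreachable.example.com "" "$(date -u +%s)"
```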
