{"id":4468,"date":"2019-10-20T13:35:09","date_gmt":"2019-10-20T10:35:09","guid":{"rendered":"https:\/\/kifarunix.com\/?p=4468"},"modified":"2024-03-12T22:06:00","modified_gmt":"2024-03-12T19:06:00","slug":"monitor-ssl-tls-certificates-expiry-with-nagios","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/monitor-ssl-tls-certificates-expiry-with-nagios\/","title":{"rendered":"Monitor SSL\/TLS Certificates Expiry with Nagios"},"content":{"rendered":"\n<p>Well, assuming you understand the <a rel=\"noreferrer noopener\" aria-label=\"implications of the expired SSL\/TLS certificates, (opens in a new tab)\" href=\"https:\/\/comodosslstore.com\/blog\/hazards-of-an-expired-ssl-certificate.html\" target=\"_blank\">implications of the expired SSL\/TLS certificates,<\/a> let us go through how to monitor SSL\/TLS Certificates Expiry with Nagios. Nagios provides SSL certificate monitoring and alerts you when a certificate's expiration date draws closer, using the Nagios Plugins.<\/p>\n\n\n\n<p>Before you can proceed, install and set up the Nagios server. 
Follow the links below to set up the Nagios server on your desired system.<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-nagios-server-on-centos-8\/\" target=\"_blank\">Install Nagios Server on CentOS 8<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-nagios-core-on-debian-10-buster\/\" target=\"_blank\">Install Nagios Core on Debian 10 Buster<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Monitoring SSL\/TLS Certificates Expiry with Nagios<\/h2>\n\n\n\n<p>Once your Nagios server is up and ready, proceed to configure it to monitor the expiry of your web servers' SSL\/TLS certificates.<\/p>\n\n\n\n<p>The <code><strong><a href=\"https:\/\/www.monitoring-plugins.org\/doc\/man\/check_http.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"check_http (opens in a new tab)\">check_http<\/a><\/strong><\/code>&nbsp;Nagios plugin is used to test the HTTP service on the specified host. It can test normal (http) and secure (https) servers, follow redirects, search for strings and regular expressions, check connection times, and report on certificate expiration times.<\/p>\n\n\n\n<p>Reporting on certificate expiration times is the main focus of this guide.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install Nagios Plugins<\/h3>\n\n\n\n<p>Nagios plugins provide the check_http plugin script. Below is a sample guide on how to install Nagios plugins on the Nagios server.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-install-nagios-plugins-from-source-rhel-centos-oracle-linux\/\">Install Nagios Plugins From Source RHEL\/CentOS\/Oracle Linux<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Add the Host to Nagios Server<\/h3>\n\n\n\n<p>Next, you need to add the host whose SSL\/TLS certificates are to be monitored to the Nagios server. 
See a sample guide below:<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/add-hosts-to-nagios-server-for-monitoring\/\" target=\"_blank\">Add Hosts to Nagios Server For Monitoring<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Create Check_HTTP Command Object Definition<\/h3>\n\n\n\n<p>Create a command object definition that defines how to use the check_http command to monitor the SSL\/TLS certificates.<\/p>\n\n\n\n<p>If you compiled Nagios from the source, then create the command definition configuration in <code>\/usr\/local\/nagios\/etc\/objects<\/code>. You can also use your own custom sub-directory, like <code>\/usr\/local\/nagios\/etc\/objects\/kifarunix-demo<\/code>, as in our case.<\/p>\n\n\n\n<p><strong>Be sure to replace PATHS accordingly.<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/usr\/local\/nagios\/etc\/objects\/kifarunix-demo\/commands.cfg<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><strong># Check SSL\/TLS Certificate Expiry Command Definition<\/strong>\ndefine command{\n    command_name check_certs\n    command_line \/usr\/local\/nagios\/libexec\/check_http -S -I $HOSTADDRESS$ -p $ARG1$ -C $ARG2$\n}<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The command is named <code>check_certs<\/code> and will be called in the service definition using this name.<\/li>\n\n\n\n<li><code>\/usr\/local\/nagios\/libexec\/check_http<\/code> specifies the location of the Nagios script.<\/li>\n\n\n\n<li><code><strong>-S<\/strong><\/code> instructs the check_http plugin to connect via SSL\/TLS; the port defaults to 443.<\/li>\n\n\n\n<li>The <code><strong>-I<\/strong><\/code> option specifies the IP address or name of the host. You can also use the <code>-H<\/code> option to pass the hostname for servers that use host headers (virtual hosts).<\/li>\n\n\n\n<li><strong><code>-p<\/code><\/strong> specifies the port number to check. 
Useful if you want to check SSL for other ports like SMTPS, IMAPS, POP3S.<\/li>\n\n\n\n<li><strong><code>-C<\/code><\/strong> specifies the minimum number of days a certificate has to be valid.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Create Check_HTTP Service Object Definition<\/h3>\n\n\n\n<p>After creating the command object definition to check the SSL certificate, proceed to define a service that calls the <code>check_certs<\/code> command defined above.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/usr\/local\/nagios\/etc\/objects\/kifarunix-demo\/services.cfg<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>define service{\n         use                 kifarunix-demo-service\n         host_name           web01.kifarunix-demo.com    \n         service_description HTTPS SSL Certificate\n         check_command       check_certs!443!10\n }<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The <code><strong>use<\/strong><\/code> statement defines the service template to use.<\/li>\n\n\n\n<li><strong><code>host_name<\/code><\/strong> specifies the host to check the SSL expiry against.<\/li>\n\n\n\n<li><strong><code>service_description<\/code><\/strong> is the description of the service name.<\/li>\n\n\n\n<li><strong><code>check_command<\/code><\/strong> specifies the name of the&nbsp;command&nbsp;that should be used to check&nbsp;the SSL certificate, as defined in the command definition above.<\/li>\n\n\n\n<li><strong>443<\/strong> is the SSL port to check, that is, the value for <strong><code>-p $ARG1$<\/code><\/strong>.<\/li>\n\n\n\n<li><strong><code>!10<\/code><\/strong> specifies the value of the <code><strong>-C $ARG2$<\/strong><\/code> in the command definition. 
Hence, you will receive a notification 10 days before certificate expiry.<\/li>\n<\/ul>\n\n\n\n<p>If you need to monitor other ports like SMTPS, POPS, IMAPS, you can add such service definitions to your Service Object definition configuration file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>define service{\n         use                 kifarunix-demo-service\n         host_name           mail.kifarunix-demo.com    \n         service_description SMTP SSL Certificate\n         check_command       check_certs!465!10\n }\ndefine service{\n         use                 kifarunix-demo-service\n         host_name           mail.kifarunix-demo.com    \n         service_description SMTP TLS Certificate\n         check_command       check_certs!587!10\n }\ndefine service{\n         use                 kifarunix-demo-service\n         host_name           mail.kifarunix-demo.com    \n         service_description IMAPS Certificate\n         check_command       check_certs!993!10\n }\ndefine service{\n         use                 kifarunix-demo-service\n         host_name           mail.kifarunix-demo.com    \n         service_description POP3 SSL Certificate\n         check_command       check_certs!995!10\n }<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Verify Nagios Configuration<\/h3>\n\n\n\n<p>It is wise to check the Nagios configuration for syntax errors every time you make changes.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/usr\/local\/nagios\/bin\/nagios -v \/usr\/local\/nagios\/etc\/nagios.cfg<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>...\nTotal Warnings: 0\nTotal Errors:   0\n\nThings look okay - No serious problems were detected during the pre-flight check<\/code><\/pre>\n\n\n\n<p>If there are no errors, restart the Nagios service.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart nagios<\/code><\/pre>\n\n\n\n<p>Verify the SSL checks from the command line:<\/p>\n\n\n\n<pre 
class=\"wp-block-preformatted\"><code>\/usr\/local\/nagios\/libexec\/check_http -I web01.kifarunix-demo.com -p 443 -C 10<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>SSL OK - Certificate '*.kifarunix-demo.com' will expire on 2020-10-18 08:21 -0400\/EDT. HTTP OK: HTTP\/1.1 200 OK - 303 bytes in 0.025 second response time |time=0.025159s;;;0.000000 size=303B;;;0<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/usr\/local\/nagios\/libexec\/check_http -I mail.kifarunix-demo.com -p 465 -C 20<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>SSL WARNING - Certificate 'mx01.kifarunix-demo.com' expires in 12 day(s) (2019-11-08 23:14 +0000\/EDT).<\/code><\/pre>\n\n\n\n<p>You can also navigate to the Nagios web interface to verify the SSL checks.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a href=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/10\/check-ssl.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1146\" height=\"321\" src=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/10\/check-ssl.png\" alt=\"Monitor SSL\/TLS Certificates Expiry with Nagios\" class=\"wp-image-4483\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/10\/check-ssl.png?v=1571567426 1146w, https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/10\/check-ssl-768x215.png?v=1571567426 768w\" sizes=\"(max-width: 1146px) 100vw, 1146px\" \/><\/a><\/figure>\n\n\n\n<p>There you go. You will now be notified when your SSL\/TLS certificate expiry date is 10 days or less away.<\/p>\n\n\n\n<p>Want to be notified via email? 
Follow the link below to learn how to configure Nagios email notification using Gmail.<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/configure-nagios-email-notification-using-gmail\/\" target=\"_blank\" rel=\"noreferrer noopener\">Configure Nagios Email Notification Using Gmail<\/a><\/p>\n\n\n\n<p>See other Nagios guides by following the links below;<\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/monitor-linux-hosts-using-nagios-check_by_ssh-plugin\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Monitor Linux Hosts using Nagios check_by_ssh Plugin<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Well, assuming you understand the implications of the expired SSL\/TLS certificates, let us go through how to monitor SSL\/TLS Certificates Expiry with Nagios. Nagios provides<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,72,73],"tags":[1167,1639,76,145,1165,1166],"class_list":["post-4468","post","type-post","status-publish","format-standard","hentry","category-howtos","category-monitoring","category-nagios","tag-check_http","tag-monitor-ssl-certificate-expiry-with-nagios","tag-nagios-core","tag-nagios-monitoring","tag-nagios-ssl-monitoring","tag-ssl-tls-certificates","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4468"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=4468"}],"version-history":[{"count":7,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2
\/posts\/4468\/revisions"}],"predecessor-version":[{"id":21218,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4468\/revisions\/21218"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=4468"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=4468"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=4468"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}