I have to monitor the expiration of some SSL Certificates and was making some tests with heartbeat.
I know that if you have a http monitor using ssl and the ca certificate you will be able to have the expiration date of the certificate on the field tls.certificate_not_valid_after, something like that:
But I would need to have the CA certificate file on the server, I was wondering if it is possible to have a monitor that works like the check_http plugin from nagios, where you pass the site as a parameter and it returns the expiration date.
I want to get the expiration date of a site certificate, today I'm using a nagios plugin for it where I pass the site as a parameter, like below
[user@server plugins]$ ./check_http -H site.com --ssl --sni -C 90
SSL OK - Certificate 'site.com' will expire in 527 days on 2020-08-08 16:42 -0300/-03.
This brings me the expiration date of the certificate, and will mark as a WARNING if the date is less then 90, because of the parameter -C 90.
I do not need to have the certificate of site.com to do it.
I was planning to do the same with heartbeat, but if I do not have the site certificate on my machine and configured on the monitor, it will give me an error.
So, this is possible, but it's a bit different of a strategy.
My concern with marking a site down when its cert expires in X days is that it's not down yet.
The reason we built this without this feature is that you can query for sites expiring in X days using Elasticsearch or watcher. There's no need to hardcode that info in config files.
In the future, we'd like to make alerting on that condition easy using the new uptime UI, but we're not quite there yet.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.