Monitoring multiple SSL certificates on a single host using Nagios XI

I was recently looking to monitor multiple SSL certificates on a single host, one for each of several network services. Nagios appeared to have a limitation here: the ‘check_xi_service_http_cert’ check command can only monitor a single SSL certificate per monitored host.

I therefore created a PowerShell script that allows multiple certificates to be monitored, selected by the port number of the network service. It retrieves the expiry date of the SSL certificate and uses it to generate a service status.

The script depends on two parameters: one for the host name (by default, the FQDN of the local host) and a mandatory parameter for the port number.

Param ([string] $URL= ([System.Net.Dns]::GetHostByName(($env:computerName))).HostName, [parameter(Mandatory =$true)][string] $Port) 

Once we have specified the parameters required we will initiate a client connection to the TCP network service by invoking the ‘System.Net.Sockets.TcpClient’ class.

$TCPClient = New-Object System.Net.Sockets.TcpClient($URL,$Port) 

Once the client connection has been established, we will create a stream for client-server communication that uses the Secure Socket Layer (SSL) security protocol to authenticate the server and optionally the client.

$SSLStream = New-Object System.Net.Security.SslStream($TCPClient.GetStream())
$SSLStream.AuthenticateAsClient($URL) 

We can now retrieve the expiration date of the certificate used to authenticate the remote endpoint and store it in a variable, which the conditional logic will compare against to determine the service status.

$Certificate = $SSLStream.Get_RemoteCertificate()
$Expiry = [datetime]::Parse($Certificate.GetExpirationDateString())

Now we will use conditional logic to compare the expiry date against dates a fixed number of days ahead of the current date, using the following criteria.

  • If the expiry date is more than 30 days in the future, report the service status as ‘OK’
  • If the expiry date is 7 days or less in the future, report the service status as ‘Critical’
  • If the expiry date is 30 days or less in the future, report the service status as ‘Warning’

If (((Get-Date).AddDays(30)) -lt $Expiry)
    { 
    "OK - Certificate will expire on " + $Expiry.ToString("dd/MM/yyyy HH:mm") 
    $returncode = "0" 
    } 
    
ElseIf (((Get-Date).AddDays(7)) -ge $Expiry)
    { 
    "Critical - Certificate will expire on " + $Expiry.ToString("dd/MM/yyyy HH:mm") 
    $returncode = "2" 
    } 
    
ElseIf (((Get-Date).AddDays(30)) -ge $Expiry)
    { 
    "Warning - Certificate will expire on " + $Expiry.ToString("dd/MM/yyyy HH:mm") 
    $returncode = "1" 
    } 

Once the service status has been determined, the PowerShell session will exit, returning an exit code.

exit $returncode

Once you have configured the external script to run within Nagios (http://wp.me/p15Mdc-eC), you will be able to monitor multiple SSL certificate expirations on a single host. Alternatively, you can invoke the script from the PowerShell console as below:

./Check-SSLCertificates.ps1 -URL server.domain.local -Port 443
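
With default validation, AuthenticateAsClient throws for a certificate that is already expired, untrusted or issued for another name, before the certificate can be read. The variant below is an added example, not the original script: it records the validation result, still reads the expiry date, and returns Nagios exit code 3 (UNKNOWN) when the connection itself fails. The -WarningDays and -CriticalDays parameters are assumptions introduced here, and the callback is assumed to run on the calling thread, as it does for a synchronous handshake.

```powershell
# Added example: hardened variant of the check, not the original script.
Param (
    [string] $URL = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName,
    [Parameter(Mandatory = $true)][int] $Port,
    [int] $WarningDays = 30,   # assumed parameter; default matches the post
    [int] $CriticalDays = 7    # assumed parameter; default matches the post
)

# Record validation errors but let the handshake finish so the certificate
# can still be read. The probe never sends application data on this stream.
$script:PolicyErrors = [System.Net.Security.SslPolicyErrors]::None
$Callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $cert, $chain, $policyErrors)
    $script:PolicyErrors = $policyErrors
    $true
}

$TCPClient = $null
$SSLStream = $null
try {
    $TCPClient = New-Object System.Net.Sockets.TcpClient($URL, $Port)
    $SSLStream = New-Object System.Net.Security.SslStream($TCPClient.GetStream(), $false, $Callback)
    $SSLStream.AuthenticateAsClient($URL)

    # NotAfter is a DateTime, so no culture-dependent string parsing is needed.
    $Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($SSLStream.RemoteCertificate)
    $Expiry = $Certificate.NotAfter
    $DaysLeft = ($Expiry - (Get-Date)).TotalDays
    $Detail = "Certificate expires on " + $Expiry.ToString("dd/MM/yyyy HH:mm") + " (validation: $script:PolicyErrors)"

    if ($DaysLeft -le $CriticalDays -or $script:PolicyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
        "Critical - $Detail"; $returncode = 2
    } elseif ($DaysLeft -le $WarningDays) {
        "Warning - $Detail"; $returncode = 1
    } else {
        "OK - $Detail"; $returncode = 0
    }
} catch {
    # Nagios plugin convention: exit code 3 means UNKNOWN (check could not run).
    "Unknown - no certificate retrieved from ${URL}:${Port} - " + $_.Exception.Message
    $returncode = 3
} finally {
    if ($SSLStream) { $SSLStream.Dispose() }
    if ($TCPClient) { $TCPClient.Close() }
}

exit $returncode
```

Any validation error (expired, name mismatch, untrusted chain) is reported as Critical here, so the account running the check needs the issuing CA in its trust store for internally issued certificates to show as OK.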