Saturday 15 December 2018

Apache SSL Certificate expiry monitoring With Nagios



Nagios plugin “check_http” provides SSL Certificate monitoring to check certificates expiration dates and Nagios generate alerts when SSL certificates near their expiration date. So the same can renew their certificates before problems occur.
Most of the Nagios plugins are available in EPEL repository (Extra Packages for Enterprise Linux) for Cent OS 7 and RHEL.

Nagios Server: Centos/RHEL 6 (Compiled Nagios core installed)
Nagios client OS: Centos/ RHEL 7 (NRPE agent installed by Yum)

Step 1: Setup EPEL repository and install “check_http” Nagios plugin: Follow tutorial How to install EPEL repository on Centos7 and Run the following command to install the check_http nagios plugin if already not installed.


[root@linuxcnf-client ~]# yum install nagios-plugins-http
Loaded plugins: changelog, fastestmirror
……
Installed:
  nagios-plugins-http.x86_64 0:2.2.1-9git5c7eb5b9.el7

Complete!
[root@linuxcnf-client ~]#

Step 2: Configure NRPE: add the below line in NRPE configuration file in nagios client where SSL certificate is installed:

[root@linuxcnf-client ~]# vi /etc/nagios/nrpe.cfg
……
command[check_ssl_linuxcnf]=/usr/lib64/nagios/plugins/check_http -H www.linuxcnf.com -S --sni -C 30,14
[root@linuxcnf-client ~]#

Step 3: Run the following command to verify the command working status:
  
[root@linuxcnf-client ~]# /usr/lib64/nagios/plugins/check_http -H www.linuxcnf.com -S --sni -C 30,14
SSL OK - Certificate 'www.linuxcnf.com' will expire in 69 days on 2019-02-22 13:49 +0530/IST.
[root@linuxcnf-client ~]#

Step 4: Restart NRPE service: Run the following command to restart NREP service:

[root@linuxcnf-client ~]# service nrpe restart
Redirecting to /bin/systemctl restart nrpe.service
[root@linuxcnf-client ~]#

Step 5: Integrate the command in Nagios server: if host details and command details are already defined for the client on Naigos server and add the below service definition in host configuration file and define host configuration

define service {
        use                           generic-service
        host_name               <Server_Hostname>
        contacts                   nagiosadmin
        service_description   www.linuxcnf.com  SSL Check
        check_command       check_nrpe!check_ssl_linuxcnf
}
  
Step 6: Pre-flight check and reload Nagios service: Run the following command to check configuration syntax check:

[root@linuxcnf-server ~]# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
……
Total Warnings: 0
Total Errors:   0

Things look okay - No serious problems were detected during the pre-flight check
[root@linuxcnf-server ~]#

In above output, No errors are detected during the pre-flight check and can reload the nagios service:

[root@linuxcnf-server ~]# service nagios reload
Reloading nagios configuration (via systemctl):            [  OK  ]
[root@linuxcnf-server ~]#

It’s done. Now check the SSL certificate expiry status on Nagios console and Nagios also will generate alerts [warning, critical] when SSL certificates near their expiration date.

No comments:

Post a Comment