Saturday, 8 June 2019

How to Monitor SSL Certificate Expiry with Nagios



The Nagios plugin “check_http” can monitor SSL certificate expiration dates, and Nagios generates alerts when a certificate nears its expiration date, so the certificate can be renewed before problems occur.
Most Nagios plugins are available in the EPEL repository (Extra Packages for Enterprise Linux) for CentOS 7 and RHEL.

Nagios server: CentOS/RHEL 6 (compiled Nagios Core installed)
Nagios client OS: CentOS/RHEL 7 (NRPE agent installed with yum)

Step 1: Set up the EPEL repository and install the “check_http” Nagios plugin: Follow the tutorial How to install EPEL repository on Centos7, then run the following command to install the check_http Nagios plugin if it is not already installed.


[root@linuxcnf-client ~]# yum install nagios-plugins-http
Loaded plugins: changelog, fastestmirror
……
Installed:
  nagios-plugins-http.x86_64 0:2.2.1-9git5c7eb5b9.el7

Complete!
[root@linuxcnf-client ~]#

Step 2: Configure NRPE: Add the line below to the NRPE configuration file on the Nagios client, replacing the site name with your own SSL-configured site:

[root@linuxcnf-client ~]# vi /etc/nagios/nrpe.cfg
……
command[check_ssl_linuxcnf]=/usr/lib64/nagios/plugins/check_http -H www.linuxcnf.com -S --sni -C 30,14
[root@linuxcnf-client ~]#

Step 3: Run the following command to verify that the check works:

[root@linuxcnf-client ~]# /usr/lib64/nagios/plugins/check_http -H www.linuxcnf.com -S --sni -C 30,14
SSL OK - Certificate 'www.linuxcnf.com' will expire in 72 days on 2019-08-20 16:43 +0530/IST.
[root@linuxcnf-client ~]#

Step 4: Restart the NRPE service: Run the following command to restart the NRPE service:

[root@linuxcnf-client ~]# service nrpe restart
Redirecting to /bin/systemctl restart nrpe.service
[root@linuxcnf-client ~]#

Step 5: Integrate the command in the Nagios server: Add the service definition below to the host configuration file and define the host configuration (assuming that the server is already integrated in the Nagios server and the check_nrpe check command is defined).

define service {
        use                     generic-service
        host_name               <Server_Hostname>
        contacts                nagiosadmin
        service_description     www.linuxcnf.com SSL Check
        check_command           check_nrpe!check_ssl_linuxcnf
}
  
Step 6: Pre-flight check and reload the Nagios service: Run the following command to check the configuration syntax:

[root@linuxcnf-server ~]# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
……
Total Warnings: 0
Total Errors:   0

Things look okay - No serious problems were detected during the pre-flight check
[root@linuxcnf-server ~]#

In the above output, no errors were detected during the pre-flight check, so the Nagios service can be reloaded:

[root@linuxcnf-server ~]# service nagios reload
Reloading nagios configuration (via systemctl):            [  OK  ]
[root@linuxcnf-server ~]#

It’s done. Now check the SSL certificate expiry status on the Nagios console. Nagios will also generate alerts [warning, critical] when SSL certificates near their expiration date.
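
To cross-check what the NRPE command reports, the following Python script reads the certificate's notAfter date over TLS with SNI and maps the remaining days to Nagios exit codes. It is an added example, not code from this post or from the Nagios plugins project; the host www.example.com is a placeholder, and the threshold boundaries (WARNING at 30 days or fewer, CRITICAL at 14 or fewer) are this example's reading of -C 30,14.

```python
#!/usr/bin/env python3
import socket
import ssl
import sys
import time

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes


def days_left(not_after, now=None):
    """Whole days until a notAfter value such as 'Aug 20 11:13:00 2019 GMT'."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def classify(days, warn=30, crit=14):
    """Map remaining days to (exit code, label); defaults mirror -C 30,14."""
    if days < 0:
        return CRITICAL, "CRITICAL (expired)"
    if days <= crit:
        return CRITICAL, "CRITICAL"
    if days <= warn:
        return WARNING, "WARNING"
    return OK, "OK"


def fetch_not_after(host, port=443, timeout=10):
    """Read notAfter from the certificate the server presents for this SNI name."""
    ctx = ssl.create_default_context()  # also validates the chain and host name
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def main(argv):
    host = argv[1] if len(argv) > 1 else "www.example.com"  # placeholder host
    try:
        days = days_left(fetch_not_after(host))
    except ssl.SSLError as exc:  # includes an already-expired or untrusted cert
        print(f"SSL CRITICAL - TLS validation failed for {host}: {exc}")
        return CRITICAL
    except OSError as exc:
        print(f"SSL UNKNOWN - cannot connect to {host}: {exc}")
        return UNKNOWN
    state, label = classify(days)
    print(f"SSL {label} - certificate for {host} expires in {days} days")
    return state


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Unlike a pure expiry check, this script also fails as CRITICAL when the chain or host name does not validate, because it uses Python's default verifying TLS context.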
