NetXMS Support Forum

Author Topic: Monitoring SSL Certificate expiry.  (Read 733 times)

Darren Leggett

  • Newbie
Monitoring SSL Certificate expiry.
« on: June 20, 2018, 04:14:08 pm »

Is there any way using NetXMS to monitor how long an SSL certificate has before it will expire?

Victor Kirhenshtein

  • Lead Developer
  • Administrator
  • Hero Member
Re: Monitoring SSL Certificate expiry.
« Reply #1 on: June 20, 2018, 04:51:59 pm »

Hi,

Where is this certificate located? If it is a web site certificate or a file on the file system, you can use the openssl command line tool to extract it (and run it as an ExternalParameter in the NetXMS agent). For example, the following external parameter will extract the certificate validity date for a given web site:

Code: [Select]
# $1 is replaced with the argument passed to the parameter, e.g. netxms.org
ExternalParameterShellExec = HTTPS.CertificateExpireDate(*):echo | openssl s_client -showcerts -servername $1 -connect $1:443 2>/dev/null | openssl x509 -inform pem -noout -enddate | cut -d = -f 2

Requesting it as

HTTPS.CertificateExpireDate(netxms.org)

will return

Sep  2 21:57:24 2018 GMT

Then you can use NXSL transformation script to convert it to UNIX timestamp:

Code: [Select]
// Input looks like: Sep  2 21:57:24 2018 GMT
if ($1 match "^\\s*([A-Za-z]+)\\s+([0-9]+)\\s+([0-9]+):([0-9]+):([0-9]+)\\s+([0-9]+)")
{
   t = new TIME();
   t->year = $6;
   t->mon = MonthFromName($1);
   t->mday = $2;
   t->hour = $3;
   t->min = $4;
   t->sec = $5;
   t->isdst = -1;
   return mktime(t);
}
else
{
   return 0; // error
}

sub MonthFromName(name)
{
   m = 0;
   for(n : %("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"))
   {
      if (n == name)
         return m;
      m++;
   }
   return 0;  // error
}

Alternatively you can use

Code: [Select]
   return mktime(t) - time();

to get the number of seconds until certificate expiration.

Best regards,
Victor
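
An added example, not part of the original posts or of NetXMS: the same check written in Python, converting the `notAfter` date to a UTC timestamp and to seconds remaining, with a connect timeout and a host-name check on the argument. All function names are hypothetical, and the script assumes it is called with the host name as its only argument.

```python
import re
import socket
import ssl
import sys
import time

# One DNS label: letters, digits, inner hyphens, at most 63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}")


def valid_host(name):
    """Reject anything that is not a plain host name (no spaces, ';', '|', ...)."""
    return len(name) <= 253 and _HOST_RE.fullmatch(name) is not None


def parse_enddate(text):
    """Accept 'notAfter=Sep  2 21:57:24 2018 GMT' or the bare date.

    Returns seconds since the epoch, interpreting the date as GMT/UTC
    regardless of the local time zone of the machine running the check.
    """
    value = text.strip().split("=", 1)[-1].strip()
    return ssl.cert_time_to_seconds(value)


def seconds_left(enddate, now=None):
    """Seconds until expiry; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return parse_enddate(enddate) - int(now)


def fetch_enddate(host, port=443, timeout=10):
    """Connect with a timeout and return the server certificate's notAfter string."""
    if not valid_host(host):
        raise ValueError("invalid host name: %r" % host)
    ctx = ssl.create_default_context()
    # An expired or untrusted certificate fails verification during the
    # handshake and raises ssl.SSLCertVerificationError; alert on that too.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    print(seconds_left(fetch_enddate(sys.argv[1])))
```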

Tursiops

  • Sr. Member
Re: Monitoring SSL Certificate expiry.
« Reply #2 on: June 21, 2018, 03:17:00 am »

Hi,

On Windows you can use PowerShell to parse the local certificate store to generate a list of certificates. Something like the below should give you a list of certificates in your local computer store and only return the most recent one for certificates with the same subject and issuer, so you don't alert if you leave old certificates on your system beyond expiry.
Code: [Select]
Get-Childitem -Path Cert:LocalMachine\My -recurse|?{$_.Subject -match "CN=.*\..*"}|Group-Object -Property Subject,Issuer|%{ $_.Group | Sort-Object -Property NotAfter -Descending | Select -First 1}

You can use the output of the above to filter for only the type of certs you care about (e.g. you could remove certificates that were signed by a local CA or similar).
Once you have that list, you can use instance discovery to go through those certificates and pull the expiration date. Just be aware that you'll be getting the expiration date in US format, i.e. MM/DD/YYYY. There's probably a way around that, but my PowerShell is limited :).
Using a transform script, you should be able to check on age and alert for example if it's due to expire soon or if it has already expired. Sorry, don't have example code for that part.

Or are you after "Connect to website via https and tell me when the certificate expires", in which case you could probably use Nagios' check_http for that (you can configure and call that as an ExternalParameter on your NetXMS server). Again, we're not doing that, so don't have an example config.

Cheers

Darren Leggett

  • Newbie
Re: Monitoring SSL Certificate expiry.
« Reply #3 on: June 22, 2018, 03:51:30 pm »

Thanks for your responses. I've tried using the OpenSSL suggestion from Victor, but my NetXMS server is running on Windows. When I tried to run the s_client command, it runs but does not exit for about a minute. Any ideas how I can avoid this long delay?