NetXMS Support Forum

English Support => General Support => Topic started by: Darren Leggett on June 20, 2018, 04:14:08 PM

Title: Monitoring SSL Certificate expiry.
Post by: Darren Leggett on June 20, 2018, 04:14:08 PM
Is there any way using NetXMS to monitor how long an SSL certificate has before it will expire?
Title: Re: Monitoring SSL Certificate expiry.
Post by: Victor Kirhenshtein on June 20, 2018, 04:51:59 PM
Hi,

Where is this certificate located? If it is a web site certificate or a file on the file system, you can use the openssl command line tool to extract it (and run it as an ExternalParameter in the NetXMS agent). For example, the following external parameter will extract the certificate validity date for a given web site:


ExternalParameterShellExec = HTTPS.CertificateExpireDate(*):echo | openssl s_client -showcerts -servername $1 -connect $1:443 2>/dev/null | openssl x509 -inform pem -noout -enddate | cut -d = -f 2


Requesting it as

HTTPS.CertificateExpireDate(netxms.org)

will return

Sep  2 21:57:24 2018 GMT

Then you can use an NXSL transformation script to convert it to a UNIX timestamp:


if ($1 match "^\\s*([A-Za-z]+)\\s+([0-9]+)\\s+([0-9]+):([0-9]+):([0-9]+)\\s+([0-9]+)")
{
   t = new TIME();
   t->year = $6;
   t->mon = MonthFromName($1);
   t->mday = $2;
   t->hour = $3;
   t->min = $4;
   t->sec = $5;
   t->isdst = -1;
   return mktime(t);
}
else
{
   return 0; // error
}

sub MonthFromName(name)
{
   m = 0;
   for(n : %("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"))
   {
      if (n == name)
         return m;
      m++;
   }
   return 0;  // error
}


Alternatively you can use


   return mktime(t) - time();


to get the number of seconds until certificate expiration.

Best regards,
Victor
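
The procedure described in the post above (read the certificate's end date, convert it to a UNIX timestamp, subtract the current time), as an added Python example that is not part of the original thread or of NetXMS. The function names are assumptions; the connection uses an explicit timeout and does not rely on `openssl s_client`.

```python
#!/usr/bin/env python3
"""Seconds until a server's TLS certificate expires (added example)."""
import socket
import ssl
import sys
import time


def parse_not_after(text):
    """Convert 'Sep  2 21:57:24 2018 GMT' (optionally prefixed with
    'notAfter=', as printed by `openssl x509 -enddate`) to a UTC epoch."""
    text = text.strip()
    if text.startswith("notAfter="):
        text = text[len("notAfter="):]
    # The value is interpreted as GMT, independent of the local time zone.
    return ssl.cert_time_to_seconds(text)


def seconds_left(not_after, now=None):
    """Seconds until expiry; negative once the certificate has expired."""
    if now is None:
        now = time.time()
    return parse_not_after(not_after) - int(now)


def fetch_not_after(host, port=443, timeout=10):
    """Return the notAfter string of the certificate presented by host:port.

    The default context verifies the chain and host name, so a certificate
    that is already expired or otherwise invalid raises
    ssl.SSLCertVerificationError instead of returning a date."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: cert_expiry.py HOST")
    try:
        print(seconds_left(fetch_not_after(sys.argv[1])))
    except (ssl.SSLError, OSError) as exc:
        # Connection failure, timeout, or failed certificate verification.
        sys.exit("error: %s" % exc)
```
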
Title: Re: Monitoring SSL Certificate expiry.
Post by: Tursiops on June 21, 2018, 03:17:00 AM
Hi,

On Windows you can use PowerShell to parse the local certificate store to generate a list of certificates. Something like the below should give you a list of certificates in your local computer store and only return the most recent one for certificates with the same subject and issuer, so you don't alert if you leave old certificates on your system beyond expiry.
Get-Childitem -Path Cert:\LocalMachine\My -recurse|?{$_.Subject -match "CN=.*\..*"}|Group-Object -Property Subject,Issuer|%{ $_.Group | Sort-Object -Property NotAfter -Descending | Select -First 1}
You can use the output of the above to filter for only the type of certs you care about (e.g. you could remove certificates that were signed by a local CA or similar).
Once you have that list, you can use instance discovery to go through those certificates and pull the expiration date. Just be aware that you'll be getting the expiration date in US format, i.e. MM/DD/YYYY. There's probably a way around that, but my PowerShell is limited :).
Using a transform script, you should be able to check on age and alert for example if it's due to expire soon or if it has already expired. Sorry, don't have example code for that part.

Or are you after "Connect to website via https and tell me when the certificate expires", in which case you could probably use Nagios' check_http for that (you can configure and call that as an ExternalParameter on your NetXMS server). Again, we're not doing that, so don't have an example config.

Cheers
Title: Re: Monitoring SSL Certificate expiry.
Post by: Darren Leggett on June 22, 2018, 03:51:30 PM
Thanks for your responses.  I've tried using the OpenSSL suggestion from Victor but my NetXMS server is running on Windows.  When I tried to run the s_client command it runs but does not exit for about a minute.  Any ideas how I can avoid this long delay?
Title: Re: Monitoring SSL Certificate expiry.
Post by: hsvt on June 04, 2021, 12:18:20 PM
Quote from: Darren Leggett on June 22, 2018, 03:51:30 PM
Thanks for your responses.  I've tried using the OpenSSL suggestion from Victor but my NetXMS server is running on Windows.  When I tried to run the s_client command it runs but does not exit for about a minute.  Any ideas how I can avoid this long delay?

echo | openssl s_client -showcerts -servername netxms.org -connect netxms.org:443 2>/dev/null | openssl x509 -noout -enddate | cut -d = -f 2