Monitoring SSL Certificate expiry.

Started by Darren Leggett, June 20, 2018, 04:14:08 PM


Darren Leggett

Is there any way using NetXMS to monitor how long an SSL certificate has before it will expire?

Victor Kirhenshtein

Hi,

Where is this certificate located? If it is a web site certificate or a file on the file system, you can use the openssl command line tool to extract it (and run it as an ExternalParameter in the NetXMS agent). For example, the following external parameter will extract the certificate validity date for a given web site:


ExternalParameterShellExec = HTTPS.CertificateExpireDate(*):echo | openssl s_client -showcerts -servername $1 -connect $1:443 2>/dev/null | openssl x509 -inform pem -noout -enddate | cut -d = -f 2


Requesting it as

HTTPS.CertificateExpireDate(netxms.org)

will return

Sep  2 21:57:24 2018 GMT

Then you can use an NXSL transformation script to convert it to a UNIX timestamp:


if ($1 match "^\\s*([A-Za-z]+)\\s+([0-9]+)\\s+([0-9]+):([0-9]+):([0-9]+)\\s+([0-9]+)")
{
   t = new TIME();
   t->year = $6;
   t->mon = MonthFromName($1);
   t->mday = $2;
   t->hour = $3;
   t->min = $4;
   t->sec = $5;
   t->isdst = -1;
   return mktime(t);
}
else
{
   return 0; // error
}

sub MonthFromName(name)
{
   m = 0;
   for(n : %("Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"))
   {
      if (n == name)
         return m;
      m++;
   }
   return 0;  // error
}


Alternatively you can use


   return mktime(t) - time();


to get the number of seconds until certificate expiration.

Best regards,
Victor

Tursiops

Hi,

On Windows you can use PowerShell to parse the local certificate store to generate a list of certificates. Something like the below should give you a list of certificates in your local computer store and only return the most recent one for certificates with the same subject and issuer, so you don't alert if you leave old certificates on your system beyond expiry.

Get-ChildItem -Path Cert:\LocalMachine\My -Recurse | ?{ $_.Subject -match "CN=.*\..*" } | Group-Object -Property Subject,Issuer | %{ $_.Group | Sort-Object -Property NotAfter -Descending | Select -First 1 }

You can use the output of the above to filter for only the type of certs you care about (e.g. you could remove certificates that were signed by a local CA or similar).
Once you have that list, you can use instance discovery to go through those certificates and pull the expiration date. Just be aware that you'll be getting the expiration date in US format, i.e. MM/DD/YYYY. There's probably a way around that, but my PowerShell is limited :).
Using a transform script, you should be able to check on age and alert, for example, if it's due to expire soon or if it has already expired. Sorry, I don't have example code for that part.

Or are you after "Connect to website via https and tell me when the certificate expires", in which case you could probably use Nagios' check_http for that (you can configure and call that as an ExternalParameter on your NetXMS server). Again, we're not doing that, so don't have an example config.

Cheers

Darren Leggett

Thanks for your responses. I've tried using the OpenSSL suggestion from Victor but my NetXMS server is running on Windows. When I tried to run the s_client command it runs but does not exit for about a minute. Any ideas how I can avoid this long delay?

hsvt

Quote from: Darren Leggett on June 22, 2018, 03:51:30 PM
Thanks for your responses. I've tried using the OpenSSL suggestion from Victor but my NetXMS server is running on Windows. When I tried to run the s_client command it runs but does not exit for about a minute. Any ideas how I can avoid this long delay?

echo | openssl s_client -showcerts -servername netxms.org -connect netxms.org:443 2>/dev/null | openssl x509 -noout -enddate | cut -d = -f 2
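
The same check as a portable script, as an added example that is not part of the original thread or of NetXMS: it reads the server certificate's notAfter date over TLS with a bounded timeout and prints the number of seconds until expiry, the value the NXSL transformation above computes. It assumes Python 3 is installed on the host running the agent; the function names are hypothetical.

```python
import socket
import ssl
import sys
import time


def enddate_to_epoch(enddate):
    """Convert 'Sep  2 21:57:24 2018 GMT' (optionally prefixed with
    'notAfter=', as printed by `openssl x509 -enddate`) to a UNIX timestamp."""
    text = enddate.strip()
    if "=" in text:
        text = text.split("=", 1)[1].strip()
    # Raises ValueError if the date is not in the expected format.
    return ssl.cert_time_to_seconds(text)


def seconds_left(enddate, now=None):
    """Seconds until expiry; negative if the date is already in the past."""
    now = time.time() if now is None else now
    return int(enddate_to_epoch(enddate) - now)


def fetch_enddate(host, port=443, timeout=10.0):
    """Return the notAfter string of the certificate presented by host:port.
    The socket timeout bounds both the TCP connect and the TLS handshake,
    so the check cannot hang waiting on stdin or on an idle connection.
    The default context verifies the chain and hostname, so an expired or
    untrusted certificate raises ssl.SSLError instead of returning a date."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: cert_seconds_left.py HOST [PORT]")
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    try:
        print(seconds_left(fetch_enddate(sys.argv[1], port)))
    except (OSError, ValueError) as exc:  # SSLError and timeouts are OSError
        print("check failed: %s" % exc, file=sys.stderr)
        sys.exit(1)
```

A non-zero exit with no value on stdout means the check itself failed (connection error, timeout, or a certificate that no longer validates), which should be alerted on separately from a low seconds-remaining value.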