The guys at prefetch.net already wrote a script for checking whether an SSL certificate is still valid: http://prefetch.net/code/ssl-cert-check
The only challenge now is to integrate the script into the monitoring tool Nagios. In this case we used SuSE Linux Enterprise Server 11 and Nagios version 3.0.6.
To get the little boxes in Nagios green, yellow and red (= Nagios' return values) and to receive e-mails in case of an expiration, you have to change these 2 parameters in the ssl-cert-check file:
    NAGIOS=TRUE
    ALARM=TRUE
To match the usual form of Nagios plugin names, we renamed the file to check_ssl-cert and then moved it to /usr/lib/nagios/plugins, where the rest of the plugins are.
For Nagios to recognize the plugin it has to be defined in /etc/nagios/objects/commands.cfg (NOT /etc/nagios/commands.cfg):
    define command {
        command_name    check_ssl-cert
        command_line    /usr/lib/nagios/plugins/check_ssl-cert -s $HOSTADDRESS$ -p 443 -e $ARG1$
    }
The port is usually the same for the same service. If it is not port 443 for every server, you can also pass the port as the second parameter in the next step. In that case the command line has to use -p $ARG2$ instead of -p 443.
You now have to add the configuration of the plugin in /etc/nagios/conf.d/services.cfg. In this case, the hostgroup "all" is selected, but if you have different hostgroups, the admin who has to get the e-mail might be different. The parameters go after the exclamation mark; comments begin with a semicolon.
    define service {
        hostgroup_name          all
        service_description     ssl-certs
        check_command           check_ssl-cert!mail@example.org
        use                     generic-service
        notification_interval   0 ; set > 0 if you want to be renotified
    }
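The green, yellow and red states mentioned above come from the exit code a plugin hands back to Nagios. The following is an added example, not code from ssl-cert-check or from the original post: it maps a certificate end date to that exit code, assuming GNU date, a 30-day warning window and the hypothetical function name cert_status.

```shell
#!/bin/sh
# Added example: turn a certificate end date into a Nagios plugin result.
# Nagios plugin exit codes: 0 = OK, 1 = WARNING, 2 = CRITICAL, 3 = UNKNOWN.

# cert_status NOT_AFTER NOW_EPOCH [WARN_DAYS]
#   NOT_AFTER  end date as printed by `openssl x509 -noout -enddate`
#              (the "notAfter=" prefix is optional)
#   NOW_EPOCH  current time in seconds since the epoch
#   WARN_DAYS  warning window in days (30 is an assumed default)
# Prints one status line and returns the matching Nagios exit code.
cert_status() {
    not_after=${1#notAfter=}
    now=$2
    warn_days=${3:-30}

    # GNU date is assumed for parsing the textual date with -d.
    # An empty string is rejected explicitly, because date -d "" succeeds.
    if [ -z "$not_after" ] || ! expiry=$(date -u -d "$not_after" +%s 2>/dev/null); then
        echo "SSL-CERT UNKNOWN - cannot parse end date '$not_after'"
        return 3
    fi

    if [ "$expiry" -le "$now" ]; then
        echo "SSL-CERT CRITICAL - certificate expired on $not_after"
        return 2
    fi

    days_left=$(( (expiry - now) / 86400 ))
    if [ "$days_left" -lt "$warn_days" ]; then
        echo "SSL-CERT WARNING - $days_left days left, expires $not_after"
        return 1
    fi

    echo "SSL-CERT OK - $days_left days left, expires $not_after"
    return 0
}

# Constructed sample dates, checked against a fixed "now" (2023-11-14 UTC)
# so the result is reproducible. In a real check, pass "$(date +%s)".
for sample in "notAfter=Jun  1 12:00:00 2030 GMT" \
              "notAfter=Nov 24 22:13:20 2023 GMT" \
              "notAfter=Jan  1 00:00:00 2020 GMT"; do
    rc=0
    cert_status "$sample" 1700000000 30 || rc=$?
    echo "  -> exit code $rc"
done
```

Against a real PEM file (cert.pem is a placeholder name), the call would be `cert_status "$(openssl x509 -noout -enddate -in cert.pem)" "$(date +%s)"`, with the script exiting with the function's return code.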
If an ssl-cert is expired, it looks like this:
Credits go to Alex and the other guys at the CentOS mailing list: