SSL certificate expiration date for a site or domain
Posted by danielJan 4
When will the SSL certificate for a site expire or in how many days will an SSL certificate expire?
If you are a system administrator, at least once in your career you might have worked with managing SSL certificates as well as making sure that SSL certificates are renewed before they expire. I have seen Linux admins using Nagios to monitor SSL certificates and get notified a few days before expiry and in some cases admins setup a cron job which polls the sites to be monitored and send out an email if any of the certs for a site are going to expire soon.
Googling for information on how to check SSL certificate expiration for a site might return results like this one on openssl s_client.
My favorite tool for getting certificate expiry is the Nagios plugin utility – check_http. The check_http script displays the exact date/time the SSL certificate for a given site expires as well as how many days are left before expiry.
Installation –
apt-get install nagios-plugins yum install nagios-plugins-all
In my system, the plugins were installed under /usr/lib/nagios/plugins directory –
root@linubuvma:/usr/lib/nagios/plugins# cat /etc/issue Ubuntu 14.04.5 LTS \n \l root@linubuvma:/usr/lib/nagios/plugins# pwd /usr/lib/nagios/plugins root@linubuvma:/usr/lib/nagios/plugins# ls check_apt check_dbi check_dns check_host check_ifoperstatus check_ldap check_mrtg check_nntp check_ntp_time check_ping check_rta_multi check_spop check_time negate check_breeze check_dhcp check_dummy check_hpjd check_ifstatus check_ldaps check_mrtgtraf check_nntps check_nwstat check_pop check_sensors check_ssh check_udp urlize check_by_ssh check_dig check_file_age check_http check_imap check_load check_mysql check_nt check_oracle check_procs check_simap check_ssmtp check_ups utils.pm check_clamd check_disk check_flexlm check_icmp check_ircd check_log check_mysql_query check_ntp check_overcr check_real check_smtp check_swap check_users utils.sh check_cluster check_disk_smb check_ftp check_ide_smart check_jabber check_mailq check_nagios check_ntp_peer check_pgsql check_rpc check_snmp check_tcp check_wave
How to get the expiry information?
The -C option of check_http is what we are looking for. The help page for check_http explains the -C option as below –
-C, --certificate=INTEGER
Minimum number of days a certificate has to be valid. Port defaults to 443
(when this option is used the URL is not checked.)
Let us test it if any of the sites below have certificates which expire in the coming 30 days –
root@linubuvma:/usr/lib/nagios/plugins# ./check_http -t 60 -H yahoo.com -C 30 OK - Certificate 'www.yahoo.com' will expire on 10/30/2017 23:59. root@linubuvma:/usr/lib/nagios/plugins# ./check_http -t 60 -H gmail.com -C 30 OK - Certificate 'mail.google.com' will expire on 03/09/2017 13:34. root@linubuvma:/usr/lib/nagios/plugins# ./check_http -t 60 -H linuxfreelancer.com -C 30 OK - Certificate 'linuxfreelancer.com' will expire on 08/12/2017 03:01.
In order for check_http to show us how many days are left before the SSL certificate expires, we give it a much longer number of days (-C) –
root@linubuvma:/usr/lib/nagios/plugins# ./check_http -t 60 -H yahoo.com -C 1000 WARNING - Certificate 'www.yahoo.com' expires in 298 day(s) (10/30/2017 23:59). root@linubuvma:/usr/lib/nagios/plugins# ./check_http -t 60 -H gmail.com -C 1000 WARNING - Certificate 'mail.google.com' expires in 63 day(s) (03/09/2017 13:34). root@linubuvma:/usr/lib/nagios/plugins# ./check_http -t 60 -H linuxfreelancer.com -C 1000 WARNING - Certificate 'linuxfreelancer.com' expires in 219 day(s) (08/12/2017 03:01).
If the output doesn’t show the number of days left or the status is ‘OK’, keep on increasing the number of days. The ‘-t’ option is the connection timeout in seconds. In addition to running it interactively, check_http is very useful for scripting as well as automated monitoring.
No comments
You must be logged in to post a comment.