
Tuesday Tip: Monitoring Server Certificate Expiration with the Logmon Probe

Discussion created by Shawn_Walsh Employee on Sep 12, 2017
Latest reply on Feb 8, 2018 by Greenones

Good day everyone, I thought this tip might help some of you.  

Using the logmon probe and a shell script, you can alarm on server certificate expiration if it is coming up soon.

This example uses:

UIM 8.5.1

logmon probe version 3.90 on a Linux robot.

1- Shell script to check server certificate expiration

First, create a shell script to check the server certificates. Here is a SAMPLE script I am offering; you will need to customize it to suit your needs. Pay attention to the variables "servers_to_check" (one host:port per line) and "warn_exp_days", and modify them as appropriate for your environment.

#!/bin/sh

# Sample script to check for cert expirations offered by CA Support
# with no guarantees or maintenance.

# logmon in "command" mode parses this script's standard output, so DEBUG
# must stay true for the watcher rule to see the "soon to expire" lines.
# The logger calls additionally record each finding in syslog (local6).
DEBUG=true
# Number of days to warn about soon-to-expire certs
warn_exp_days=90
# Hosts to check, one host:port per line
servers_to_check='google.com:443
yahoo.com:443
ca.com:443'

for CERT in $servers_to_check
do
    $DEBUG && echo "Checking cert: [$CERT]"
    # Host name without the port, sent as SNI so a server hosting several
    # names returns the certificate for this one rather than its default
    host=${CERT%%:*}

    # Fetch the server certificate and print its subject and validity dates.
    # The exit status is that of the last command in the pipeline (openssl x509),
    # which fails when no certificate came back from the server.
    output=$(echo | openssl s_client -connect "$CERT" -servername "$host" 2>/dev/null |
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
        openssl x509 -noout -subject -dates 2>/dev/null)

    if [ "$?" -ne 0 ]; then
        $DEBUG && echo "Error connecting to host for cert [$CERT]"
        logger -p local6.warn "Error connecting to host for cert [$CERT]"
        continue
    fi

    # openssl prints one "notBefore=..." and one "notAfter=..." line;
    # keep only the value after the "=" on each
    start_dt=$(printf '%s\n' "$output" | sed -n 's/^notBefore=//p')
    end_dt=$(printf '%s\n' "$output" | sed -n 's/^notAfter=//p')

    # GNU date (Linux) understands openssl's "Sep 12 23:59:59 2017 GMT" format
    start_epoch=$(date +%s -d "$start_dt")
    end_epoch=$(date +%s -d "$end_dt")

    epochNow=$(date +%s)

    if [ "$start_epoch" -gt "$epochNow" ]; then
        $DEBUG && echo "Certificate for [$CERT] is not yet valid"
        logger -p local6.warn "Certificate for $CERT is not yet valid"
    fi

    secs_to_exp=$((end_epoch - epochNow))
    days_to_exp=$((secs_to_exp / 86400))

    $DEBUG && echo "Days to expiry: ($days_to_exp)"

    warn_secs=$((86400 * warn_exp_days))

    # An already-expired certificate gives a negative value and is reported
    # with the same message, so the watcher rule must accept a leading "-"
    if [ "$secs_to_exp" -lt "$warn_secs" ]; then
        $DEBUG && echo "Cert [$CERT] is soon to expire ($secs_to_exp seconds)"
        logger -p local6.warn "Cert [$CERT] is soon to expire ($secs_to_exp seconds)"
    fi
done

Save the script and make it executable (chmod 755 test.sh).

Note the path to the script. In this example: /opt/nimsoft/sample/scripts/test.sh

2- Deploy the logmon probe to the same Linux robot.

Using the IM console, create a new profile for the logmon probe.
The "mode" for the profile should be "command".
The command should be the full path to the shell script above (here /opt/nimsoft/sample/scripts/test.sh). In command mode logmon scans the command's standard output, which is why the script's DEBUG echo lines must stay enabled.

Check off "generate alarm" on the "General" tab.

Set it to run every 24 or 48 hours.

3- Navigate to the Watcher Rules tab.

Use a Matcher Rule like the following:
Match Expression:
Cert \[[A-Za-z0-9.-]*:[0-9]*\] is soon to expire \(-?[0-9]* seconds\)

The expression matches the "Cert [...] is soon to expire (...)" line the script writes to standard output; the optional minus sign lets an already-expired certificate (a negative number of seconds) raise the alarm as well.

Message to Send on Match:
Cert Expiration Soon: ${scriptMessage}

4- Create a variable for the script message.

On the Variables tab, create a new variable called: "scriptMessage" 

with "text block" checked.

Save and restart the probe.
You should now see alarms for any server certificate that is due to expire within the next 90 days (the warn_exp_days value in the script).
I would advise running the script manually a few times to make sure it works in your environment.
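Along with running the script manually, it is worth dry-running the watcher rule against the script's output before saving the profile, because a rule that never matches produces no alarm and no error. The script below is an added example, not part of the original post: it uses grep -E as a stand-in for logmon's matcher, and the host names and second counts in SAMPLE_OUTPUT are constructed sample data shaped like the check script's stdout. It also compares the rule with and without the optional minus sign to show that, without it, an already-expired certificate would go unreported.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run the logmon watcher rule
# against constructed script output. grep -E stands in for logmon's matcher;
# all host names and numbers below are constructed sample data.

# The match expression from the watcher rule. The optional "-" lets a
# certificate that has already expired (negative seconds) alarm too.
MATCH_EXPR='Cert \[[A-Za-z0-9.-]*:[0-9]*\] is soon to expire \(-?[0-9]* seconds\)'

# The same rule without the optional minus sign, for comparison.
MATCH_EXPR_NO_NEG='Cert \[[A-Za-z0-9.-]*:[0-9]*\] is soon to expire \([0-9]* seconds\)'

# Constructed sample of what the check script prints to stdout in one run:
# one healthy host, one expiring soon, one already expired, one unreachable.
SAMPLE_OUTPUT='Checking cert: [www.example.com:443]
Days to expiry: (300)
Checking cert: [intranet-01.example.com:8443]
Days to expiry: (12)
Cert [intranet-01.example.com:8443] is soon to expire (1036800 seconds)
Checking cert: [old.example.com:443]
Days to expiry: (-3)
Cert [old.example.com:443] is soon to expire (-259200 seconds)
Error connecting to host for cert [down.example.com:443]'

# Print the sample lines a rule with the given expression would alarm on.
matching_lines() {
    printf '%s\n' "$SAMPLE_OUTPUT" | grep -E "$1"
}

# Number of alarms the rule with the given expression would raise.
count_matches() {
    matching_lines "$1" | grep -c .
}

# Usage: show the two rules side by side.
echo "Lines alarmed on with the -? rule:"
matching_lines "$MATCH_EXPR"
echo "Alarm count with -? : $(count_matches "$MATCH_EXPR")"
echo "Alarm count without -? : $(count_matches "$MATCH_EXPR_NO_NEG")"
```

The host with the hyphen and digits in its name only matches because the character class accepts them; a class limited to lowercase letters and dots would silently skip such hosts, so run your own host list through this check after editing the rule.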
