A few days ago an old certificate expired, and the boss gave me a serious dressing-down. Still, better late than never: mend the fold after the sheep has run off.
I used to do this with the Nagios plugin check_http; the company now uses Zabbix, so I read up on it online and am sharing the result here. The Zabbix script in particular is very nicely written and deserves a close look.
Nagios:
p1 – command –
./libexec/check_http --ssl -I xx.xx.xx.xx -H i.host.com -p 443 -u / -C 30   # (alert when the certificate expires in fewer than 30 days)
--ssl, Connect via SSL
-H, --hostname=ADDRESS
-I, --IP-address=ADDRESS
-u, --url=PATH
-C, --certificate=INTEGER
p2 – checkcommands.cfg –
# Service : 'check_https_cert'
define command {
    command_name    check_https_cert
    command_line    $USER1$/check_http --ssl -I $ARG1$ -H $ARG2$ -u $ARG3$ -C 30
}
p3 – services.cfg –
# Service : 'SSL Certificate'
define service {
    use                 not-so-critical-service
    host_name           i1.host
    service_description Mon SSL Cert
    contact_groups      dc-c1
    check_command       check_https_cert!xx.xx.xx.xx!i.host.com!/
}
Zabbix:
SSL certificate check
Description
This extension monitors the number of remaining days of validity of an SSL certificate.
It includes a template with:
  one item
    SSL certificate validity: number of remaining days
  six triggers
    SSL certificate expires in less than 90 days: Not classified severity level
    SSL certificate expires in less than 60 days: Information severity level
    SSL certificate expires in less than 30 days: Warning severity level
    SSL certificate expires in less than 15 days: Average severity level
    SSL certificate expires in less than 7 days: High severity level
    SSL certificate expired: Disaster severity level
  one macro
    {$SSL_PORT}: service port number (set to 443 in template)
zext_ssl_cert.sh external script is used by «SSL certificate validity» item.
Installation
Zabbix server
zext_ssl_cert.sh (latest version) must be installed in Zabbix external scripts directory (/etc/zabbix/externalscripts by default).
Template_zext_ssl_cert.xml template (latest version) must be imported in Zabbix host templates.
Configuration
Linking Template_zext_ssl_cert to a host adds an HTTPS (port 443) SSL certificate check.
If it is used to check a service other than HTTPS, {$SSL_PORT} has to be set to the corresponding port in the host configuration.
#! /bin/sh
host=$1
port=$2
end_date=`openssl s_client -host $host -port $port -showcerts </dev/null 2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERT/p' | openssl x509 -text 2>/dev/null | sed -n 's/ *Not After : *//p'`
# openssl retrieves and verifies the SSL certificate.
# </dev/null redirects standard input so the interactive program does not hang: a read from /dev/null returns 0 bytes (EOF) immediately.
# sed -n together with p prints only the matching part; //,// matches a range of lines.
# openssl x509 -text decodes the certificate, including its validity period.
if [ -n "$end_date" ]
then
    end_date_seconds=`date '+%s' --date "$end_date"`   # date parses the string into a time and formats it as epoch seconds.
    now_seconds=`date '+%s'`
    echo "($end_date_seconds-$now_seconds)/24/3600" | bc
fi
Beautiful.
2 Comments
This is easy to overlook, but it really matters :)
There are two small things that could be improved.
echo "HOST: test.com /r/n GET / HTTP/1.1" | openssl s_client -connect test.com:443 - this speeds things up, because openssl s_client only takes care of the connection; what follows is the request content, and if nothing is sent it just waits until the timeout, which takes a long time.
Add the -servername parameter to enable TLS SNI support, so you can check the case where one IP serves several certificates.
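The following is an added example, not the zext_ssl_cert.sh script from the extension or the commenter's code. It takes the script above and the -servername suggestion from the comment and turns them into a small, testable check: the remaining days are computed by a function that can be called with a fixed "now", the leaf certificate is fetched with SNI via -connect, and a connection that yields no certificate produces an explicit error instead of an empty value (an empty item value would leave Zabbix believing the check simply had nothing to say). Function names (not_after_to_epoch, days_until_epoch, pem_days_left, check_cert) are my own; the example assumes GNU date (for --date) and an openssl binary on the path.

```sh
#!/bin/sh
# Added example (not the extension's code). Assumes GNU date and openssl.

# Convert the text after "notAfter=" (e.g. "Jan  1 00:00:00 2030 GMT") into epoch seconds.
not_after_to_epoch() {
    date --date "$1" '+%s'
}

# Whole days between a "now" epoch and an expiry epoch; negative once the
# certificate has expired. $2 defaults to the current time; passing it
# explicitly keeps the arithmetic testable without a live clock.
# Expired certificates are floored rather than truncated toward zero, so a
# certificate that expired one hour ago reports -1, not 0.
days_until_epoch() {
    end=$1
    now=${2:-$(date '+%s')}
    if [ "$end" -lt "$now" ]; then
        echo $(( (end - now - 86399) / 86400 ))
    else
        echo $(( (end - now) / 86400 ))
    fi
}

# Days of validity left in a PEM certificate read from stdin.
# Returns 1 (and prints nothing) when stdin does not contain a parseable certificate.
pem_days_left() {
    not_after=$(openssl x509 -noout -enddate 2>/dev/null | sed -n 's/^notAfter=//p')
    [ -n "$not_after" ] || return 1
    days_until_epoch "$(not_after_to_epoch "$not_after")"
}

# Fetch the leaf certificate of host:port, sending the host name as SNI so a
# server with several certificates behind one IP hands back the right one,
# and report the remaining days. Exits non-zero with a message on stderr when
# no certificate could be retrieved, so a connection failure is never
# mistaken for a valid reading.
check_cert() {
    host=$1
    port=${2:-443}
    days=$(openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
        | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' \
        | pem_days_left) || {
        echo "ERROR: could not retrieve a certificate from $host:$port" >&2
        return 1
    }
    echo "$days"
}

# Usage: sh check_cert.sh host [port]
if [ -n "${1:-}" ]; then
    check_cert "$@"
fi
```

The stdin redirection from /dev/null is kept from the original: s_client exits as soon as it hits EOF on stdin after the handshake, so no HTTP request needs to be sent for the check to return promptly. When wiring this into Zabbix, the non-zero exit on failure is what lets the item go unsupported instead of silently reporting nothing.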