监控SSL证书过期 Monitor SSL certificate expirytaoCMS-基于php+sqlite最小巧的CMS

taoCMS是基于php+sqlite/mysql的国内最小（100Kb左右）的功能完善的CMS管理系统

首页

技术文章

taoCMS发布

taoCMS模板

taoCMS模块

«tcpdump抓包dns请求报错bad udp cksum的解决办法

网易视频云技术之视频预处理技术 »

监控SSL证书过期 Monitor SSL certificate expiry

2016-12-12

前几天有个老的证书过期，被BOSS狠狠的D了一顿。虽亡羊补牢，仍为时不晚。
之前是用Nagios插件check_http干这样的事情，现在公司用的zabbix。所以网上学习了一把，和大家分享下；特别是Zabbix的那段代码写的贼好，一定要赏析。

Nagios：
p1–command–
./libexec/check_http --ssl -I xx.xx.xx.xx -H i.host.com -p 443 -u / -C 30 #（过期时间小于30天告警） --ssl, Connect via SSL -H, --IP-address=ADDRESS -I, --IP-address=ADDRESS -u --url=PATH -c, --critical=DOUBLE

p2–checkcommands.cfg –

# Service : 'check_https_cert' define command { command_name check_https_cert command_line $USER1$/check_http --ssl -I $ARG1$ -H $ARG2$ -u $ARG3$ -C 30 }

p3–services.cfg–
# Service : 'SSL Certificate' define service { use not-so-critical-service host_name i1.host service_description Mon SSL Cert contact_groups dc-c1 check_command check_https_cert!xx.xx.xx.xx!i.host.com!/ }

Zabbix:

SSL certificate check
Description

This extension monitors the number of remaining days of validity of an SSL certificate.
It includes a template with:

one item
SSL certificate validity: number of remaining days
six triggers
SSL certificate expires in less than 90 days: Not classified severity level
SSL certificate expires in less than 60 days: Information severity level
SSL certificate expires in less than 30 days: Warning severity level
SSL certificate expires in less than 15 days: Average severity level
SSL certificate expires in less than 7 days: High severity level
SSL certificate expired: Disaster severity level
one macro
{$SSL_PORT}: service port number (set to 443 in template)

zext_ssl_cert.sh external script is used by «SSL certificate validity» item.
Installation
Zabbix server

zext_ssl_cert.sh (latest version) must be installed in Zabbix external scripts directory (/etc/zabbix/externalscripts by default).

Template_zext_ssl_cert.xml template (latest version) must be imported in Zabbix host templates.
Configuration

Linking Template_zext_ssl_cert to an host adds HTTPS (port 443) SSL certificate check.
If it is used to check a service other than HTTPS, {$SSL_PORT} has to be defined to corresponding port in host configuration.

–解读下shell脚本这段–

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
#! /bin/sh
 
host=$1
port=$2
end_date=`openssl s_client -host $host -port $port -showcerts </dev/null 2>/dev/null |
          sed -n '/BEGIN CERTIFICATE/,/END CERT/p' |
      openssl x509 -text 2>/dev/null |
      sed -n 's/ *Not After : *//p'`
# openssl 检验和验证SSL证书。
# </dev/null 定向标准输入，防止交互式程序Hang。从/dev/null 读时，直接读出0 。
# sed -n 和p 一起使用，仅显示匹配到的部分。 //,// 区间匹配。
# openssl x509 -text 解码证书信息，包含证书的有效期。
 
if [ -n "$end_date" ]
then
    end_date_seconds=`date '+%s' --date "$end_date"`
# date指令format字符串时间。
    now_seconds=`date '+%s'`
    echo "($end_date_seconds-$now_seconds)/24/3600" | bc
fi