Saturday, 8 June 2019

How to Monitor SSL Certificate Expiry With Nagios



The Nagios plugin “check_http” provides SSL certificate monitoring: it checks certificate expiration dates, and Nagios generates alerts when SSL certificates near their expiration date, so the certificates can be renewed before problems occur.
Most of the Nagios plugins are available in the EPEL repository (Extra Packages for Enterprise Linux) for CentOS 7 and RHEL.

Nagios Server: CentOS/RHEL 6 (Compiled Nagios core installed)
Nagios client OS: CentOS/RHEL 7 (NRPE agent installed by Yum)

Step 1: Set up the EPEL repository and install the “check_http” Nagios plugin: Follow the tutorial How to install EPEL repository on Centos7, then run the following command to install the check_http Nagios plugin if it is not already installed.


[root@linuxcnf-client ~]# yum install nagios-plugins-http
Loaded plugins: changelog, fastestmirror
……
Installed:
  nagios-plugins-http.x86_64 0:2.2.1-9git5c7eb5b9.el7

Complete!
[root@linuxcnf-client ~]#

Step 2: Configure NRPE: Add the line below to the NRPE configuration file (/etc/nagios/nrpe.cfg) and replace the site name with your SSL-configured site:

[root@linuxcnf-client ~]# vi /etc/nagios/nrpe.cfg
……
command[check_ssl_linuxcnf]=/usr/lib64/nagios/plugins/check_http -H www.linuxcnf.com -S --sni -C 30,14
[root@linuxcnf-client ~]#

Step 3: Run the following command to verify that the check works:

[root@linuxcnf-client ~]# /usr/lib64/nagios/plugins/check_http -H www.linuxcnf.com -S --sni -C 30,14
SSL OK - Certificate 'www.linuxcnf.com' will expire in 72 days on 2019-08-20 16:43 +0530/IST.
[root@linuxcnf-client ~]#

Step 4: Restart the NRPE service: Run the following command to restart the NRPE service:

[root@linuxcnf-client ~]# service nrpe restart
Redirecting to /bin/systemctl restart nrpe.service
[root@linuxcnf-client ~]#

Step 5: Integrate the command in the Nagios server: Add the service definition below to the host configuration file and define the host configuration (assuming that the server is already integrated in the Nagios server and the check command is defined).

define service {
        use                        generic-service
        host_name               <Server_Hostname>
        contacts                  nagiosadmin
        service_description     www.linuxcnf.com  SSL Check
        check_command        check_nrpe!check_ssl_linuxcnf
}
  
Step 6: Pre-flight check and reload the Nagios service: Run the following command to check the configuration syntax:

[root@linuxcnf-server ~]# /usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg
……
Total Warnings: 0
Total Errors:   0

Things look okay - No serious problems were detected during the pre-flight check
[root@linuxcnf-server ~]#

In the above output, no errors were detected during the pre-flight check, so the Nagios service can be reloaded:

[root@linuxcnf-server ~]# service nagios reload
Reloading nagios configuration (via systemctl):            [  OK  ]
[root@linuxcnf-server ~]#

It’s done. Now check the SSL certificate expiry status on the Nagios console. Nagios will also generate alerts [warning, critical] when SSL certificates near their expiration date.
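To cross-check what the plugin reports in Step 3, the same expiry test can be reproduced with openssl. This is an added example, not part of the original post or of Nagios: the function names are hypothetical, and the rule that a value at or below a threshold trips it is this example's assumption about how the `30,14` pair (warning, critical, in days) is applied.

```bash
#!/bin/bash
# Added example: independent cross-check of "check_http -S --sni -C 30,14"
# using openssl. Function names are hypothetical, not part of Nagios.

# Whole days from epoch $1 (now) to epoch $2 (notAfter), rounded down,
# so a certificate that expired an hour ago yields -1, not 0.
days_between() {
    local diff=$(( $2 - $1 ))
    if [ "$diff" -ge 0 ]; then
        echo $(( diff / 86400 ))
    else
        echo $(( (diff - 86399) / 86400 ))
    fi
}

# Map days left to a Nagios state for a "warn,crit" pair as given to -C.
# Echoes the state name; the return code is the plugin exit code
# (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN).
# Assumption: a value at or below a threshold trips it.
classify_expiry() {
    local days="$1" warn crit
    case "$2" in
        *[!0-9,]*|*,*,*|,*|*,) echo UNKNOWN; return 3 ;;
        *,*) warn=${2%%,*}; crit=${2##*,} ;;
        *) echo UNKNOWN; return 3 ;;
    esac
    if [ "$days" -le "$crit" ]; then echo CRITICAL; return 2; fi
    if [ "$days" -le "$warn" ]; then echo WARNING; return 1; fi
    echo OK; return 0
}

# Fetch the served certificate with SNI and classify it (needs network,
# openssl and GNU date). Usage: check_cert_expiry www.linuxcnf.com 30,14
check_cert_expiry() {
    local host="$1" pair="${2:-30,14}" end_str end days
    end_str=$(openssl s_client -connect "$host:443" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null |
        cut -d= -f2)
    [ -n "$end_str" ] || { echo "UNKNOWN - no certificate from $host"; return 3; }
    end=$(date -u -d "$end_str" +%s) || { echo "UNKNOWN - bad date"; return 3; }
    days=$(days_between "$(date -u +%s)" "$end")
    echo "$(classify_expiry "$days" "$pair") - $host: $days days left ($end_str)"
    classify_expiry "$days" "$pair" >/dev/null
}
```

Source the file and run `check_cert_expiry` against the monitored site; if its state disagrees with the Nagios console, compare the certificate each check actually received (SNI name, port) before adjusting thresholds.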
