Raymii.org
Nagios plugin to check CRL expiry in minutes
Published: 02-05-2013 | Author: Remy van Elst | Text only version of this article
❗ This post is over eleven years old. It may no longer be up to date. Opinions may have changed.
This is a nagios plugin which you can use to check whether a CRL (Certificate Revocation List, a public list of revoked certificates) is still valid. It is based on the check_crl.py plugin from Michele Baldessari. I modified it so that it checks the time in minutes (for more precision) instead of days, fixed a GMT time comparison bug, and added error handling so that if the plugin cannot get a CRL file (because the webserver is down) it gives a Critical error in nagios.
Download
Download the plugin from my github
Download the plugin from raymii.org
Install and Usage
This guide covers the steps needed for Ubuntu 10.04/12.04 and Debian 6. It should also work on other distros, but make sure to modify the commands where needed.
Make sure you have openssl, python3 and a module needed by the script installed on the nagios host:
apt-get install python3 openssl python-m2crypto
Now place the script on the host. I've placed it in /etc/nagios/plugins/check_crl.py.
wget -O /etc/nagios/plugins/check_crl.py http://raymii.org/s/inc/downloads/check_crl.py
Make sure the script is executable:
chmod +x /etc/nagios/plugins/check_crl.py
Now test the script. I'm using the URL of the CRL file of Comodo CA, the CA that signed my certificate for raymii.org.
/etc/nagios/plugins/check_crl.py -u http://crl.comodoca.com/PositiveSSLCA2.crl -w 480 -c 360
OK CRL Expires in 5109 minutes (on Thu May 9 07:30:32 2013 GMT)
/etc/nagios/plugins/check_crl.py -u http://crl.comodoca.com/PositiveSSLCA2.crl -w 5200 -c 360
WARNING CRL Expires in 5108 minutes (on Thu May 9 07:30:32 2013 GMT)
/etc/nagios/plugins/check_crl.py -u http://crl.comodoca.com/PositiveSSLCA2.crl -w 5000 -c 5300
CRITICAL CRL Expires in 5108 minutes (on Thu May 9 07:30:32 2013 GMT)
Let's add the nagios command:
define command{
command_name crl_check
command_line /etc/nagios/plugins/check_crl.py -u $ARG1$ -w $ARG2$ -c $ARG3$
}
And let's add the command to a service check:
define service {
use generic-service
host_name localhost
service_description Comodo PositiveSSL CA2 CRL
contact nagiosadmin
check_command crl_check!http://crl.comodoca.com/PositiveSSLCA2.crl!24!12
}
The above service check runs on the nagios-defined host "localhost", uses the (default) service template "generic-service" and has the contact "nagiosadmin". As you can see, the URL maps to $ARG1$, the warning hours to $ARG2$ and the critical hours to $ARG3$. This means that if the field "Next Update:" is less than 8 hours in the future you get a warning and if it is less than 6 hours you get a critical.
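The check the plugin performs, written out as an added example (this is not the plugin's own code): fetch the CRL, read its "Next Update" field with the openssl binary (assumed to be on PATH, and the CRL assumed to be DER encoded, as Comodo's is), compare GMT with GMT in minutes, and turn a download or parse failure into a CRITICAL result. Thresholds are passed as positional arguments rather than the plugin's -u/-w/-c flags.

```python
# Added example (not the plugin's own code): fetch a CRL, read its nextUpdate
# field via the openssl binary (assumed on PATH, DER input), and grade the
# minutes left against warning/critical thresholds, GMT against GMT.
import subprocess
import sys
import urllib.request
from datetime import datetime, timezone

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios exit codes

def parse_next_update(openssl_output):
    """Turn 'nextUpdate=May  9 07:30:32 2013 GMT' (as printed by
    `openssl crl -noout -nextupdate`) into a UTC-aware datetime."""
    line = next(l for l in openssl_output.splitlines() if l.startswith("nextUpdate="))
    raw = line.split("=", 1)[1].strip()
    # strptime treats a space in the format as "one or more", so openssl's space-padded day is fine
    return datetime.strptime(raw, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def evaluate(next_update, warn_minutes, crit_minutes, now=None):
    """Return (exit_code, message). Both timestamps are UTC-aware, so the
    comparison does not depend on the host's local timezone; an already
    expired CRL yields a negative minute count and is therefore CRITICAL."""
    now = now or datetime.now(timezone.utc)
    minutes_left = int((next_update - now).total_seconds() // 60)
    when = f"{next_update:%a %b} {next_update.day} {next_update:%H:%M:%S %Y} GMT"
    if minutes_left <= crit_minutes:
        state, code = "CRITICAL", CRITICAL
    elif minutes_left <= warn_minutes:
        state, code = "WARNING", WARNING
    else:
        state, code = "OK", OK
    return code, f"{state} CRL Expires in {minutes_left} minutes (on {when})"

def check_url(url, warn_minutes, crit_minutes):
    """Download the CRL and grade it; any failure (webserver down, not a CRL,
    openssl missing) is reported as CRITICAL instead of crashing the check."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            der = resp.read()
        out = subprocess.run(["openssl", "crl", "-inform", "DER", "-noout", "-nextupdate"],
                             input=der, capture_output=True, check=True).stdout.decode()
        return evaluate(parse_next_update(out), warn_minutes, crit_minutes)
    except Exception as exc:
        return CRITICAL, f"CRITICAL Could not retrieve or parse CRL from {url}: {exc}"

if __name__ == "__main__":  # usage: check_crl_example.py <url> <warn_minutes> <crit_minutes>
    code, msg = check_url(sys.argv[1], int(sys.argv[2]), int(sys.argv[3]))
    print(msg)
    sys.exit(code)
```

With the same "Next Update" as in the test runs above and a clock of 5 May 2013 18:21:32 GMT, the thresholds 480/360, 5200/360 and 5000/5300 give OK, WARNING and CRITICAL respectively.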
Changelog
03-04-2013:
- Changed time to minutes for more precision
- Fixed timezone bug by comparing GMT with GMT
06-11-2012:
- Changed checking interval from dates to hours
- Added error catching if a crl file cannot be retrieved.