A common task for system administrators is renewing SSL certificates. It is important to keep track of expiration dates so that each certificate is renewed before it is too late.

You can simply keep an Excel sheet or some other record of the certificate dates, but you have to remember to check it from time to time. That’s why I find it very useful to add monitoring of the expiration dates of SSL certificates (in my case in Icinga): I can stop worrying, because the alert is raised automatically when the time comes.

Check plugin (check_http)

Icinga (like Nagios) comes with the check_http plugin, which, besides checking whether the HTTP service is up on a host, can also check the expiration date of the SSL certificate.

In the examples I will use the certificate from www.google.com. If we look up the date manually in the browser, we see that at this moment the expiration date is November 20, 2018:

[Image: Icinga - Monitor SSL certificate expiration date]

With the check plugin we could do it this way:

# /usr/lib/nagios/plugins/check_http -H www.google.com -C 30,15

-H  host/domain to be checked
-C  number of days left at which the check raises a warning alert (30 days) and a critical alert (15 days).

This is how we launch the plugin by hand. Let’s configure it so that Icinga runs it automatically, and so that we can see it in the Icinga panel and receive the configured notifications.

Configure CheckCommand

Edit the custom.conf file with your favorite editor to add the configuration block.

/usr/share/icinga2/include/plugins-contrib.d/custom.conf

object CheckCommand "check_ssl_cert" {
  command = [ PluginContribDir + "/check_http"]

  arguments = {
    "-H" = {
      value = "$DOMAIN$"
    }
    "-C" = {
      value = "$WARNING$,$CRITICAL$"
    }
  }
  vars.DOMAIN = "$DOMAIN$"
  vars.WARNING = "$WARNING$"
  vars.CRITICAL = "$CRITICAL$"
}

I decided to name the CheckCommand “check_ssl_cert”, but you can put any name you want. Remember that this is the one we will use in the services.conf file as shown below.

Configure template Service 1day

This is optional, but I created a service template so that the check runs once a day. After all, it makes no sense to check a date every minute, for example.

The template also makes the service enter the HARD state after the first failed check.

Visit this link for more details on the options you can configure:
Icinga2 – Understanding checks and notification types

/etc/icinga2/conf.d/templates.conf

template Service "active-service-HARD-1day" {
  import "generic-service"

  enable_active_checks = true
  enable_passive_checks = false
  
  max_check_attempts = 1
  check_interval = 1d
}

Configure Service

Finally, configure the service with the check_command created previously, including the check parameters (the DOMAIN, the WARNING threshold and the CRITICAL threshold).

/etc/icinga2/conf.d/services.conf

apply Service "CERTIFICATE - www.google.com" {
  import "active-service-HARD-1day"
  check_command = "check_ssl_cert"

  vars.DOMAIN="www.google.com"
  vars.WARNING="30"
  vars.CRITICAL="15"
  assign where host.name in [ "SERVER" ]
}

Result examples

With these parameters from the example, the result it gives me right now is:

[Image: Icinga - Monitor SSL certificate expiration date]

I think the 30-day and 15-day parameters are fine. But as an example, by increasing the WARNING limit to 100 days:

[Image: Icinga - Monitor SSL certificate expiration date]

And after increasing the CRITICAL limit to 80, for example:

[Image: Icinga - Monitor SSL certificate expiration date]
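
The three threshold settings above (30/15, 100/15 and 100/80) can be reproduced offline with the Python script below. It is an added example, not part of check_http or of the original post: a simplified model of how the -C warning,critical limits map to plugin states. The check date (60 days before expiry), the time of day in the sample notAfter value and all function names are assumptions.

```python
import socket
import ssl
import sys
from datetime import datetime, timezone

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios/Icinga plugin exit codes
LABEL = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}
# Constructed sample: the page gives only the date; the time of day is assumed.
SAMPLE_NOT_AFTER = "Nov 20 08:00:00 2018 GMT"

def days_left(not_after, now):
    """Whole days from `now` (aware UTC datetime) until the notAfter string."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days  # negative once the certificate has expired

def evaluate(not_after, warn_days, crit_days, now):
    """Return (exit_code, status_line) for thresholds given as -C warn,crit."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return CRITICAL, "CRITICAL - certificate expired (%s)" % not_after
    if remaining <= crit_days:
        state = CRITICAL
    elif remaining <= warn_days:
        state = WARNING
    else:
        state = OK
    return state, "%s - certificate expires in %d day(s) (%s)" % (LABEL[state], remaining, not_after)

def fetch_not_after(host, port=443, timeout=10):
    """Read notAfter from the live certificate; server_hostname sends SNI."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

if __name__ == "__main__":
    if len(sys.argv) == 4:  # live check: script.py HOST WARN CRIT
        host, warn, crit = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
        try:
            state, line = evaluate(fetch_not_after(host), warn, crit, datetime.now(timezone.utc))
        except ssl.SSLCertVerificationError as exc:  # expired or untrusted chain
            state, line = CRITICAL, "CRITICAL - %s" % exc.verify_message
        print(line)
        sys.exit(state)
    # Offline demo: the page's three threshold pairs, checked 60 days before expiry.
    demo_now = datetime(2018, 9, 21, 8, 0, tzinfo=timezone.utc)
    for warn, crit in [(30, 15), (100, 15), (100, 80)]:
        print(evaluate(SAMPLE_NOT_AFTER, warn, crit, demo_now)[1])
```

In the live mode an already expired certificate fails the TLS handshake before its dates can be read, so the script reports that case as CRITICAL from the verification error.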

I hope you find it useful.
Looking forward to your comments and suggestions!