Skip to main content

Raymii.org Logo (IEC resistor symbol) logo

Quis custodiet ipsos custodes?
Home | About | All pages | RSS Feed | Gopher

Nagios plugin to check CRL expiry in minutes

Published: 02-05-2013 | Author: Remy van Elst | Text only version of this article


Table of Contents


This is a nagios plugin which you can use to check if a CRL (Certificate Revocation List, public list with revoked certificates) is still valid. This is based on the check_crl.py plugin from Michele Baldessari. It is modified it so that it checks the time in minutes (for more precision) instead of days, it has a GMT time comparison bug fixed and I've added error handling so that if the plugin cannot get a crl file (because the webserver is down) it gives a Critical error in nagios.

If you like this article, consider sponsoring me by trying out a Digital Ocean VPS. With this link you'll get $100 credit for 60 days). (referral link)

Download

Download the plugin from my github
Download the plugin from raymii.org

Install and Usage

This guide covers the steps needed for Ubuntu 10.04/12.04 and Debian 6. It should also work on other distro's, but make sure to modify the commands where needed.

Make sure you have openssl, python3 and a module needed by the script installed on the nagios host:

apt-get install python3 openssl python-m2crypto

Now place the script on the host. I've placed in /etc/nagios/plugins/check crl.py_.

wget -O /etc/nagios/plugins/check_crl.py http://raymii.org/s/inc/downloads/check_crl.py

Make sure the script is executable:

chmod +x /etc/nagios/plugins/check_crl.py

Now test the script. I'm using the URL of the Comodo CA CRL file which is the CA that signed my certificate for raymii.org.

/etc/nagios/plugins/check_crl.py -u http://crl.comodoca.com/PositiveSSLCA2.crl -w 480 -c 360
OK CRL Expires in 5109 minutes (on Thu May  9 07:30:32 2013 GMT)

/etc/nagios/plugins/check_crl.py -u http://crl.comodoca.com/PositiveSSLCA2.crl -w 5200 -c 360
WARNING CRL Expires in 5108 minutes (on Thu May  9 07:30:32 2013 GMT)

/etc/nagios/plugins/check_crl.py -u http://crl.comodoca.com/PositiveSSLCA2.crl -w 5000 -c 5300
CRITICAL CRL Expires in 5108 minutes (on Thu May  9 07:30:32 2013 GMT)

Lets add the nagios command:

define command{
    command_name    crl_check
    command_line    /etc/nagios-plugins/check_crl.py -u $ARG1$ -w $ARG2$ -c $ARG3$
}

And lets add the command to a service check:

define service {
        use                             generic-service
        host_name                       localhost
        service_description             Comodo PositiveSSL CA2 CRL
        contact                         nagiosadmin                 
        check_command                   crl_check!http://crl.comodoca.com/PositiveSSLCA2.crl!24!12
}

The above service check runs on the nagios defined host "localhost", uses the (default) service template "generic-service" and had the contact "nagiosadmin". As you can see, the URL maps to $ARG1$, the warning hours to $ARG2$ and the critical hours to $ARG3$. This means that if the field "Next Update:" is less then 8 hours in the future you get a warning and if it is less then 6 hours you get a critical.

Changelog

03-04-2013: - Changed time to minutes for more precision - Fixed timezone bug by comparing GMT with GMT

06-11-2012: - Changed checking interval from dates to hours - Added error catching if a crl file cannot be retrieved.

Tags: certificates , crl , monitoring , nagios , openssl , revoke , software , ssl