Skip to main content

Raymii.org Logo (IEC resistor symbol)logo

Quis custodiet ipsos custodes?
Home | About | All pages | RSS Feed | Gopher

Nagios plugin to check CRL expiry in minutes

Published: 02-05-2013 | Author: Remy van Elst | Text only version of this article


Table of Contents


This is a nagios plugin which you can use to check if a CRL (CertificateRevocation List, public list with revoked certificates) is still valid. This isbased on the check_crl.py plugin from Michele Baldessari. It is modified itso that it checks the time in minutes (for more precision) instead of days, ithas a GMT time comparison bug fixed and I've added error handling so that if theplugin cannot get a crl file (because the webserver is down) it gives a Criticalerror in nagios.

If you like this article, consider sponsoring me by trying out a Digital OceanVPS. With this link you'll get $100 credit for 60 days). (referral link)

Download

Download the plugin from my github
Download the plugin from raymii.org

Install and Usage

This guide covers the steps needed for Ubuntu 10.04/12.04 and Debian 6. Itshould also work on other distro's, but make sure to modify the commands whereneeded.

Make sure you have openssl, python3 and a module needed by the script installedon the nagios host:

apt-get install python3 openssl python-m2crypto

Now place the script on the host. I've placed in /etc/nagios/plugins/checkcrl.py_.

wget -O /etc/nagios/plugins/check_crl.py http://raymii.org/s/inc/downloads/check_crl.py

Make sure the script is executable:

chmod +x /etc/nagios/plugins/check_crl.py

Now test the script. I'm using the URL of the Comodo CA CRL file which is the CAthat signed my certificate for raymii.org.

/etc/nagios/plugins/check_crl.py -u http://crl.comodoca.com/PositiveSSLCA2.crl -w 480 -c 360OK CRL Expires in 5109 minutes (on Thu May  9 07:30:32 2013 GMT)/etc/nagios/plugins/check_crl.py -u http://crl.comodoca.com/PositiveSSLCA2.crl -w 5200 -c 360WARNING CRL Expires in 5108 minutes (on Thu May  9 07:30:32 2013 GMT)/etc/nagios/plugins/check_crl.py -u http://crl.comodoca.com/PositiveSSLCA2.crl -w 5000 -c 5300CRITICAL CRL Expires in 5108 minutes (on Thu May  9 07:30:32 2013 GMT)

Lets add the nagios command:

define command{    command_name    crl_check    command_line    /etc/nagios-plugins/check_crl.py -u $ARG1$ -w $ARG2$ -c $ARG3$}

And lets add the command to a service check:

define service {        use                             generic-service        host_name                       localhost        service_description             Comodo PositiveSSL CA2 CRL        contact                         nagiosadmin                         check_command                   crl_check!http://crl.comodoca.com/PositiveSSLCA2.crl!24!12}

The above service check runs on the nagios defined host "localhost", uses the(default) service template "generic-service" and had the contact "nagiosadmin".As you can see, the URL maps to $ARG1$, the warning hours to $ARG2$ and thecritical hours to $ARG3$. This means that if the field "Next Update:" is lessthen 8 hours in the future you get a warning and if it is less then 6 hours youget a critical.

Changelog

03-04-2013: - Changed time to minutes for more precision - Fixed timezone bug bycomparing GMT with GMT

06-11-2012: - Changed checking interval from dates to hours - Added errorcatching if a crl file cannot be retrieved.

Tags: certificates, crl, monitoring, nagios, openssl, revoke, software, ssl