It looks like Microsoft made a rather classic beginner's mistake and forgot to renew an SSL certificate, taking down quite a few Azure services in the process. I will not comment on what I think of that, but here is a tip to make sure this doesn't happen to you: monitor it!
It is really easy to forget a task that only needs to be done once every few years. Staff comes and goes, or gets reassigned. Reports get forgotten, and putting it on your to-do list only serves to make sure it doesn't get done. So instead of trying to remember when it is time to buy a new certificate, let your monitoring system check how long your certificate remains valid and warn you when it's time to get a new one.
If you use Nagios, this is really easy to set up: the check_http plugin already has this functionality (its -C option returns a warning when the certificate has fewer than the given number of days of validity left). If your web servers are all in the https (or https-auth) hostgroup, the following service and command definitions will make Nagios check the certificate every two hours and warn 14 days before it expires, so this type of embarrassment doesn't happen to you:
define service {
    use                     generic-service
    hostgroup_name          https,https-auth
    service_description     HTTPS SSL Cert Age
    check_command           check_cert_age!14!443
    normal_check_interval   120
    notification_interval   360
    notification_period     workhours
}
define command {
    command_name    check_cert_age
    command_line    $USER1$/check_http -S -C $ARG1$ -I $HOSTADDRESS$ -p $ARG2$
}
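If you don't run Nagios, or want to see what check_http -C is doing under the hood, here is a small script added to this post as a worked example (it is not from the original article, nor part of the Nagios plugins). It fetches the certificate with openssl s_client, sending the host name as SNI so a name-based virtual host returns its own certificate, converts the notAfter date to days remaining with GNU date, and maps the result to Nagios exit codes using the same 14-day warning threshold as the service definition above. The script name, the function names and the certificate date shown in the comment are my own (the date is constructed for illustration).

```bash
#!/bin/bash
# check_cert_age.sh (example, not part of the original post): report how many days a
# server's TLS certificate remains valid, with Nagios-style exit codes
# (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). Requires openssl and GNU date (for `date -d`).

# Convert the "notAfter=Mar 15 12:00:00 2024 GMT" line printed by `openssl x509 -enddate`
# into whole days remaining relative to $2 (epoch seconds; defaults to now).
# A negative result means the certificate has already expired.
# Example with a constructed date: days_until_expiry "notAfter=Mar 15 12:00:00 2024 GMT" 1709251200 -> 14
days_until_expiry() {
    enddate=${1#notAfter=}
    now=${2:-$(date +%s)}
    end=$(date -u -d "$enddate" +%s) || return 3
    echo $(( (end - now) / 86400 ))
}

# Map days remaining to a Nagios state. Prints the state name and returns the exit code.
# The warning threshold in $2 defaults to 14 days, matching check_cert_age!14!443 above.
cert_state() {
    days=$1
    warn_days=${2:-14}
    if [ "$days" -le 0 ]; then
        echo CRITICAL
        return 2
    elif [ "$days" -le "$warn_days" ]; then
        echo WARNING
        return 1
    fi
    echo OK
    return 0
}

# Fetch the certificate a server presents on $1:$2 and grade it.
# -servername sends the host name as SNI, so a name-based virtual host returns its own
# certificate rather than the default one for the IP address; </dev/null closes stdin so
# s_client ends the session right after the handshake instead of waiting for input.
check_remote_cert() {
    host=$1
    port=${2:-443}
    warn_days=${3:-14}
    enddate=$(openssl s_client -servername "$host" -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null)
    if [ -z "$enddate" ]; then
        echo "UNKNOWN - could not fetch a certificate from $host:$port"
        return 3
    fi
    days=$(days_until_expiry "$enddate")
    rc=0
    state=$(cert_state "$days" "$warn_days") || rc=$?
    echo "$state - certificate on $host:$port expires in $days days (${enddate#notAfter=})"
    return $rc
}

# Usage: check_cert_age.sh HOST [PORT] [WARN_DAYS]   (with no arguments only the functions are defined)
if [ $# -ge 1 ]; then
    check_remote_cert "$1" "${2:-443}" "${3:-14}"
    exit $?
fi
```

Two things worth knowing when you rely on the check_http version instead: with -I $HOSTADDRESS$ alone, check_http connects by IP and gets whatever certificate the server serves by default, so on a host that serves several names with different certificates you want to pass the host name as well (newer check_http builds also accept --sni for exactly this reason). And if all you need is a yes/no answer in a cron job, openssl can do the arithmetic itself: `openssl x509 -noout -checkend 1209600` exits non-zero when the certificate on stdin expires within the next 14 days (1209600 seconds).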
bony row on 02/23/2013 3:06 p.m. #
Few weeks ago I have written bash script to check certificates.
#################
#!/bin/bash
# *** variable declarations ***
# Add new server by adding "server:port protocol"
server[1]="server1.company.com:443 tls1"
server[2]="server2.company.com:443 tls1"
server[3]="server1.company.com:443 ssl3"
# *** function declarations ***
function check
{
    server_name=$1
    server_protocol=$2
    # Fetch the certificate, keep the notAfter line and turn "Mar 15 12:00:00 2024 GMT" into "2024-3-15".
    # </dev/null closes s_client's stdin so it exits after the handshake instead of waiting for input.
    cert_date=$(openssl s_client -${server_protocol} -connect ${server_name} </dev/null 2> /dev/null | openssl x509 -dates -noout 2> /dev/null | grep "notAfter" | cut -c10- | gawk '{print $4"-"$1"-"$2}' | sed 's/Jan/1/; s/Feb/2/; s/Mar/3/; s/Apr/4/; s/May/5/; s/Jun/6/; s/Jul/7/; s/Aug/8/; s/Sep/9/; s/Oct/10/; s/Nov/11/; s/Dec/12/;')
    cert_year=$(echo $cert_date | gawk -F- '{print $1}')
    cert_month=$(echo $cert_date | gawk -F- '{print $2}')
    cert_day=$(echo $cert_date | gawk -F- '{print $3}')
    cert_iso_date=$cert_year-$cert_month-$cert_day
    cert_iso_date=$(date -d $cert_iso_date +%Y-%m-%d)
    today=$(date '+%Y-%m-%d')
    # Whole days between today and the expiry date (negative once expired)
    cert_diff_days=$(( ($(date -d $cert_iso_date +%s) - $(date -d $today +%s)) / 86400 ))
    if [[ "$cert_diff_days" -le 14 && "$cert_diff_days" -gt 0 ]] ; then
        message="&yellow "
    elif [[ "$cert_diff_days" -le 0 ]] ; then
        message="&red "
    else
        message="&green "
    fi
    echo $message Until $cert_iso_date on $server_name
}
# *** main ***
echo SSL certificates validity:
for ((i=1; i<=${#server[@]}; i=i+1))
do
    check ${server[$i]}
done
#################
bony on 02/23/2013 3:12 p.m. #
My previous post: from "cert_date" to (but not included) "cert_year" should be in one line.
It looks like this blog just broke them into multiple lines.
mash on 02/23/2013 9:26 p.m. #
Very useful, thanks!
Marius Gedminas on 02/24/2013 12:10 p.m. #
Very useful, thanks!
Is there something similar to check for domain name expiration?
Raymii on 02/24/2013 6:38 p.m. #
Nice that you mention this, I'm using it on a lot of sites, really helps. I've also written a check for certificates on the filesystem (that are not used on a website but for other things): https://raymii.org/s/software/Nagios_check_local_certificate_files.html
Dennis Kaarsemaker on 02/24/2013 9:21 p.m. #
@Marius yes, there are plugins for that. We use the ones you can find in nagios-plugins-contrib in Debian.
Marius Gedminas on 02/25/2013 8:40 a.m. #
Ah. Shame that nagios-plugins-contrib is not in Ubuntu 12.04 (it appeared in quantal).