Friday, 8 March 2013

warn of SSL certificate expiry


So you have been tasked to write a cron job to warn when your site's SSL certificate(s) will soon expire and send email to the responsible person. An expired SSL certificate is at best embarrassing and at worst can cause significant business disruptionThere are various ways to do this task.

Nagios has a plugin to check and warn about imminently expiring certificates.

If you have the openssl tools installed you can do it from the command line as shown in this blog post. You should be able to parse the returned date string with the GNU date command and convert it to a number of seconds since the Unix epoch for comparison with the current date to check if expiry is imminent.

I preferred to use Perl. There is a very useful Perl module Net::SSL::ExpireDate by Masaaki Hirose which provided exactly what I wanted. The example is self-explanatory.

On a Debian system other CPAN modules are required, fortunately all of them already in Debian so you only have install those with apt-get, then build, test and install Net::SSL::ExpireDate. Here are the modules I had to install, however there may be other dependencies that were already installed on my system, so this list may not be exhaustive.

libclass-accessor-perl
libcrypt-openssl-x509-perl
libdatetime-perl
libtimedate-perl
libtime-duration-parse-perl
libuniversal-require-perl

The Perl script I wrote was 13 lines long.

No comments:

Post a Comment