Q: is it possible to check when SSL certificate expires?
A: yes, you can use “Script or program” or “Script over SSH” monitor types to do that.
Table of contents
Several approaches are listed below. Note that they expect you can connect to the site in question via HTTPS.
1. Checking with openssl
A simple shell script can be used in Unix-like environment providing OpenSSL, including
- Cygwin
- external Linux environment (accessible via SSH)
- Windows Subsystem for Linux
The below sample Bash script can be used to verify SSL certificate expiration time
#!/bin/bash
if [[ "q$1" == "q" ]]; then
echo $0 domain
exit 0
fi
DOMAINNAME="$1"
NOTAFTER=`echo | openssl s_client -connect ${DOMAINNAME}:443 2>/dev/null | openssl x509 -noout -dates | tail -1 | cut -b 10-`
EPOCHEXP=`date -d "${NOTAFTER}" "+%s"`
EPOCHNOW=`date "+%s"`
echo `expr $EPOCHEXP - $EPOCHNOW`
Alternately, download the archive containing script: get-site-certificate-expiration.zip (443 bytes).
1.1. Using Cygwin
The below instructions assume you have placed the script file into
C:\scripts\get-site-certificate-expiration.sh
In this article, we do not explain how to install Cygwin environment. It is assumed you are using 64-bit Cygwin and default installation path (change the below paths accordingly if using a different version and/or installation path).
In the below example we check SSL certificate expiration date for domain ‘google.com’. Create “Script or program” monitor (for local host, for any other host), give it a name “google.com” (without quotes) and use the below definition:
- Mode: Run program
- Path: C:\cygwin64\bin\bash.exe
- Arguments: -c "PATH=/usr/bin; SCRIPTS=`cygpath 'C:\Scripts'`; \"${SCRIPTS}/get-site-certificate-expiration.sh\" $MonitorName"
Please pay attention we use monitor name as script parameter (by inserting $MonitorName). If you only need to check certificate expiration time for a number of sites, you can avoid creating a separate host for every monitor this way.
Monitor returns seconds remaining to the SSL certificate expiration; thus you can check whether the performance value is below 604800 seconds (7 times 86400) to get alerted, if the certificate expires in less than a week.
1.2. Run checks via SSH
If you have a Unix-like system providing reasonably up-to-date OpenSSL version, you can similarly set up the “Script or Program over SSH” monitor. Give the monitor name equal to the domain to check (in this example, ‘google.com’) and use settings like below:
- Mode: Run Script
- How to run a script: Take a script from file
- File name: C:\scripts\get-site-certificate-expiration.sh
- Arguments: $MonitorName
Note: the script assumes that OpenSSL emits the expiration date line in certain position; if it doesn’t work, check the results of command like
echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -dates | tail -1
It should return line like
notAfter=Jul 9 09:52:00 2019 GMT
If it displays something different, please consult openssl manual for possible changes in output data.
2. Check with .NET using PowerShell
The PS script can be downloaded from get-site-certificate-expiration-ps1.zip (759 bytes).
If you place it into a folder different from C:\Scripts, change the below settings accordingly.
Similarly, the below example checks certificate age for domain ‘google.com’. Create “Script or program” monitor (for local host, for any other host), give it a name “google.com” (without quotes) and use the below definition:
- Mode: Run program
- Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- Arguments: -ExecutionPolicy Bypass -NoProfile -NonInteractive "& "C:\Scripts\get-site-certificate-expiration.ps1" -domain $MonitorName"
Note: if in doubt, get the full path to PowerShell executable by running
where powershell.exe
command.
Use the proposed PS1 script as template when necessary; you can obtain other various certificate properties this way.
Related links
