
How to Create a Template to Monitor for SSL Certificate Expiration

Applies To

  • Zenoss Resource Manager 4.2.x

Summary

Zenoss Resource Manager enables you to create templates to monitor SSL certificates for expiration. This KB explains how to create an SSL certificate expiration monitor template that can monitor not just a Zenoss device but also webservers running on a particular URL.

Procedure

This procedure assumes Nagios is installed and running. This procedure uses the check_http Nagios plugin to receive alerts that an SSL certificate has expired or is soon to expire on a particular URL.

For more information on the Nagios check_http plugin, see the Nagios Plugins man pages.

To create an SSL certificate monitor template in Resource Manager, perform the following:

Create a New Device Template

  1. In Resource Manager, add a new device in /Devices/Web.
    For example, add a device named google.com.
  2. When the device is in place, expand the Monitoring Templates list in the left-side menu. By default the Device template displays.
  3. Click the gear icon at the bottom of the menu.
  4. Choose Add Local Template.
  5. Name the template, for example Cert_Check.
    Because the template is blank when it is created, a Data Source must be added.
  6. Add a new data source to the template. Select the '+' sign to display the Add a Data Source dialog.
  7. Name the Data Source, for example CertificateCheck.
  8. Change the Type to COMMAND.
  9. Click Submit to save and close the dialog.

Configure the Data Source

Double-click the new (CertificateCheck) Data Source to open and configure it. Set or verify the following information:

  • Event Class field - default should work.
  • Parser field - set to Nagios.
  • Component field - can be left empty or set to a description. For example, set it to Certificate to make the event information more descriptive.
  • Severity field - default should work.
  • Cycle Time field - default should work.
    Note: Although the default 300 second cycle time (every 5 minutes) should work, adjust this value to suit your use case.
  • Event Key field - leave empty.
  • Command Template - This defines the activity. For example, paste the following line in:
    /usr/lib64/nagios/plugins/check_http -H ${dev/id} -C 200

    This line directs the check_http plugin to check the host named by the device ID (in this example, google.com) and determine the certificate validity. The -C switch specifies the minimum number of days remaining for a certificate to be valid without triggering an event (in this example, 200 days). Adjust this value as required for your use case. The following screen capture shows the example event generated because the SSL certificate expires in 76 days and the example checks for a value of 200 days or less:

    [Screen capture: ssl_cert_check_thumb.png]

Other Considerations

Device Already Monitored

If you have a device running SSL for a web service that is already being monitored by Zenoss Resource Manager, it can also be monitored for SSL certificate expiration. To configure this monitoring:

  1. In the Zenoss Resource Manager UI, navigate to the existing device.
  2. Follow the above procedure, starting with step #2.

Adjusting the Command Template

It might be necessary to adjust the code for the command template due to how host IDs resolve. In the provided Command Template example, the string ${dev/id} gets converted to the ID of the device in Resource Manager. This string works for the example because the test device uses google.com as the ID. However, this might not always work because of how the host ID resolves. For example, if a device has an ID of test.device.domain but it hosts a site that resolves to my-internal-site.domain, the Command Template must be altered. To monitor that device for the SSL certificate expiration, perform the above procedure starting with step #2 and define the Command Template entry to suit your use case, for example:

/usr/lib64/nagios/plugins/check_http -H my-internal-site.domain -C 200
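The same check written out as a small Nagios-style script, to show what a COMMAND data source with the Nagios parser receives: a status line, optional performance data after the `|`, and an exit code. This is an added example, not Zenoss or Nagios plugin code; the script name cert_days.py, the function names and the days_left label are hypothetical. The site name is passed explicitly (as with -H) and used for SNI, so it does not depend on the device ID, and the second argument is the day threshold (as with -C).

```python
#!/usr/bin/env python3
# Added example: Nagios-style certificate expiry check (not Zenoss or Nagios plugin code).
import socket
import ssl
import sys
import time

OK, WARNING, CRITICAL = 0, 1, 2  # standard Nagios plugin exit codes


def fetch_not_after(site, port=443, timeout=10):
    """Connect to site, sending its name as SNI, and return the cert's notAfter string."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    with socket.create_connection((site, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=site) as tls:
            return tls.getpeercert()["notAfter"]


def evaluate(site, not_after, warn_days, now=None):
    """Return (exit_code, status_line) for a notAfter value and a day threshold."""
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(not_after) - now) // 86400)
    perf = "|days_left=%d;%d;0" % (days_left, warn_days)  # Nagios performance data
    if days_left < 0:
        return CRITICAL, "CRITICAL - Certificate '%s' expired on %s%s" % (site, not_after, perf)
    if days_left <= warn_days:
        return WARNING, "WARNING - Certificate '%s' expires in %d day(s)%s" % (site, days_left, perf)
    return OK, "OK - Certificate '%s' valid for %d more day(s)%s" % (site, days_left, perf)


def main(argv):
    if len(argv) != 3 or not argv[2].isdigit():
        print("UNKNOWN - usage: cert_days.py <site-name> <warn-days>")
        return 3
    site, warn_days = argv[1], int(argv[2])
    try:
        not_after = fetch_not_after(site)
    except OSError as exc:  # includes ssl.SSLError, e.g. an expired or untrusted certificate
        print("CRITICAL - cannot validate certificate for %s: %s" % (site, exc))
        return CRITICAL
    code, line = evaluate(site, not_after, warn_days)
    print(line)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```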

For additional information on the Nagios plugin see:
