Certificate expiry

Background

One of the main requirements and concerns of online platform administrators is the expiration of SSL certificates. In this article we’re going to look at how to monitor the validity of any website’s certificate using Pandora FMS and avoid being taken by surprise by expiry dates.

First things first; you’ll need a Pandora FMS server with Internet access, or at least with access to the specific web pages whose SSL certificates you want to monitor. The plugin we’re going to use will be executed by the Pandora FMS server and can be launched on any website, so the server’s location is important.

Deployment

Download ssl_plugin.sh from the official Pandora FMS plugin library.

Deploy the plugin in your Pandora FMS server’s plugin directory: /usr/share/pandora_server/util/plugin/

To deploy the plugin more easily you can use the WinSCP utility, which transfers files between Windows (local PC) and Linux (Pandora FMS server) systems. If Linux is your usual system, you can copy the plugin to your Pandora FMS server with this simple command:

scp <path>/ssl_plugin.sh username@192.168.50.1:/allowed/path

In the above example, replace <path> with the local path where the plugin is, for example /home/Antonio/Downloads, username with a valid user of the Pandora FMS server, e.g. root, 192.168.50.1 with the IP address of the server in question, and /allowed/path with the path where you want to store the plugin on the Pandora FMS server. Remember that the user given as username must have write permission on this path. A valid command would be:

scp /home/Antonio/Downloads/ssl_plugin.sh root@192.168.50.1:/etc/pandora/plugins

Registry

Once the plugin is deployed on the Pandora FMS server, register it in the console through the plugins section of the menu.

Define the plugin by filling out the fields as in the following screenshot:

The most important fields are Plug-in command, which has to be completed with the absolute path where the plugin is saved, and Plug-in parameters, which should contain macro_field_1. It’s also important to set the Max. parameter to a low value (a few seconds) so the server can end the process if there are problems executing the plugin, and avoid leaving processes or threads open.

The other fields are descriptive and may be filled out according to your needs.

Execution

Once the plugin is registered on the console you can create a module to check the validity of the website’s SSL certificate and know at any time how much time is left on it. Create a new plugin module:

Creating the module is as easy as filling out some of the fields in the following form. Give it a name that lets you identify it, select the plugin you registered (in this case SSL certificate check), enter a website to check (in this case pandorafms.org), and click Create:

Once it’s created, and providing there are no connectivity problems between server and website, the certificate’s validity will be displayed:

Thresholds (warning, critical) must be specified manually when creating modules, or editing them afterward, as they are not defined automatically by the plugin, and will not warn you of a certificate’s expiration by default. In the previous example the modules go to warning status starting from 100 days, and critical from 60 days.

Extension

Apart from the basic monitoring which the plugin offers, it’s easy to extend its logic as openssl has different options for finding out all kinds of information about the SSL certificate, such as date of issue, issuing entity, addressee, etc.

If you want to extend the plugin’s logic you need to modify it to include any of these additional checks. It’s also possible to change the plugin so that it runs from a software agent and performs checks from different locations, which is particularly useful if the Pandora FMS server has no Internet connection to the websites you want to monitor.
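
The following added example is not the code of ssl_plugin.sh or anything from the Pandora FMS plugin library; it shows how openssl can return the issuer, subject and issue date alongside the days remaining. The function names and the sample.invalid test certificate are assumptions made for illustration, and it assumes openssl and GNU date are installed.

```shell
#!/bin/sh
# Added example, not the code of ssl_plugin.sh; function names are hypothetical.
# Assumes openssl and GNU date (date -d) are available on the server.

# Print the leaf certificate served by host:port as PEM.
# -servername sends SNI so a shared IP returns the certificate for this host.
fetch_cert() {
    openssl s_client -servername "$1" -connect "$1:${2:-443}" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Print one attribute of the certificate in PEM file $1.
# The allow-list keeps a module parameter from becoming an arbitrary openssl option.
cert_field() {
    case $2 in
        subject|issuer|startdate|enddate|serial) ;;
        *) echo "unsupported field: $2" >&2; return 2 ;;
    esac
    openssl x509 -in "$1" -noout "-$2" | sed 's/^[^=]*=//'
}

# Print whole days until notAfter, truncated toward zero; negative means expired.
cert_days_left() {
    end=$(cert_field "$1" enddate)
    [ -n "$end" ] || return 1
    end_s=$(date -u -d "$end" +%s) || return 1
    echo $(( ($end_s - $(date -u +%s)) / 86400 ))
}

# Constructed sample input: a throwaway self-signed certificate valid for $2 days.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=sample.invalid" \
        -keyout "$1.key" -out "$1" 2>/dev/null && rm -f "$1.key"
}

# Script use: sh cert_info.sh HOST [days|subject|issuer|startdate|enddate|serial]
if [ $# -ge 1 ]; then
    pem=$(mktemp) || exit 1
    fetch_cert "$1" >"$pem"
    case ${2:-days} in
        days) cert_days_left "$pem" ;;
        *)    cert_field "$pem" "$2" ;;
    esac
    rc=$?; rm -f "$pem"; exit "$rc"
fi
```

Each invocation prints a single value, so one module per attribute can call the same script with a different second argument.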