监控案例一--监控HTTPS证书过期

 

通过脚本获取到证书到有效期结束还有多少天。

 1 #!/bin/bash
 2 host=$1
 3 port=$2
 4 end_date=`/usr/bin/openssl s_client -servername $host -host $host -port $port -showcerts </dev/null 2>/dev/null |
 5   sed -n '/BEGIN CERTIFICATE/,/END CERT/p' |
 6   /usr/bin/openssl  x509 -text 2>/dev/null |
 7   sed -n 's/ *Not After : *//p'`
 8 # openssl 检验和验证SSL证书。
 9 # -servername $host 因一台主机存在多个证书,利用SNI特性检查
10 # </dev/null 定向标准输入,防止交互式程序。从/dev/null 读时,直接读出0 。
11 # sed -n 和p 一起使用,仅显示匹配到的部分。 //,// 区间匹配。
12 # openssl x509 -text 解码证书信息,包含证书的有效期。
13 
14 if [ -n "$end_date" ]
15 then
16     end_date_seconds=`date '+%s' --date "$end_date"`
17     now_seconds=`date '+%s'`
18     echo "($end_date_seconds-$now_seconds)/24/3600" | bc
19 fi
View Code

也可以使用python获取到期时间,看个人所好

 1 #!/usr/bin/python
 2 import socket
 3 import ssl
 4 import datetime
 5 import argparse
 6 
 7 def ssl_expiry_datetime(hostname):
 8     ssl_date_fmt = r'%b %d %H:%M:%S %Y %Z'
 9 
10     context = ssl.create_default_context()
11     conn = context.wrap_socket(socket.socket(socket.AF_INET),server_hostname=hostname,)
12     # 3 second timeout because Lambda has runtime limitations
13     conn.settimeout(3.0)
14 
15     conn.connect((hostname, 443))
16     ssl_info = conn.getpeercert()
17     # parse the string from the certificate into a Python datetime object
18     return datetime.datetime.strptime(ssl_info['notAfter'], ssl_date_fmt)
19 
20 
21 def ssl_valid_time_remaining(hostname):
22     """Get the number of days left in a cert's lifetime."""
23     expires = ssl_expiry_datetime(hostname)
24     return expires - datetime.datetime.utcnow()
25 
26 
27 parser = argparse.ArgumentParser(description='returns the time before expiration of certificate')
28 parser.add_argument("-c","--hostname", help="hostname of the certificate you want to check")
29 args = parser.parse_args()
30 
31 expire = ssl_valid_time_remaining(args.hostname)
32 #print int(round(datetime.timedelta.total_seconds(expire), 0))
33 print expire.days
View Code

 假如监控的证书不是很多,完全可以使用以上脚本,在zabbix中配置相应的item即可,若是证书很多,可以通过zabbix LLD的功能,如下是自动发现域名脚本:

 1 #!/usr/bin/env python
 2 #coding:utf-8
 3 
 4 import os
 5 import sys
 6 import json
 7 
 8 #这个函数主要是构造出一个特定格式的字典,用于zabbix
 9 def ssl_cert_discovery():
10     web_list=[]
11     web_dict={"data":None}
12     with open("/etc/zabbix/scripts/ssl_cert_list","r") as f:
13         for sslcert in f:
14             dict={}
15             dict["{#DOMAINNAME}"]=sslcert.strip().split()[0]
16             dict["{#PORT}"]=sslcert.strip().split()[1]
17             web_list.append(dict)
18     web_dict["data"]=web_list
19     jsonStr = json.dumps(web_dict,indent=4)
20     return jsonStr
21 if __name__ == "__main__":
22     print ssl_cert_discovery()
View Code

域名列表:

/etc/zabbix/scripts/ssl_cert_list:
www.baidu.com 443
www.qq.com 443

zabbix配置:

/etc/zabbix/zabbix_agentd.conf.d/userparameter_sslcert.conf:
UserParameter=sslcert_discovery,/usr/bin/python  /etc/zabbix/scripts/sshcert_discovery.py
UserParameter=sslcert.info[*],/bin/bash /etc/zabbix/scripts/check-cert-expire.sh $1 $2

 

posted @ 2020-09-01 19:22  摩天居士-谢烟客  阅读(397)  评论(0编辑  收藏  举报