通过脚本获取到证书到有效期结束还有多少天。
1 #!/bin/bash 2 host=$1 3 port=$2 4 end_date=`/usr/bin/openssl s_client -servername $host -host $host -port $port -showcerts </dev/null 2>/dev/null | 5 sed -n '/BEGIN CERTIFICATE/,/END CERT/p' | 6 /usr/bin/openssl x509 -text 2>/dev/null | 7 sed -n 's/ *Not After : *//p'` 8 # openssl 检验和验证SSL证书。 9 # -servername $host 因一台主机存在多个证书,利用SNI特性检查 10 # </dev/null 定向标准输入,防止交互式程序。从/dev/null 读时,直接读出0 。 11 # sed -n 和p 一起使用,仅显示匹配到的部分。 //,// 区间匹配。 12 # openssl x509 -text 解码证书信息,包含证书的有效期。 13 14 if [ -n "$end_date" ] 15 then 16 end_date_seconds=`date '+%s' --date "$end_date"` 17 now_seconds=`date '+%s'` 18 echo "($end_date_seconds-$now_seconds)/24/3600" | bc 19 fi
也可以使用python获取到期时间,看个人所好
1 #!/usr/bin/python 2 import socket 3 import ssl 4 import datetime 5 import argparse 6 7 def ssl_expiry_datetime(hostname): 8 ssl_date_fmt = r'%b %d %H:%M:%S %Y %Z' 9 10 context = ssl.create_default_context() 11 conn = context.wrap_socket(socket.socket(socket.AF_INET),server_hostname=hostname,) 12 # 3 second timeout because Lambda has runtime limitations 13 conn.settimeout(3.0) 14 15 conn.connect((hostname, 443)) 16 ssl_info = conn.getpeercert() 17 # parse the string from the certificate into a Python datetime object 18 return datetime.datetime.strptime(ssl_info['notAfter'], ssl_date_fmt) 19 20 21 def ssl_valid_time_remaining(hostname): 22 """Get the number of days left in a cert's lifetime.""" 23 expires = ssl_expiry_datetime(hostname) 24 return expires - datetime.datetime.utcnow() 25 26 27 parser = argparse.ArgumentParser(description='returns the time before expiration of certificate') 28 parser.add_argument("-c","--hostname", help="hostname of the certificate you want to check") 29 args = parser.parse_args() 30 31 expire = ssl_valid_time_remaining(args.hostname) 32 #print int(round(datetime.timedelta.total_seconds(expire), 0)) 33 print expire.days
假如监控的证书不是很多,完全可以使用以上脚本,在zabbix中配置相应的item即可,若是证书很多,可以通过zabbix LLD的功能,如下是自动发现域名脚本:
1 #!/usr/bin/env python 2 #coding:utf-8 3 4 import os 5 import sys 6 import json 7 8 #这个函数主要是构造出一个特定格式的字典,用于zabbix 9 def ssl_cert_discovery(): 10 web_list=[] 11 web_dict={"data":None} 12 with open("/etc/zabbix/scripts/ssl_cert_list","r") as f: 13 for sslcert in f: 14 dict={} 15 dict["{#DOMAINNAME}"]=sslcert.strip().split()[0] 16 dict["{#PORT}"]=sslcert.strip().split()[1] 17 web_list.append(dict) 18 web_dict["data"]=web_list 19 jsonStr = json.dumps(web_dict,indent=4) 20 return jsonStr 21 if __name__ == "__main__": 22 print ssl_cert_discovery()
域名列表:
/etc/zabbix/scripts/ssl_cert_list: www.baidu.com 443 www.qq.com 443
zabbix配置:
/etc/zabbix/zabbix_agentd.conf.d/userparameter_sslcert.conf: UserParameter=sslcert_discovery,/usr/bin/python /etc/zabbix/scripts/sshcert_discovery.py UserParameter=sslcert.info[*],/bin/bash /etc/zabbix/scripts/check-cert-expire.sh $1 $2