Skip to content

Instantly share code, notes, and snippets.

Last active September 8, 2020 07:39
  • Star 2 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Updated to use OpenSSL and cert tags as subprocess no longer works with latest dd-agent
import time
import datetime
from OpenSSL import crypto as c
from checks import AgentCheck
class SSLCheckExpireDays(AgentCheck):
def check(self, instance):
metric = "ssl.expire_in_days"
certfile = instance['cert']
cert_tag = 'cert:%s' % (certfile.split('/')[-1:],)
date_format = "%Y%m%d%H%M%SZ"
cert = c.load_certificate(c.FILETYPE_PEM, file(certfile).read())
output = cert.get_notAfter()
if output:
d0 =
d1 = datetime.datetime(*(time.strptime(output, date_format)[0:3]))
delta = d1 - d0
self.gauge(metric, int(delta.days), tags=[cert_tag])
self.gauge(metric, -1, tags=[cert_tag])
- cert: /etc/ssl/
- cert: /etc/ssl/
- cert: /etc/ssl/
Copy link

Hi mrpatrick,

to make it also suitable for sites which use Server Name Indication (SNI) such as AWS CloudFront you should also add the -servername parameter.

For me it now works with

p = subprocess.Popen("echo | openssl s_client -connect " + site + ":443 -servername " + site + " 2>/dev/null | openssl x509 -noout -dates | grep notAfter | cut -f 2 -d\= | xargs -0 -I arg date -d arg \"+%s\"",stdout=subprocess.PIPE, shell=True)

Copy link

estib commented May 11, 2017

You may want to add a tag to each gauge submission to differentiate the values collected for each cert. Maybe something like this:

        cert = instance['cert']
        cert_tag = 'cert:%s' % (cert.split('/')[-1:],)  # should yield "" ; or change to whatever other tag method you'd prefer
            self.gauge(metric, int(delta.days), tags=[cert_tag])
            self.gauge(metric, -1, tags=[cert_tag])

Copy link

Thanks @estib - I've updated the check with your suggestion and replaced the external subprocess command to use OpenSSL lib instead (according to DD support, the latest agent no longer supports the subprocess method I was using).

Copy link

v5/v6 agent compatible:

    from checks import AgentCheck
except ImportError:
    from datadog_checks.checks import AgentCheck

fix tags ending up as arrays (cert:cert_name.pem instead of cert:['cert_name.pem'])

cert_tag = 'cert:%s' % (cert.split('/')[-1],)

Copy link

t-dk commented Mar 19, 2019

Will this work for the windows agent ?
I mean the path to certificates is in a "linux" format. If so how is the path to certificates formatted?

Copy link

eugenecg commented Sep 8, 2020

Yeah i also need to get this working for a windows agent, is this possible?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment