Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Updated to use OpenSSL and cert tags as subprocess no longer works with latest dd-agent
import time
import datetime
from OpenSSL import crypto as c
from checks import AgentCheck
class SSLCheckExpireDays(AgentCheck):
def check(self, instance):
metric = "ssl.expire_in_days"
certfile = instance['cert']
cert_tag = 'cert:%s' % (certfile.split('/')[-1:],)
date_format = "%Y%m%d%H%M%SZ"
cert = c.load_certificate(c.FILETYPE_PEM, file(certfile).read())
output = cert.get_notAfter()
if output:
d0 =
d1 = datetime.datetime(*(time.strptime(output, date_format)[0:3]))
delta = d1 - d0
self.gauge(metric, int(delta.days), tags=[cert_tag])
self.gauge(metric, -1, tags=[cert_tag])
- cert: /etc/ssl/
- cert: /etc/ssl/
- cert: /etc/ssl/

This comment has been minimized.

Copy link

@flutist599 flutist599 commented Mar 8, 2016

Hi mrpatrick,

to make it also suitable for sites which use Server Name Indication (SNI) such as AWS CloudFront you should also add the -servername parameter.

For me it now works with

p = subprocess.Popen("echo | openssl s_client -connect " + site + ":443 -servername " + site + " 2>/dev/null | openssl x509 -noout -dates | grep notAfter | cut -f 2 -d\= | xargs -0 -I arg date -d arg \"+%s\"",stdout=subprocess.PIPE, shell=True)


This comment has been minimized.

Copy link

@estib estib commented May 11, 2017

You may want to add a tag to each gauge submission to differentiate the values collected for each cert. Maybe something like this:

        cert = instance['cert']
        cert_tag = 'cert:%s' % (cert.split('/')[-1:],)  # should yield "" ; or change to whatever other tag method you'd prefer
            self.gauge(metric, int(delta.days), tags=[cert_tag])
            self.gauge(metric, -1, tags=[cert_tag])

This comment has been minimized.

Copy link
Owner Author

@mrpatrick mrpatrick commented Jul 19, 2017

Thanks @estib - I've updated the check with your suggestion and replaced the external subprocess command to use OpenSSL lib instead (according to DD support, the latest agent no longer supports the subprocess method I was using).


This comment has been minimized.

Copy link

@eedwards-sk eedwards-sk commented Dec 3, 2018

v5/v6 agent compatible:

    from checks import AgentCheck
except ImportError:
    from datadog_checks.checks import AgentCheck

fix tags ending up as arrays (cert:cert_name.pem instead of cert:['cert_name.pem'])

cert_tag = 'cert:%s' % (cert.split('/')[-1],)

This comment has been minimized.

Copy link

@t-dk t-dk commented Mar 19, 2019

Will this work for the windows agent ?
I mean the path to certificates is in a "linux" format. If so how is the path to certificates formatted?


This comment has been minimized.

Copy link

@eugenecg eugenecg commented Sep 8, 2020

Yeah i also need to get this working for a windows agent, is this possible?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.