Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Updated to use OpenSSL and cert tags as subprocess no longer works with latest dd-agent
import time
import datetime
from OpenSSL import crypto as c
from checks import AgentCheck
class SSLCheckExpireDays(AgentCheck):
def check(self, instance):
metric = "ssl.expire_in_days"
certfile = instance['cert']
cert_tag = 'cert:%s' % (certfile.split('/')[-1:],)
date_format = "%Y%m%d%H%M%SZ"
cert = c.load_certificate(c.FILETYPE_PEM, file(certfile).read())
output = cert.get_notAfter()
if output:
d0 = datetime.datetime.today()
d1 = datetime.datetime(*(time.strptime(output, date_format)[0:3]))
delta = d1 - d0
self.gauge(metric, int(delta.days), tags=[cert_tag])
else:
self.gauge(metric, -1, tags=[cert_tag])
init_config:
instances:
- cert: /etc/ssl/www.mywebsite1.com.crt
- cert: /etc/ssl/www.mywebsite2.com.crt
- cert: /etc/ssl/www.mywebsite3.com.crt
@flutist599

This comment has been minimized.

Copy link

commented Mar 8, 2016

Hi mrpatrick,

to make it also suitable for sites which use Server Name Indication (SNI) such as AWS CloudFront you should also add the -servername parameter.

For me it now works with

p = subprocess.Popen("echo | openssl s_client -connect " + site + ":443 -servername " + site + " 2>/dev/null | openssl x509 -noout -dates | grep notAfter | cut -f 2 -d\= | xargs -0 -I arg date -d arg \"+%s\"",stdout=subprocess.PIPE, shell=True)

@estib

This comment has been minimized.

Copy link

commented May 11, 2017

You may want to add a tag to each gauge submission to differentiate the values collected for each cert. Maybe something like this:

        cert = instance['cert']
        cert_tag = 'cert:%s' % (cert.split('/')[-1:],)  # should yield "cert:www.mywebsite1.com.crt" ; or change to whatever other tag method you'd prefer
...
            self.gauge(metric, int(delta.days), tags=[cert_tag])
...
            self.gauge(metric, -1, tags=[cert_tag])
@mrpatrick

This comment has been minimized.

Copy link
Owner Author

commented Jul 19, 2017

Thanks @estib - I've updated the check with your suggestion and replaced the external subprocess command to use OpenSSL lib instead (according to DD support, the latest agent no longer supports the subprocess method I was using).

@eedwards-sk

This comment has been minimized.

Copy link

commented Dec 3, 2018

v5/v6 agent compatible:

try:
    from checks import AgentCheck
except ImportError:
    from datadog_checks.checks import AgentCheck

fix tags ending up as arrays (cert:cert_name.pem instead of cert:['cert_name.pem'])

cert_tag = 'cert:%s' % (cert.split('/')[-1],)
@t-dk

This comment has been minimized.

Copy link

commented Mar 19, 2019

Hi.
Will this work for the windows agent ?
I mean the path to certificates is in a "linux" format. If so how is the path to certificates formatted?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.