Updated to use OpenSSL and cert tags as subprocess no longer works with latest dd-agent
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import time | |
import datetime | |
from OpenSSL import crypto as c | |
from checks import AgentCheck | |
class SSLCheckExpireDays(AgentCheck): | |
def check(self, instance): | |
metric = "ssl.expire_in_days" | |
certfile = instance['cert'] | |
cert_tag = 'cert:%s' % (certfile.split('/')[-1:],) | |
date_format = "%Y%m%d%H%M%SZ" | |
cert = c.load_certificate(c.FILETYPE_PEM, file(certfile).read()) | |
output = cert.get_notAfter() | |
if output: | |
d0 = datetime.datetime.today() | |
d1 = datetime.datetime(*(time.strptime(output, date_format)[0:3])) | |
delta = d1 - d0 | |
self.gauge(metric, int(delta.days), tags=[cert_tag]) | |
else: | |
self.gauge(metric, -1, tags=[cert_tag]) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
init_config: | |
instances: | |
- cert: /etc/ssl/www.mywebsite1.com.crt | |
- cert: /etc/ssl/www.mywebsite2.com.crt | |
- cert: /etc/ssl/www.mywebsite3.com.crt |
You may want to add a tag to each gauge submission to differentiate the values collected for each cert. Maybe something like this:
cert = instance['cert']
cert_tag = 'cert:%s' % (cert.split('/')[-1:],) # should yield "cert:www.mywebsite1.com.crt" ; or change to whatever other tag method you'd prefer
...
self.gauge(metric, int(delta.days), tags=[cert_tag])
...
self.gauge(metric, -1, tags=[cert_tag])
Thanks @estib - I've updated the check with your suggestion and replaced the external subprocess command to use OpenSSL lib instead (according to DD support, the latest agent no longer supports the subprocess method I was using).
v5/v6 agent compatible:
try:
from checks import AgentCheck
except ImportError:
from datadog_checks.checks import AgentCheck
fix tags ending up as arrays (cert:cert_name.pem
instead of cert:['cert_name.pem']
)
cert_tag = 'cert:%s' % (cert.split('/')[-1],)
Hi.
Will this work for the windows agent ?
I mean the path to certificates is in a "linux" format. If so how is the path to certificates formatted?
Yeah i also need to get this working for a windows agent, is this possible?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi mrpatrick,
to make it also suitable for sites which use Server Name Indication (SNI) such as AWS CloudFront you should also add the -servername parameter.
For me it now works with
p = subprocess.Popen("echo | openssl s_client -connect " + site + ":443 -servername " + site + " 2>/dev/null | openssl x509 -noout -dates | grep notAfter | cut -f 2 -d\= | xargs -0 -I arg date -d arg \"+%s\"",stdout=subprocess.PIPE, shell=True)