Forum Discussion
How to Alert before SSL Certificate expire?
Hi Everybody
I experienced an issue where an SSL certificate expired, and I didn't know it was expiring today.
Can we set BIG-IP to email an alert before an SSL certificate expires?
How do we do that?
Thank you very much
- Matt_Dierick (Employee)
You can use Enterprise Manager for that: http://support.f5.com/kb/en-us/products/em/manuals/product/em-health-activity-monitoring-3-1-1/3.html?sr=32575194
Otherwise: https://devcentral.f5.com/questions/sending-logs-about-certification-expiry
- Christopher_Boo (Cirrostratus)
Our CA automatically e-mails us when certs are approaching expiration. You might want to check into that with yours.
Chris
- What_Lies_Bene1 (Cirrostratus)
You might find this useful for manual checks: .
- Kevin_Stewart (Employee)
These are all good options, but if you don't have Enterprise Manager (the BEST option in my opinion) and your CA can't send you an email, I think there's nothing better than a script. Take a look at this one:

#!/bin/bash
# set acceptable threshold in seconds (172800 seconds = 2 days; 25920000 = 300 days)
threshold=25920000
# get today's date
this_date=`date +%s`
(
# split the tmsh output on newlines only, so each one-line cert record is one loop item
IFS=$'\n'
# loop through the stored certificates
output=`tmsh list / sys crypto one-line |grep "sys crypto cert"`
for f in ${output}
do
    # field 4 of "sys crypto cert <name> { ... }" is the certificate name
    cert=`echo $f |awk -F" " '{ print $4 }'`
    # pull the text between "expiration" and "organization", then strip both keywords
    certdate=`expr match "$f" '.*\(expiration.*organization\)' |sed s/expiration// | sed s/organization//`
    expires=`date -d "$certdate" +%s`
    if [ $this_date -ge $(($expires - $threshold)) ]
    then
        expires_when=$(((expires - $this_date) / 60 / 60 / 24))
        echo "$cert is about to expire in $expires_when days"
        # additional processing for expiring certs goes here
    fi
done
)
This should work for any v11 system. You'll need to make a few modifications/additions:
- Set a valid threshold value in seconds (172800 seconds = 2 days)
- Add whatever additional functions you need to happen on cert expiring (i.e. mail notice, etc.)
- Create an external monitor, bind this script to the monitor, and then bind the monitor to a "dummy" pool of servers - a pool not defined in any virtual server configuration. Doing this allows the monitor to fire on a schedule (like a cron job), but is also saved in the archive (unlike a cron job).
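The threshold check from Kevin's post, rewritten as an added example (editor's code, not Kevin's script and not anything F5 ships) so the date arithmetic can be exercised offline: "now" is an explicit argument, each outcome gets its own exit status, and the on-disk scan only runs when asked for. The function names (seconds_until_expiry, days_until_expiry, classify_expiry, check_cert_file, scan_cert_dir) and the --scan flag are this example's own. It assumes bash, GNU date (as on BIG-IP) and openssl for the file checks; the default directory is the 10.x path the thread uses.

```shell
#!/bin/bash
# Added example, not code from the thread or from F5. Assumed names:
# seconds_until_expiry, days_until_expiry, classify_expiry, check_cert_file,
# scan_cert_dir. Needs bash, GNU date; openssl only for the on-disk checks.

# Seconds from "now" until the date in an openssl "notAfter=Mon DD HH:MM:SS YYYY GMT"
# line (the "notAfter=" prefix is optional). The second argument overrides "now"
# (epoch seconds), which is what makes the arithmetic testable. Returns 2 if the
# date cannot be parsed.
seconds_until_expiry() {
    local literal=${1#notAfter=}
    local now=${2:-$(date +%s)}
    local expires
    expires=$(date -u -d "$literal" +%s 2>/dev/null) || return 2
    echo $(( expires - now ))
}

days_until_expiry() {
    local secs
    secs=$(seconds_until_expiry "$1" "$2") || return 2
    echo $(( secs / 86400 ))
}

# Exit status: 0 = fine, 1 = expires within threshold_days, 3 = already expired,
# 2 = unparsable date. Distinct codes let the caller decide what to mail or log.
classify_expiry() {
    local literal=$1 threshold_days=$2 now=$3
    local days
    days=$(days_until_expiry "$literal" "$now") || return 2
    if [ "$days" -lt 0 ]; then
        return 3
    fi
    if [ "$days" -le "$threshold_days" ]; then
        return 1
    fi
    return 0
}

# Check one PEM file on disk (needs openssl; not run by the offline test).
check_cert_file() {
    local file=$1 threshold_days=${2:-30}
    local literal rc=0
    literal=$(openssl x509 -in "$file" -noout -enddate 2>/dev/null) \
        || { echo "$file: not a readable X.509 certificate" >&2; return 2; }
    classify_expiry "$literal" "$threshold_days" || rc=$?
    case $rc in
        1) echo "$file expires in $(days_until_expiry "$literal") days (${literal#notAfter=})" ;;
        3) echo "$file EXPIRED on ${literal#notAfter=}" ;;
    esac
    return $rc
}

# Walk a directory of .crt files. The overall status is the worst one seen, so a
# cron job or monitor wrapper can mail whenever the exit status is non-zero.
scan_cert_dir() {
    local dir=${1:-/config/ssl/ssl.crt} threshold_days=${2:-30}
    local f worst=0 rc
    for f in "$dir"/*.crt; do
        [ -e "$f" ] || continue      # no matches: the glob stays unexpanded
        rc=0
        check_cert_file "$f" "$threshold_days" || rc=$?
        if [ "$rc" -gt "$worst" ]; then
            worst=$rc
        fi
    done
    return $worst
}

# Example invocation: ./certcheck.sh --scan /config/ssl/ssl.crt 30
if [ "${1-}" = "--scan" ]; then
    scan_cert_dir "${2-}" "${3-}"
fi
```

Only problem certificates produce a line of output, as in Kevin's version, so whatever you bolt on (mail, logger, an SNMP trap) can key off either the printed lines or the exit status. That also means a dummy-pool external monitor running it will see no stdout for a clean run; since that pool is not referenced by any virtual server, its up/down state does not matter.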
- Kevin_Stewart (Employee)
"Do I need to change output=`tmsh list / sys crypto one-line |grep "sys crypto cert"` if I'm using firmware 10.2.4?"
The code is actually easier in 10.x because the certs are still stored in the directory.

#!/bin/bash
# set acceptable threshold in seconds (172800 seconds = 2 days; 185920000 is about 2152 days, so set your own window)
threshold=185920000
# get today's date
this_date=`date +%s`
# set path to certificates
cert_path=/config/ssl/ssl.crt/
for f in $cert_path*.crt
do
    # openssl prints "notAfter=<date>"; keep only the date literal
    this_cert_date_literal=`openssl x509 -in "$f" -noout -enddate |sed s/notAfter=//`
    this_cert_date=`date -d "$this_cert_date_literal" +%s`
    if [ $this_date -ge $(($this_cert_date - $threshold)) ]
    then
        expires_when=$(((this_cert_date - $this_date) / 60 / 60 / 24))
        echo "$f is about to expire in $expires_when days"
        # additional processing for expiring certs goes here
    fi
done
I have seen Nagios used for this; not sure how exactly it was configured, but it monitored the virtual server and checked the expiration there. It might not work in every environment, but it might be an idea.
- karan12_154818 (Nimbostratus)
Tried creating a .sh file as per the above script in v11 LTM, but no output as such.
- Kevin_Stewart (Employee)
"Tried creating a .sh file as per the above script in v11 LTM, but no output as such."
- Create and edit the script: vi certmonitor.sh
- Copy the above code to the script and save it.
- Chmod the script to make it executable: chmod 755 certmonitor.sh
- Run it: ./certmonitor.sh
There are two versions of the script above. The first is for 11.x, and the second is for 10.x.
- karan12_154818 (Nimbostratus)
Thanks everyone for the replies!! I was trying chmod 700 and it was not working, but with chmod 755 it's working. But it gives bundle or chain certificates' expiry dates. I'm running version 11.4.1; maybe tmsh list / sys crypto one-line checking certs for the customers in cert_path=/config/ssl/ssl.crt/ is different for the 11.4.x version.
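The bundle/chain point raised above is worth handling explicitly: openssl x509 only reads the first certificate in a PEM file, so a check on a chain file reports whichever cert happens to come first, not the one that expires soonest. The following is an added example (editor's code, not from this thread or from F5) that splits a PEM file into its certificates and reports the earliest notAfter across all of them. The helper names (make_sample_bundle, pem_cert_count, pem_cert_block, earliest_notafter, bundle_expiry_report) are this example's own; the sample bundle it writes is constructed placeholder text, not real certificates. It needs awk and GNU date; bundle_expiry_report also needs openssl because it reads real files.

```shell
#!/bin/bash
# Added example, not code from this thread or from F5. Assumed helper names:
# make_sample_bundle, pem_cert_count, pem_cert_block, earliest_notafter,
# bundle_expiry_report. Needs awk and GNU date; openssl only for real files.

# Constructed sample: a two-block "bundle" with placeholder bodies (not real
# certificates), used only to exercise the splitting logic offline.
make_sample_bundle() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'FIRSTCERTBODY'  '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'SECONDCERTBODY' '-----END CERTIFICATE-----' > "$1"
}

# How many certificates a PEM file holds (1 for a plain cert, more for a chain).
# Prints 0 for an unreadable file rather than failing.
pem_cert_count() {
    local n
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# Print only the Nth certificate of a PEM file (1-based) so it can be piped into
# openssl x509 on its own.
pem_cert_block() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# Read "notAfter=..." lines (openssl -enddate format) on stdin and print the
# earliest one: a chain is only as good as its soonest-expiring member.
earliest_notafter() {
    local literal epoch best= best_epoch=
    while IFS= read -r literal; do
        literal=${literal#notAfter=}
        [ -n "$literal" ] || continue
        epoch=$(date -u -d "$literal" +%s 2>/dev/null) || continue
        if [ -z "$best_epoch" ] || [ "$epoch" -lt "$best_epoch" ]; then
            best_epoch=$epoch
            best=$literal
        fi
    done
    if [ -z "$best" ]; then
        return 1
    fi
    echo "$best"
}

# Report the earliest expiry across every cert in a file (needs openssl).
# Second argument overrides "now" (epoch seconds).
bundle_expiry_report() {
    local file=$1 now=${2:-$(date +%s)}
    local count i earliest expires
    count=$(pem_cert_count "$file")
    if [ "$count" -eq 0 ]; then
        echo "$file: no PEM certificates found" >&2
        return 2
    fi
    earliest=$(
        i=1
        while [ "$i" -le "$count" ]; do
            pem_cert_block "$file" "$i" | openssl x509 -noout -enddate 2>/dev/null
            i=$((i + 1))
        done | earliest_notafter
    ) || { echo "$file: could not read expiry dates" >&2; return 2; }
    expires=$(date -u -d "$earliest" +%s)
    echo "$file: $count cert(s), earliest expiry $earliest ($(( (expires - now) / 86400 )) days left)"
}
```

On a real box, run bundle_expiry_report against each file in the cert directory and compare the days-left figure with your threshold; for a plain single-cert file it degrades to the same answer the openssl one-liner gives.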
- lkchen (Nimbostratus)
Does adding these two alerts to '/config/user_alert.conf' not work anymore?

alert CERT_WILL_EXPIRE "crt will expire on" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.502";
    email toaddress="root@example.com" body="Cert will expire message from BigIP"
}
# each alert entry needs its own distinct name
alert CERT_EXPIRED "crt expired on" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.503";
    email toaddress="root@example.com" body="Cert expired message from BigIP"
}

Other than there being no more postfix, I thought there was some other way, though I haven't gotten around to looking. But it's on my list to re-implement getting alerts about going standby/active. It seems a pair of vCMPs will periodically oscillate, which was discovered by wondering what we were doing to cause the spikes in CPU utilization...
But for certificate reporting/alerting....I'm now using the certificate report feature of a tweaked version of the "Config Backup for F5" appliance.
My version can be found on github.
Just need to re-train myself to pay attention to the emails occasionally. And, figure out how to get it to send us the backup logs...among other wish list items.
LK