For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

r23_78178's avatar
r23_78178
Icon for Nimbostratus rankNimbostratus
Jan 13, 2012

iRule idea check certificate

Hi,

 

 

I am occasionally tasked with checking ssl certificates on my customer's F5 LTM.

 

This is a manual task and it takes time and adding beaureaucracy means updating in the last minute.

 

 

I have an idea. What if I create an IRule to check certificates using something like :

 

openssl x509 -in /config/ssl/ssl.crt/default.crt -noout -enddate |cut -c10-40

 

and then send a notification that a certificate will expire in the next 2-3 months.

 

 

I am a beginner with all iRules. Is this feasible/possible ? How should I start ?

 

application delivery
dev
devops
iRules

7 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jan 13, 2012
    Hi r23,

     

     

    You could use openssl to do this. An iRule probably wouldn't be the right tool to run the script. You could create a script and call it from cron though. Or here's an iControl example form George Watkins:

     

     

    http://devcentral.f5.com/wiki/iControl.SSLCertificateReport.ashx

     

     

    Aaron
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jan 13, 2012
    i think it could be possible. for example, irule may inject message to log which can trigger alertd to run script and send email notification.

     

     

    anyway, do you know by default there is checkcert script?

     

     

    sol7574: Monitoring SSL certificate expiration on the BIG-IP system

     

    http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7574.html
  • r23_78178's avatar
    r23_78178
    Icon for Nimbostratus rankNimbostratus
    Jan 13, 2012
    But "checkcert" only warns of 30 days (1 month) , I need 2-3 months.

     

    Can it be configured ?
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jan 13, 2012
    Can it be configured ?the number of day is not configurable. is external script like the one below useful?

     

     

    Proactively Handling Certificate Expiration With ssl-cert-check

     

    http://prefetch.net/articles/checkcertificate.html
  • r23_78178's avatar
    r23_78178
    Icon for Nimbostratus rankNimbostratus
    Jan 13, 2012
    BTW - that example from George Watkins uses Ruby. Not sure if I would get client approval for that.But I will take a look and try to ask as I go along.If you know of any other examples please let me know.
  • r23_78178's avatar
    r23_78178
    Icon for Nimbostratus rankNimbostratus
    Jan 13, 2012
    @nitass

     

     

    for example, irule may inject message to log which can trigger alertd to run script and send email notification.

     

     

    If you know a good example of this please provide , I may end up hybridizing the two rules together.
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Jan 13, 2012
    i do not have exact example but hope these might be useful.

     

     

    log wiki (to inject message to log)

     

    http://devcentral.f5.com/wiki/iRules.log.ashx

     

     

    Acton on Log - using the alertd deamon (to run script based on log)

     

    http://devcentral.f5.com/wiki/AdvDesignConfig.Acton-on-Log-using-the-alertd-deamon.ashx