Forum Discussion
Kevin_Leicht_51
Nimbostratus
NimbostratusSSL Expiry Notification
Hello,
We're running LTM 11.2.0 and would like to be notified when an SSL certificate is going to expire; ideally a month or so in advance. In previous version of LTM, this was written to the ltm log and could be alerted via SNMP, etc. (http://support.f5.com/kb/en-us/solutions/public/7000/500/sol7574.html?sr=25681694) However, it looks like that functionality has gone away in 11.2. There is a tmos command that will do the trick, but it's not scheduled. (tmsh sys crypto run check-cert). I'm sure I should know how to do this, but is there a way to schedule this so that it runs weekly and we get notified about SSL certificates expiring?
7 Replies
What_Lies_Bene1Cirrostratus
You could create a cron job to run the command weekly. Post back if you need help with setting it up.- What_Lies_Bene1Also, I think an SNMP trap is still generated.
Kevin_Leicht_51Thanks for that. I'll see if I can figure out setting up a cron job and if not, I'll post back. I believe you're right about SNMP, but we're using remote syslog and generating alerts from that, so would prefer to grab it out of the log. Cheers,- Kevin_Leicht_51I'm hoping that this is the crontab format to run a the tmsh command weekly on Monday morning:
0 9 * * 1 tmsh run sys crypto check-cert - What_Lies_Bene1Looks good to me. Have you confirmed the command generates log entries? If it doesn't you'll need to redirect the output to somewhere?
- Kevin_Leicht_51Yep, as long as there's a cert within 30 days of expiry, it writes an entry to the log, so I'm good to go, thanks. If there aren't any certificates expiring within the 30 day window, it doesn't write any output. The challenge for me was, as always, remembering how vi works.
Cheers, Kevin - What_Lies_Bene1I'll make a note for future reference. One last thing, I think the best way to edit cron is using the crontab -e command. Cheers
