It is good practice to separate Nagios checks of your web server being available from checking SSL certificate expiry. The latter need only be run once per day and should not add unnecessary noise to a more immediately important web service failure.
To use check_http to monitor SSL certificate expiry dates, first ensure you have a daily service definition – let’s call this service-daily. Now create two service commands as follows:
define command{
command_name check_cert
command_line /usr/lib/nagios/plugins/check_http -S \
-I $HOSTADDRESS$ -w 5 -c 10 -p $ARG1$ -C $ARG2$
}
define command{
command_name check_named_cert
command_line /usr/lib/nagios/plugins/check_http -S \
-I $ARG3$ -w 5 -c 10 -p $ARG1$ -C $ARG2$
}
The second is useful for checking named certificates on additional IP addresses on web servers serving multiple SSL domains.
We can use these to check SSL certificates for POP3, IMAP, SMTP and HTTP:
define service{
use service-daily
host_name mailserver
service_description POP3 SSL Certificate
check_command check_cert!993!21
}
define service{
use service-daily
host_name mailserver
service_description IMAP SSL Certificate
check_command check_cert!995!21
}
define service{
use service-daily
host_name mailserver
service_description SMPT SSL Certificate
check_command check_cert!465!21
}
define service{
use service-daily
host_name webserver
service_description SSL Cert: www.example.com
check_command check_named_cert!443!21!www.example.com
}
define service{
use service-daily
host_name webserver
service_description SSL Cert: www.example.net
check_command check_named_cert!443!21!www.example.net
}