Monitoring SSL Certificates Expiration with Nagios XI

Introduction

SSL certificates play a crucial role in securing websites and applications by encrypting communication. Expired SSL certificates can lead to security warnings, service disruptions, and loss of trust from users. Nagios XI provides a reliable way to monitor SSL certificates and ensure they are renewed before expiration. This guide will walk you through setting up SSL certificate expiration monitoring in Nagios XI.

Why Monitor SSL Certificate Expiration?

• Avoid Service Interruptions – Prevent downtime due to expired certificates.
• Enhance Security – Ensure continued encryption and protection.
• Maintain Compliance – Meet security standards and best practices.
• Automate Monitoring – Receive alerts before certificates expire.

Setting Up SSL Certificate Expiration Monitoring

Nagios XI uses plugins to check SSL certificate validity. The check_ssl_certificate plugin can help monitor expiration dates and send alerts.

Step 1: Install the Required Plugin

Nagios XI supports various plugins, and the check_ssl_cert plugin is commonly used.

Installing check_ssl_cert

cd /usr/local/nagios/libexec
wget https://raw.githubusercontent.com/matteocorti/check_ssl_cert/master/check_ssl_cert
chmod +x check_ssl_cert

Step 2: Create a New Command in Nagios XI

• Log in to Nagios XI and navigate to Configure > Core Config Manager.
• Go to Commands and click Add New Command.
• Configure the command as follows:
  • Command Name:

check_ssl_certificate

• Command Line:

$USER1$/check_ssl_cert -H $ARG1$ -w $ARG2$ -c $ARG3$

• Description: Monitors SSL certificate expiration.
• Click Save and Apply Configuration.

Step 3: Add a New Service to Monitor SSL Expiration

1. Go to Configure > Core Config Manager > Services.
2. Click Add New Service.
3. Configure the service:
   • Host: Select the target website or server.
   • Check Command: check_ssl_certificate.
   • Arguments:
     • $ARG1$ – The domain name (e.g., example.com).
     • $ARG2$ – Warning threshold in days (e.g., 30 for 30 days before expiration).
     • $ARG3$ – Critical threshold in days (e.g., 15 for critical alerts within 15 days).
   • Check Interval: Set the frequency of checks.
   • Click Save and Apply Configuration.

Step 4: Test the SSL Monitoring Setup

After configuration, force a check in Nagios XI:

/usr/local/nagios/libexec/check_ssl_cert -H example.com -w 30 -c 15

If the certificate is valid, the output should indicate the number of days remaining before expiration.

Step 5: Configure Notifications and Alerts

1. Go to Configure > Notification Preferences.
2. Enable email or SMS notifications.
3. Set up escalation rules to alert different teams as the expiration date nears.

Conclusion

Monitoring SSL certificates with Nagios XI ensures your website and applications remain secure and accessible. By setting up automated checks and alerts, you can avoid expired SSL issues and maintain continuous encryption. Regularly review your SSL monitoring setup to ensure effectiveness and compliance with security best practices.