Certificate Monitoring and Alerts

Certificate Monitoring and Alerts

Automated monitoring detects certificate issues before an expired certificate or a configuration problem affects users. Implement multiple monitoring layers for comprehensive coverage.

Monitoring setup:

#!/bin/bash
# Certificate expiration monitoring script

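#######################################
# Check how many days remain before a server's TLS certificate expires.
#
# Only the notAfter date of the certificate the server presents is read;
# no chain or hostname validation is requested from s_client here, so a
# passing result says nothing about whether clients will trust the cert.
#
# Arguments:
#   $1 - host name to connect to (also sent as SNI)
#   $2 - TCP port (default 443)
#   $3 - warning threshold in days (default 30)
# Outputs:
#   WARNING line on stdout when the threshold is crossed;
#   UNKNOWN line on stderr when the check itself could not be completed.
# Returns:
#   0 - certificate valid for at least $3 more days
#   1 - certificate expires in fewer than $3 days (or has already expired)
#   3 - expiry could not be determined (bad threshold, connection or parse
#       failure); callers should treat this as an alert, not as OK
#######################################
check_cert_expiry() {
    local domain=$1
    local port=${2:-443}
    local warning_days=${3:-30}
    # Keep working variables local so repeated calls cannot see stale values.
    local expiry_date expiry_epoch current_epoch days_left

    # A non-numeric threshold would make the comparison below error out and
    # fall through to "return 0", i.e. report a healthy certificate.
    if ! [ "$warning_days" -eq "$warning_days" ] 2>/dev/null; then
        echo "UNKNOWN: warning threshold '$warning_days' is not an integer" >&2
        return 3
    fi

    # stdin from /dev/null lets s_client exit once the handshake is done.
    # NOTE: there is no connect timeout here; wrap the script in timeout(1)
    # or similar if an unresponsive host must not stall the whole run.
    expiry_date=$(openssl s_client -servername "$domain" -connect "$domain:$port" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null \
        | cut -d= -f2)

    # No date means the connection or the certificate parse failed. Report
    # that explicitly instead of computing a bogus "days left" value.
    if [ -z "$expiry_date" ]; then
        echo "UNKNOWN: could not retrieve certificate for $domain:$port" >&2
        return 3
    fi

    # date -d is GNU date syntax.
    if ! expiry_epoch=$(date -d "$expiry_date" +%s 2>/dev/null); then
        echo "UNKNOWN: could not parse expiry date '$expiry_date' for $domain" >&2
        return 3
    fi
    current_epoch=$(date +%s)
    days_left=$(( (expiry_epoch - current_epoch) / 86400 ))

    if [ "$days_left" -lt "$warning_days" ]; then
        echo "WARNING: $domain certificate expires in $days_left days"
        return 1
    fi
    return 0
}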

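# Monitor multiple domains
domains=(example.com api.example.com secure.example.com)
# Placeholder address: replace with the mailbox that should receive alerts.
alert_recipient="admin@example.com"

for domain in "${domains[@]}"; do
    # Any non-zero status raises an alert. That can also mean the check could
    # not be completed (host unreachable, no certificate returned), so treat
    # the mail as "needs attention" rather than strictly "expiring".
    if ! check_cert_expiry "$domain" 443 30; then
        # Send alert; a failed send is reported so a broken mail path does
        # not silently swallow the warning.
        if ! mail -s "Certificate expiration warning: $domain" "$alert_recipient" <<< "Certificate for $domain expires soon"; then
            echo "ERROR: failed to send certificate alert for $domain" >&2
        fi
    fi
done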

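# Integration with monitoring systems
# Nagios/Icinga plugin example
# Writes the plugin skeleton to the Nagios plugin directory (needs write
# access there). The quoted 'EOF' keeps the body literal, so nothing is
# expanded at install time. The certificate check itself is elided below and
# must set days_left before the threshold comparison runs.
cat > /usr/lib/nagios/plugins/check_ssl_cert <<'EOF'
#!/bin/bash
# Nagios plugin for SSL certificate monitoring
# Returns: 0=OK, 1=WARNING, 2=CRITICAL, 3=UNKNOWN

DOMAIN=$1
WARNING_DAYS=${2:-30}
CRITICAL_DAYS=${3:-7}

if [ -z "$DOMAIN" ]; then
    echo "UNKNOWN: usage: check_ssl_cert DOMAIN [WARNING_DAYS] [CRITICAL_DAYS]"
    exit 3
fi

# ... (certificate check logic)

# Fail closed: if the check logic did not produce an integer (connection
# failure, unparsable date), report UNKNOWN. Without this guard both numeric
# tests below error out and the plugin falls through to "OK".
if ! [ "$days_left" -eq "$days_left" ] 2>/dev/null; then
    echo "UNKNOWN: could not determine certificate expiry for $DOMAIN"
    exit 3
fi

if [ "$days_left" -lt "$CRITICAL_DAYS" ]; then
    echo "CRITICAL: Certificate expires in $days_left days"
    exit 2
elif [ "$days_left" -lt "$WARNING_DAYS" ]; then
    echo "WARNING: Certificate expires in $days_left days"
    exit 1
else
    echo "OK: Certificate valid for $days_left days"
    exit 0
fi
EOF
# The monitoring daemon executes the plugin directly, so it must be executable.
chmod 0755 /usr/lib/nagios/plugins/check_ssl_cert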