CheckMk F5 Certificate Expiration using SNMP

Problem this snippet solves:

The default checks provided by CheckMK do not monitor traffic certificate expiration. I wrote a custom check that discovers the certificates installed on the F5 and monitors their expiration dates. The thresholds default to 30 days for warning and 10 days for critical and can be modified. The default certificates ('/Common/default.crt','/Common/f5-irule.crt','/Common/ca-bundle.crt','/Common/f5-ca-bundle.crt') are all ignored.

How to use this snippet:


Code :

#!/usr/bin/python
# -*- encoding: utf-8; py-indent-offset: 4 -*-
# +------------------------------------------------------------------+
# |             ____ _               _        __  __ _  __           |
# |            / ___| |__   ___  ___| | __   |  \/  | |/ /           |
# |           | |   | '_ \ / _ \/ __| |/ /   | |\/| | ' /            |
# |           | |___| | | |  __/ (__|   <    | |  | | . \            |
# |            \____|_| |_|\___|\___|_|\_\___|_|  |_|_|\_\           |
# |                                                                  |
# | Copyright Mathias Kettner 2017             mk@mathias-kettner.de |
# +------------------------------------------------------------------+
#
# This file is part of Check_MK.
# The official homepage is at http://mathias-kettner.de/check_mk.
#
# check_mk is free software;  you can redistribute it and/or modify it
# under the  terms of the  GNU General Public License  as published by
# the Free Software Foundation in version 2.  check_mk is  distributed
# in the hope that it will be useful, but WITHOUT ANY WARRANTY;  with-
# out even the implied warranty of  MERCHANTABILITY  or  FITNESS FOR A
# PARTICULAR PURPOSE. See the  GNU General Public License for more de-
# tails. You should have  received  a copy of the  GNU  General Public
# License along with GNU Make; see the file  COPYING.  If  not,  write
# to the Free Software Foundation, Inc., 51 Franklin St,  Fifth Floor,
# Boston, MA 02110-1301 USA.

## Custom check for F5 certificate expiration
## Author: Shaun Pillé
## Contact: shaun.pille@gmail.com
## Version 0.2


import time

#define warning and critical thresholds in days
custom_warn = 30
custom_crit = 10
#default parameters: the same thresholds converted to seconds [warn, crit]
cert_thresholds = [(custom_warn * 86400), (custom_crit * 86400)]

#inventory all certificates installed on the F5, skipping the default ones
def inventory_f5_bigip_certs(info):
    ignore_list = set(['/Common/default.crt','/Common/f5-irule.crt','/Common/ca-bundle.crt','/Common/f5-ca-bundle.crt'])
    for certname, fulldate, epochdate in info:
        if certname not in ignore_list:
            #Check_MK resolves the quoted variable name to the default parameters
            yield certname, "cert_thresholds"

#check the expiration dates and return crit, warn, ok based on defined thresholds
def check_f5_bigip_certs(item, params, info):
    cert_warn, cert_crit = params
    #read the clock on every check run; a value set once at import time
    #goes stale when the check module stays loaded between runs
    currdate = int(time.time())
    for certname, fulldate, epochdate in info:
        if certname == item:
            #seconds until expiration (negative once the certificate has expired)
            remaining = int(epochdate) - currdate
            expires = remaining // 86400
            if remaining < cert_crit:
                state = 2
            elif remaining <= cert_warn:
                state = 1
            else:
                state = 0

            infotext = "Valid for %d days" % expires

            if state > 0:
                infotext += " (warn/crit below %d/%d)" % (cert_warn // 86400, cert_crit // 86400)

            #performance data is in days, so report the thresholds in days as well
            yield state, infotext, [("daysleft", expires, cert_warn // 86400, cert_crit // 86400)]

#checkdata to pull matching SNMP strings
check_info["f5_bigip_certs"] = {
    "check_function"        : check_f5_bigip_certs,
    "inventory_function"    : inventory_f5_bigip_certs,
    "service_description"   : "Certificate Expiration %s",
    "snmp_info"             : ( ".1.3.6.1.4.1.3375.2.1.15.1.2.1", [ 1,4,5 ] )
}

Tested this on version:

No Version Found
Published Sep 12, 2020
Version 1.0
