Numerous updates to the SSL certificate expiration program

With the help of various contributors, I’ve integrated some new features and a number of bug fixes to ssl-cert-check over the past couple of months. If you aren’t familiar with this tool, it’s a bash script that you can use to notify you prior to your certificates expiring. You can read more about the script by surfing over to the ssl-cert-check documentation page.

Updated version of content-check

After finishing the first version of content-check, I thought about a few additional features I wanted to add. One feature was the ability to include arbitrary HTTP headers in requests, and a second feature was the ability to selectively generate email, syslog entries or logfiles entries per site. After pondering the best way to add these capabilities, I decided to rewrite content-check in Perl. The new version works similarly to the old version, but the structure of the configuration file is different.

The configuration file now contains one or more configuration stanzas, and each configuration stanza contains a site definition. Each site definition starts with a description enclosed in brackets, followed by one or more key-value pairs. Here is the site definition file I use to monitor prefetch.net:

$ cat sites.cfg

# Monitor static content
[site pair_static]
    url      = http://prefetch.net/index.html
    checksum = 955abe0f861480103b59f464d6037b3febd6c89c
    header   = "Host: prefetch.net"
    logfile  = /var/log/content-check/pair
    syslog   = yes
    email   = sysadmin@prefetch.net

# Monitor the PHP engine / MySQL Database
[site pair_dynamic]
    url      = http://prefetch.net/test.php
    checksum = 0e61ac076628741cfc4d4828b1cc905e5e6e86b9
    header   = "Host: prefetch.net"
    logfile  = /var/log/content-check/pair
    syslog   = yes
    email   = sysadmin@prefetch.net

To generate the checksum for a specific URL, you can run content-check.pl with the “-g” option:

$ content-check.pl -g http://prefetch.net/index.html
Checksum for http://prefetch.net/index.html is: 955abe0f861480103b59f464d6037b3febd6c89c

Once the configuration file is created, content-check.pl can be run with the “-c” option, and the name of the configuration file:

$ content-check.pl -c sites.cfg

If the script finds a site whose current checksum does not match the stored checksum, it will send an email, generate a syslog entry, or create a generic logfile entry similar to the following:

Content-check detected a problem with http://prefetch.net/index.html:
    Site definition: prefetch_static
    Date: Sun Dec 17 21:40:03 2006
    URL: http://prefetch.net/index.html
    Precomputed checksum: 955abe0f861480103b59f464d6037b3febd6c89c
    Current checksum: da39a3ee5e6b4b0d3255bfef95601890afd80709
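To show how the stanza format, the stored checksum and the alert layout fit together, here is an added Python example (not content-check.pl itself). It assumes the checksum is SHA-1: the 40 hex characters fit, and the "Current checksum" in the sample alert is the SHA-1 of an empty body, which is what a blank or error page would hash to. The stanza text and the page bodies are constructed for the example.

```python
import hashlib
import re
from datetime import datetime
# Constructed sample in the sites.cfg format: "[site NAME]" then indented key = value pairs.
SITES_CFG = """
# Monitor static content
[site pair_static]
    url      = http://prefetch.net/index.html
    checksum = 955abe0f861480103b59f464d6037b3febd6c89c
    header   = "Host: prefetch.net"
    syslog   = yes
    email    = sysadmin@prefetch.net
"""

def parse_sites(text):
    """Return {site_name: {key: value}} from a content-check style config."""
    sites, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[site\s+(\S+)\]$", line)
        if m:
            current = sites.setdefault(m.group(1), {})
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError("key/value outside a [site] stanza: %r" % raw)
        current[key.strip()] = value.strip().strip('"')
    return sites

def checksum(body):
    """40-hex checksum as in sites.cfg; assumed SHA-1 (the sample alert's empty-page value is SHA-1(""))."""
    return hashlib.sha1(body).hexdigest()

def check_site(name, site, body, now=None):
    """None if the body matches the stored checksum, else the alert text in content-check's layout."""
    current = checksum(body)
    if current == site["checksum"]:
        return None
    stamp = (now or datetime.now()).strftime("%a %b %d %H:%M:%S %Y")
    return "\n".join([
        "Content-check detected a problem with %s:" % site["url"],
        "    Site definition: %s" % name,
        "    Date: %s" % stamp,
        "    URL: %s" % site["url"],
        "    Precomputed checksum: %s" % site["checksum"],
        "    Current checksum: %s" % current,
    ])
```

Note that a checksum comparison catches any byte-level change, so a legitimate content update must be followed by regenerating the stored checksum, or every later run will alert.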

I find this script useful for monitoring the web infrastructure I support, and the new version was fun to write (this was the first time I mucked with Perl references). Shibby!

Measuring website latency with http_ping

A year or so ago, I modified my ldap-ping.pl script to create a script (http-ping.pl) that would measure the time it took to retrieve a specific URI from a web server. While scouring the OpenBSD ports collection for website monitoring tools, I came across http_ping. This is a great tool for measuring the time it takes to retrieve a URI, and is a far superior tool to the one I wrote. Here is an example of http_ping in action:

$ http_ping http://prefetch.net/

6220 bytes from http://prefetch.net/: 290.232 ms (79.652c/89.816r/120.764d)
6220 bytes from http://prefetch.net/: 281.06 ms (70.564c/90.036r/120.46d)
6220 bytes from http://prefetch.net/: 281.274 ms (70.968c/89.61r/120.696d)
6220 bytes from http://prefetch.net/: 290.858 ms (80.459c/89.81r/120.589d)
^C
--- http://prefetch.net/ http_ping statistics ---
4 fetches started, 4 completed (100%), 0 failures (0%), 0 timeouts (0%)
total    min/avg/max = 281.06/285.856/290.858 ms
connect  min/avg/max = 70.564/75.4108/80.459 ms
response min/avg/max = 89.61/89.818/90.036 ms
data     min/avg/max = 120.46/120.627/120.764 ms
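The per-fetch lines pack three timings into the parentheses (c, r and d), which the closing statistics break out as the connect, response and data phases. The following added Python example (not part of http_ping) parses a constructed copy of that output, recomputes the min/avg/max lines, and flags fetches whose connect phase crosses a threshold, which is the kind of trend a monitoring job would want to watch.

```python
import re

# Constructed sample of http_ping output, same shape as the session above.
HTTP_PING_OUTPUT = """\
6220 bytes from http://prefetch.net/: 290.232 ms (79.652c/89.816r/120.764d)
6220 bytes from http://prefetch.net/: 281.06 ms (70.564c/90.036r/120.46d)
6220 bytes from http://prefetch.net/: 281.274 ms (70.968c/89.61r/120.696d)
6220 bytes from http://prefetch.net/: 290.858 ms (80.459c/89.81r/120.589d)
"""

LINE_RE = re.compile(
    r"^(?P<bytes>\d+) bytes from (?P<url>\S+): (?P<total>[\d.]+) ms "
    r"\((?P<connect>[\d.]+)c/(?P<response>[\d.]+)r/(?P<data>[\d.]+)d\)$"
)

def parse_http_ping(text):
    """One dict per fetch line: bytes, url and the four timings in ms.
    The c/r/d fields are the connect, response and data phases that
    http_ping also summarises at the end of a run."""
    fetches = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip the ^C line and the statistics block
        d = m.groupdict()
        fetches.append({
            "bytes": int(d["bytes"]), "url": d["url"],
            **{k: float(d[k]) for k in ("total", "connect", "response", "data")},
        })
    return fetches

def summarize(fetches):
    """(min, avg, max) per phase, matching http_ping's closing statistics lines."""
    stats = {}
    for phase in ("total", "connect", "response", "data"):
        vals = [f[phase] for f in fetches]
        stats[phase] = (min(vals), sum(vals) / len(vals), max(vals))
    return stats

def slow_fetches(fetches, phase, threshold_ms):
    """Fetches whose given phase exceeds threshold_ms; a rising connect
    time is an early sign of an overloaded or degraded server."""
    return [f for f in fetches if f[phase] > threshold_ms]
```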

There are all kinds of nifty pieces of software stashed away in the OpenBSD ports collection, and I am on a mission to locate and blog about each and every one of them! :)

New version of ssl-cert-check

I received a nifty patch from Ken Gallo to allow ssl-cert-check to report when certificates stored in a PKCS#12 database will expire. This is super useful, especially if you are managing iPlanet/SunONE/Netscape products. If you haven’t used ssl-cert-check before, it’s a Bourne shell script that can be used to alert you prior to a certificate expiring. The script is available on prefetch.net, and is documented in the article proactively handling SSL certificate expiration. Thanks Ken for the awesome patch!

Opensource rocks!

I received two more awesome patches for ssl-cert-check. Ken Gallo sent me a patch to allow ssl-cert-check to process certificates stored in PKCS#12 databases, and I am hoping to integrate his changes this upcoming weekend. Quanah Gibson-Mount sent me a patch that adds nagios support to ssl-cert-check, and also adjusts the default binary locations to work on more systems out of the box. Since numerous people are contributing patches to make opensource solutions better, I truly do think opensource is the way to go (I think closed source solutions have value as well)! With opensource solutions, you have access to the source, you can change things to suit your needs, and the changes you make will most likely benefit lots of people. You can download the new version of ssl-cert-check from my website, and I would like to thank Quanah and Ken for their awesome contributions!

New version of ssl-cert-check

I got a couple of patches for ssl-cert-check, and released version 3.4 to my website. The patches address a couple of annoying bugs, and I changed the global binary paths to work by default on BSD and Solaris systems. If you haven’t used ssl-cert-check before, you can check out my article Proactively handling SSL certificate expiration with ssl-cert-check to see what it does.