Monitor OpenVPN Certificate expiration dates
I'm trying to find info on how to in CLI to check the expiration date of the OpenVPN certificates so that i can do a simple plugin for nagios to alert me when there is only 1 week left on the cert.
or do i need to use the UI to fetch this info?
The user certificates are not stored on the filesystem in an easily readable format. They are kept in the config.xml but they are base64 encoded there.
If the CA and server certificates are in use by OpenVPN or IPsec they can be found in /var/etc/openvpn/ or /var/etc/ipsec/ with the name varying depending on the exact instance and its usage.
Otherwise you'll need something to loop through the certs in the config, decode them, and check the dates. Not terribly difficult but not something we have a command-line script for at the moment
sweet, thx!! made my day :)
You can monitor OpenVPN server certificate with the following Nagios plugin, https://github.com/matteocorti/check_ssl_cert using a command like the following:
check_ssl_cert -H localhost -f /etc/openvpn/server/server.crt -w 15 -c 7
Just note that you will require to send a passive check result to Nagios as the check is being performed in the OpenVPN server itself.