Monitor SSL Certificates w/ CheckMK's Agents

February 5, 2025·Tyler Rasmussen

Let’s Encrypt recently sent out a notification indicating that they will no longer be sending email notifications when a certificate is near expiration. For most services this isn’t an issue, as I’ve been using CheckMK’s SSL Certificate Check to monitor any certificate directly reachable by CheckMK itself.

But what about services which require an SSL certificate that is not exposed externally? Or the service is exposed externally, but you’d prefer not to allow CheckMK direct access to the requisite port just for the sake of monitoring.

Thankfully, I ran across the sslcertificates plugin graciously written and provided by Heinlein Support. Using this plugin, I could have the CheckMK agent installed directly on each host check the certificate and report back the status of the certificate(s).

Here is the installation procedure I followed.

Install CheckMK Extension

Log on to your CheckMK server and browse to the root of your CheckMK site.

ℹ️ You can determine the Site Name by looking at the URL when logged into CheckMK. For example, given the URL: https://checkmk.twobyte.blog/cmksite, the site name would be cmksite.

cd /opt/omd/sites/[SITE NAME]

Download the sslcertificates plugin.

wget https://github.com/HeinleinSupport/check_mk_extensions/raw/cmk2.2/sslcertificates/sslcertificates-8.8.0.mkp

Log into OMD, connecting to your site.

sudo omd su [SITE NAME]

Install the plugin and enable it within CheckMK.

mkp add sslcertificates-8.8.0.mkp
mkp enable sslcertificates

Delete the plugin file as it's no longer needed.

rm sslcertificates-8.8.0.mkp

Install Agent Plugin

Install the respective script onto each host’s plugins directory. Heinlein Support provides a script to cover both Windows and Linux hosts.

Copy the sslcertificates.ps1 script into C:\ProgramData\checkmk\agent\plugins.
Copy the sslcertificate.sh script into /usr/lib/check_mk_agent/local/.

ℹ️ Check CheckMK’s documentation for the plugin location for other OSes.

Service Discovery

Back on CheckMK (via web browser):

  1. Browse to Setup >> Service monitoring rules >> Parameters for SSL certificates.
  2. Create a new rule with your preferred settings for monitoring SSL certificates.

SSL Certificate Parameters

  3. Lastly, under Setup >> Hosts, run a Service Discovery on the affected hosts. Accept the new SSL Certificate service, which will appear as an unmonitored service.
  4. Activate the changes.

That's it! Looking at one of our hosts, we now see the SSL certificate(s) being monitored via the CheckMK agent.

SSL Certificate Service
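
To illustrate what an agent-side certificate check amounts to, here is a minimal CheckMK local check that reads certificate files on the host and reports the days left. It is an added example, not Heinlein Support's plugin and not code from the original post; `CERT_FILES`, the thresholds and the service naming are assumptions.

```shell
#!/bin/sh
# Added example: a minimal CheckMK local check for certificate files that are
# only readable on the host itself. Not Heinlein Support's plugin.
# Assumptions: CERT_FILES and the WARN/CRIT thresholds are placeholders;
# needs openssl and GNU date on the host.
CERT_FILES=${CERT_FILES:-}      # space-separated PEM paths (assumed)
WARN_DAYS=${WARN_DAYS:-30}      # WARN below this many days (assumed)
CRIT_DAYS=${CRIT_DAYS:-7}       # CRIT below this many days (assumed)

# Print the certificate's notAfter time as epoch seconds.
cert_not_after_epoch() {
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null) || return 1
    date -u -d "${end#notAfter=}" +%s
}

# Print one local-check line: <state> "<service name>" <metric> <detail>
# usage: cert_status_line NAME NOT_AFTER_EPOCH NOW_EPOCH
cert_status_line() {
    secs=$(( $2 - $3 ))
    days=$(( secs / 86400 ))
    if [ "$secs" -le 0 ]; then
        state=2; detail="certificate EXPIRED"
    elif [ "$days" -lt "$CRIT_DAYS" ]; then
        state=2; detail="expires in $days days"
    elif [ "$days" -lt "$WARN_DAYS" ]; then
        state=1; detail="expires in $days days"
    else
        state=0; detail="expires in $days days"
    fi
    printf '%s "SSL cert %s" days_left=%s %s\n' "$state" "$1" "$days" "$detail"
}

# Check every configured file; state 3 (UNKNOWN) if it cannot be parsed.
for cert in $CERT_FILES; do
    name=$(basename "$cert")
    if epoch=$(cert_not_after_epoch "$cert"); then
        cert_status_line "$name" "$epoch" "$(date +%s)"
    else
        printf '3 "SSL cert %s" - cannot read certificate\n' "$name"
    fi
done
```

Because the agent runs the check locally and only ships the resulting status line, the certificate's port never has to be reachable from the CheckMK server.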