Monitoring SSL Certificate Expiry With vRealize Operations

vROps is my go-to tool for monitoring all things on-premises and cloud. With native support for vSphere, AWS, Azure and GCP, the solution has developed into a true multi-cloud operations and monitoring tool.

vRealize Operations is one of VMware's fastest-developing tools, with releases every few months to keep up with the challenges around cloud management.

One powerful feature that’s available in all current versions is the ability to use scripts to import data into vROps. This means that if a particular solution isn’t supported in vROps, you can add the functionality yourself with a quick script.

We all know the pain of SSL certificate expiry and tracking these can often mean relying on a calendar or spreadsheet. If this is the case for you, read on!

Installing the Agent

The agent only needs to be installed on one server, which must have network access to the servers whose SSL certificates you want to monitor.

I am going to be checking SSL certificates of servers on the internet and a few internal ones on the same network, and I have a server in mind which has access to both.

  • Before we can get this working, we need to install the agent. Previously this was the EP OPS agent, but the latest release (8.1 and possibly earlier releases) supports the Telegraf agent for remote scripting, which can be installed, uninstalled and upgraded directly from vROps.
  • Follow my previous guide to get the Application Remote Collector deployed and the Telegraf agent installed on your Windows monitoring server: https://virtualg.uk/vrops-7-5-setting-up-the-new-telegraf-application-monitoring-feature/
  • Once the Telegraf agent is installed (end of stage 6), continue below.

Deploying the SSL check script

We want to write a script that accepts a parameter (the server to check the SSL expiry of) and returns a single result (the number of days until the certificate expires).

I have written a sample script below in PowerShell, but you may want to modify it for your own requirements.

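# Accept every certificate for this PowerShell process so that expired,
# self-signed or name-mismatched certificates can still be read and reported.
# This switches off certificate validation process-wide, so keep it confined
# to this dedicated check script.
Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

# Offer old and current protocol versions so that legacy endpoints can still be checked
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Ssl3, [Net.SecurityProtocolType]::Tls, [Net.SecurityProtocolType]::Tls11, [Net.SecurityProtocolType]::Tls12

# The URL to check, for example https://virtualg.uk
$Website = $args[0]

try {
    $WebRequest = [Net.HttpWebRequest]::Create($Website)
    $WebRequest.Timeout = 5000
    $WebRequest.GetResponse() | Out-Null
    # Read the expiry as a DateTime (NotAfter) rather than parsing the string from
    # GetExpirationDateString(), whose format follows the machine's regional settings
    $SSLCertificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($WebRequest.ServicePoint.Certificate)
    $SSLCertificateDateTime = $SSLCertificate.NotAfter
    $SSLCertificateDaysRemaining = ($SSLCertificateDateTime - $(Get-Date)).Days
    # vROps expects a single value on the output
    Write-Host $SSLCertificateDaysRemaining
}
catch {
    Write-Host "ERROR|$error"
}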

  • Copy the script to the monitoring server, for example: C:\Scripts\vrops-ssl-check.ps1
  • Test that it runs correctly

You can see that the SSL certificate of this blog, https://virtualg.uk expires in 194 days.
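
A variant of the check, added here as an example and not the author's script: it accepts any certificate only on the one connection it opens, rather than for the whole PowerShell process, and reads the expiry from the certificate's NotAfter field, so the result does not depend on the monitoring server's regional date format. It takes a host name and an optional port instead of a URL, which also lets it check TLS services that are not HTTPS; the file name vrops-tls-check.ps1 and the parameter names are assumptions.

```powershell
# Added example, not the author's script.
# Usage (file name is an assumption): .\vrops-tls-check.ps1 virtualg.uk 443
param(
    [Parameter(Mandatory = $true)][string]$HostName,
    [int]$Port = 443
)

$client = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    # Bound the TCP connect so an unreachable host cannot stall the collector
    if (-not $client.ConnectAsync($HostName, $Port).Wait(5000)) {
        throw "Timed out connecting to ${HostName}:$Port"
    }

    # Accept any certificate on THIS stream only, so expired or self-signed
    # certificates can still be measured. Nothing is changed on
    # ServicePointManager, so other code in the process keeps validating.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)

    # Sends $HostName as the TLS server name (SNI) and uses the
    # framework's default protocol versions
    $ssl.AuthenticateAsClient($HostName)

    # NotAfter is a DateTime in local time: no string parsing, no culture dependency
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $daysRemaining = ($cert.NotAfter - (Get-Date)).Days

    # Single value for vROps; negative once the certificate has expired
    Write-Host $daysRemaining
}
catch {
    Write-Host "ERROR|$($_.Exception.Message)"
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Close()
}
```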

Configuring vRealize Operations

  • Login to vROps and navigate to Administration > Inventory > Manage Agents
  • Highlight the agent which has the script installed
  • Use the drop-down icon to select the custom script option:

Enable the instance and enter the required information:

  • Remember to save once complete.
  • Also, note that you can create multiple custom instances here. You can use the same script but change the args to reflect other servers which you need to check.
  • You can monitor the custom script status in the Manage Agents tab by selecting the monitoring VM and clicking Custom Script

Locating the data in vROps

Now that the script is executing, we need to see where the data is in vROps.

  • Navigate to Environment > All Objects
  • VMware vRealize Application Management > Custom Script > Custom Script
  • On the right panel, expand All Metrics > Scripts
  • Your script will show as a metric which you can open and see the historic reporting data
  • If you have configured multiple scripts, they will all show here as separate items

  • As time passes, the number of days until expiry will decrease and the plotted lines on the chart will reflect this.

Creating a vROps Alert

As we can now see the data in vROps, let’s make an alert to trigger should the number of days fall below 30. This will give us plenty of time to act and replace the SSL certificates.

Alerts are created in 2 steps. First, we need a Symptom, then a corresponding alert for that symptom.

Creating a custom vROps Symptom Definition

  • Within vROps, navigate to Alerts > Configuration > Symptom Definitions
  • Ensure you are on the Metric / Property tab and select Add
  • On the right panel, enter Custom Script as the Base Object Type
  • Enter Metrics as the Symptom Type
  • When selecting the object, expand Scripts and double click the script to create the symptom for
  • You’ll see the custom script object on the left pane
  • Modify the settings as needed:

You can create a symptom for each trigger type, for example Warning & Critical at different levels.

You can also create a Symptom Definition for each SSL certificate you are checking (provided you created the custom script object for each one earlier).

  • Save the Symptom Definition

Creating a custom vROps Alert Definition

  • With the Symptom Definition created, navigate to Alerts > Configuration > Alert Definitions > Add
  • Enter the Alert Name, Description and Base Object Type:

  • Next
  • For the Symptoms, use the search on the far right, search for the custom script name, for example: SSL
  • Drag each symptom into the left pane as required
  • The alert can have more than one symptom. If you add more than one, ensure you use the correct logic at the top of the page. You will likely want the alert to trigger if ANY of the symptoms are triggered, rather than all.

  • Select the Create button to build the alert

Next Steps

From here you can use all the built-in tools such as scheduled Reports, Views and Dashboards to manage and alert on the SSL Certificate expiry dates.

I have created a simple dashboard and uploaded it to the VMware Sample Exchange. It is nothing special but might save you a few minutes. (If you have any cool ideas for the dashboard, let me know and I’ll update the one on the Sample Exchange.)

Configuring the SSL Certificate Expiry Dashboard

Once you have downloaded the dashboard from Solutions Exchange:

  • Open the Dashboard
  • Actions > Edit
  • Select the SSL Certificates (Days Remaining) Widget and Edit
  • Under Input Data, add all the SSL checks you wish to place on the dashboard:

  • Don’t forget to save the dashboard after making changes

Bonus: When adding metrics to the dashboard, you can create a link to the website you are monitoring:

Once you have done this, go back to the dashboard and click the number of days remaining for the website. It will open the website in your browser so you can take a look at the certificate.

That’s all for this post. I hope this makes managing SSL certificates a little easier and opens up the power of remote scripting checks from vRealize Operations!

4 Comments

  1. Hi Graham,

    This posting is very nice!
    But is this script correct?

    I just see an error as below:
    ================================================================================
    PS C:\> .\vrops-ssl-check.ps1 https://www.vmware.com
    ERROR|Exception calling “ParseExact” with “3” argument(s): “String was not recognized as a valid DateTime.”
    ================================================================================
    What should I do about that?

    1. Hi Jack,

      What version of PowerShell are you running?

      I have updated the script above to better deal with invalid SSL certs. Please try this too.

      Graham

  2. Jack/Graham,

    That probably has something to do with the date formatting.
    The vmware.com website in the example uses Tuesday, 24 August 2021 as a date format.
    The computer used to run the PowerShell script uses a different format, so when you do the ‘math’:
    $SSLCertificateDaysRemaining = ($SSLCertificateDateTime - $(Get-Date)).Days

    The numbers don’t add up 🙂
