Sending An Advance Email Alert For Impending SSL Certificate Expiration

The document describes how to configure the BIG-IP system to monitor SSL certificate expiration and send email notifications when certificates are within 30 days of expiration or have expired. The procedure involves configuring a DNS server, SMTP server, custom alert definitions, and testing the email notification. When completed, the BIG-IP system will use check-cert utility to monitor certificates weekly and send emails if expiration criteria are met.


AskF5 Home / K15288

Original Publication Date: Aug 10, 2015
Updated Date: Oct 04, 2020

You should consider using this procedure under the following condition:

You want to trigger an automatic notification email when an SSL certificate is within 30 days of expiration or has already expired.

You can configure a BIG-IP system to monitor SSL certificate expiration status and send an email when a certificate has expired or will expire within 30 days. The check-cert utility runs weekly; it examines the expiration date of each locally created or imported SSL certificate and logs a message for every certificate that meets either condition.

For more information about check-cert, refer to K14318: Monitoring SSL certificate expiration on the BIG-IP system (11.x - 13.x).

For more information about when the utility runs, refer to K70264550: The BIG-IP system uses anacron to manage scheduled jobs for daily, weekly, and monthly tasks.

To configure this feature, complete all of the following procedures in order:

Configuring the BIG-IP system to use a DNS lookup server
Configuring the BIG-IP system to use an SMTP server (11.5.0 and later)
Configuring the BIG-IP system to use an SMTP server (11.0.0 - 11.4.1)
Configuring custom alert definitions
Testing the email notification feature

You must meet the following prerequisites to use this procedure:

You have command-line access to the BIG-IP system as the root user.
You can access an SMTP server to accept an incoming email from the BIG-IP system.
You can access a DNS server to resolve the IP address of your SMTP server.

Configuring the BIG-IP system to use a DNS lookup server

The following procedure configures the BIG-IP system to resolve hosts from a DNS server.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

Note: If you want to use a fixed IP address instead of a resolved host name for your SMTP server, you may skip this procedure.

1. Log in to the TMOS Shell (tmsh) by typing the following command:

tmsh

2. To configure the BIG-IP system to use a DNS name server, use the following command syntax:

modify sys dns name-servers add { <ip_address1> <ip_address2> }

For example, to configure the BIG-IP system to use DNS name server 192.168.10.100, use the following command:

modify sys dns name-servers add { 192.168.10.100 }

3. To save the configuration, type the following command:

save sys config

Configuring the BIG-IP system to use an SMTP server (11.5.0 and later)

The following procedure configures the BIG-IP system mail client to connect to an external SMTP server.

Note: Due to a known issue, the BIG-IP system does not automatically configure a domain name in the email From: line. For more information about the issue and how to work around it, refer to K15188934: Emails generated by the BIG-IP system may fail after upgrading to 13.0.0.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to tmsh by typing the following command:

tmsh

2. To configure the mail client to connect to an external SMTP server, use the following command syntax:

modify sys outbound-smtp mailhub <mail_server>:<port>

For example, to configure the system to send email messages to host mail.mydomain.com using port 587, you would type the following command:

modify sys outbound-smtp mailhub mail.mydomain.com:587

3. To save the configuration, type the following command:

save sys config

Configuring the BIG-IP system to use an SMTP server (11.0.0 - 11.4.1)

The following procedure configures the BIG-IP system mail client to connect to an external SMTP server.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the BIG-IP command line as the root user.

2. Use a text editor to edit the /etc/ssmtp/ssmtp.conf file and modify the mailhub= option so that it points to your SMTP server, using the following syntax:

mailhub=<smtphost>.<domain>

For example:

mailhub=smtp.mydomain.com

Alternatively, you may enter a fixed IP address instead of a host name.

For example:

mailhub=192.168.1.1

3. Save the changes.

4. From the BIG-IP command line, test the email configuration by using the following command syntax, replacing <email_address> with the address that should receive the test message:

echo "ssmtp test mail" | mail -vs "Test email for SOL15288" <email_address>

If the message is sent successfully, the user at <email_address> should receive a test email message.

Note: If you want the ssmtp.conf configuration change to persist beyond a BIG-IP upgrade, refer to K4422: Viewing and modifying the files that are configured for inclusion in a UCS archive.

Configuring custom alert definitions

The following procedure configures the custom alerts necessary to trigger a custom SNMP trap and an email alert for certificates which will expire within 30 days, and for certificates which have already expired.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to the BIG-IP command line as the root user.

2. Use a text editor to edit the /config/user_alert.conf file, then copy and paste the following two entries into the file, replacing <email_address> with your preferred email address and replacing <BIG-IP> with the name of the BIG-IP system:

Note: The following alert definitions specify custom SNMP object IDs ending in .300 and .301. Each custom alert definition must use a unique object ID. If you already have a custom alert definition that uses the .300 or .301 object ID, use the next available unique object ID instead.

Note: The following alert definitions rely on certificate expiration messages logged to the /var/log/ltm file. If syslog-ng is not running, or the certificate expiration messages are not logged to the /var/log/ltm file, the patterns never match and no SMTP email message is generated or delivered.

alert CERTIFICATE_EXPIRED "Certificate (.*) expired" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.300";
    email toaddress="<email_address>"
    body="Certificate Expired on <BIG-IP>"
}

alert CERTIFICATE_WILL_EXPIRE "Certificate (.*) will expire" {
    snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.301";
    email toaddress="<email_address>"
    body="Certificate will Expire on <BIG-IP>"
}

Using the default alert names:

alert BIGIP_TMSH_TMSH_CERT_EXPIRED {
    email toaddress="<email_address>"
    body="Certificate Expired on <BIG-IP>"
}

alert BIGIP_TMSH_TMSH_CERT_WILL_EXPIRE {
    email toaddress="<email_address>"
    body="Certificate will Expire on <BIG-IP>"
}

3. Save the changes.
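As an added illustration (not part of the K15288 article or F5's own code), the following Python script models what check-cert and alertd do with the definitions above: it produces /var/log/ltm-style messages for certificates that have expired or expire within 30 days, then runs the two user_alert.conf patterns over those lines and reports the trap OID and email body each one would trigger. The certificate inventory, the BIG-IP host name, the inclusive 30-day boundary and the wording of the "expired on" log line are constructed assumptions; the page itself shows only the "will expire on" line.

```python
import re
from datetime import date, timedelta

# The two custom alert definitions from /config/user_alert.conf on this page:
# (alert name, match pattern, SNMP trap OID, email body template).
ALERTS = [
    ("CERTIFICATE_EXPIRED", re.compile(r"Certificate (.*) expired"),
     ".1.3.6.1.4.1.3375.2.4.0.300", "Certificate Expired on <BIG-IP>"),
    ("CERTIFICATE_WILL_EXPIRE", re.compile(r"Certificate (.*) will expire"),
     ".1.3.6.1.4.1.3375.2.4.0.301", "Certificate will Expire on <BIG-IP>"),
]
EXPIRY_WINDOW = timedelta(days=30)  # check-cert warns inside this window

def check_cert_lines(certs, today):
    """Model check-cert's sweep: return one /var/log/ltm style message for each
    certificate that has expired or expires within EXPIRY_WINDOW of `today`.
    certs is a list of (subject, file path, notAfter date) tuples. The 'will
    expire on' wording is the one the page shows; the 'expired on' wording is
    an assumption that merely has to satisfy the CERTIFICATE_EXPIRED pattern."""
    lines = []
    for subject, path, not_after in certs:
        if not_after < today:
            lines.append(f"01420008:4: Certificate '{subject}' in file {path} expired on {not_after}")
        elif not_after - today <= EXPIRY_WINDOW:  # exactly 30 days out still counts (assumption)
            lines.append(f"01420008:4: Certificate '{subject}' in file {path} will expire on {not_after}")
    return lines

def match_alerts(lines, bigip_name):
    """Apply the user_alert.conf patterns to each log line, as alertd does, and
    return the actions as (alert name, trap OID, email body) with <BIG-IP>
    replaced by the system name. This model raises one alert per line."""
    actions = []
    for line in lines:
        for name, pattern, oid, body in ALERTS:
            if pattern.search(line):
                actions.append((name, oid, body.replace("<BIG-IP>", bigip_name)))
                break
    return actions

if __name__ == "__main__":
    # Constructed inventory: a 10-day certificate like the page's test cert,
    # one already expired, and one with months of validity left.
    today = date(2020, 10, 4)
    inventory = [
        ("CN=SOL15288testcert.com,C=US", "/Common/SOL15288testcert.crt", today + timedelta(days=10)),
        ("CN=old.example.com", "/Common/old.crt", today - timedelta(days=3)),
        ("CN=fine.example.com", "/Common/fine.crt", today + timedelta(days=200)),
    ]
    for line in check_cert_lines(inventory, today):
        print(line)
    for action in match_alerts(check_cert_lines(inventory, today), "bigip1.mydomain.com"):
        print(action)
```

Note that the CERTIFICATE_EXPIRED pattern does not match a "will expire on" line (it needs the literal "expired"), so each log message triggers only the alert intended for it.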

Testing the email notification feature

The following procedure tests the certificate email notification feature.

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

1. Log in to tmsh by typing the following command:

tmsh

2. To create a test certificate which expires in 10 days, type the following command:

create sys crypto key SOL15288testcert gen-certificate lifetime 10 common-name SOL15288testcert.com

3. To run the check-cert command, type the following command:

run sys crypto check-cert

4. An email message should be sent to the user specified in the /config/user_alert.conf file and a message similar to the following appears in the /var/log/ltm file:

01420008:4: Certificate 'CN=SOL15288testcert.com,C=US' in file /Common/SOL15288testcert.crt will expire on <date>

5. When tests are confirmed, you may delete your 10-day test certificate and key by typing the following commands from within tmsh:

delete /sys crypto key SOL15288testcert
delete /sys crypto cert SOL15288testcert

K13180: Configuring the BIG-IP system to deliver locally-generated email messages (11.x - 13.x)
K3727: Configuring custom SNMP traps
K3667: Configuring alerts to send email notifications

Applies to:

Product: BIG-IP, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM, BIG-IP ASM, BIG-IP DNS, BIG-IP GTM, BIG-IP Link Controller, BIG-IP LTM, BIG-IP PEM
15.X.X, 14.X.X, 13.X.X, 12.X.X, 11.X.X

Product: Legacy Products, Enterprise Manager, BIG-IP WebAccelerator, BIG-IP WOM, BIG-IP PSM, BIG-IP Edge Gateway
15.X.X, 14.X.X, 13.X.X, 12.X.X, 11.X.X, 3.X.X
