[Xymon] SSL/TLS cert monitoring
Jeremy Laidman
jeremy at laidman.org
Wed Aug 30 05:32:25 CEST 2023
Ralph's approach is probably the best.
Note to others who have kindly provided suggestions in this thread: the key
requirement is to check a certificate *file* (eg mycert.cer), not a
certificate used by a website or any networked service. There's no SSL/TLS
involved here, so the https test won't work. Certs are used for more than
just websites. An example of this might be a certificate file that's used
to sign a logfile after rotation, so that the log's veracity can be
verified later, for forensics. The https test is not suitable to check a
file, only a website or other SSL/TLS endpoint.
An alternative to Ralph's idea that might work, and requires no scripting,
might be to configure the webserver used by Xymon so that the certificate
files are somehow exposed and used in a TLS interaction, and thus become
testable by the Xymonnet https test. I imagine each cert file would need to
be configured in a snippet of the Apache (if that's the webserver) config
file, so that each cert is used to protect a subset of the website. A bit
messy, and probably a challenge to maintain, but it could probably be done
without scripting. Similarly, you could run an instance of stunnel for each
cert file, each on a different port (if multiple files exist on a host).
If it were me, I'd use Ralph's idea in a script, and simulate the message
that xymonnet would send for a cert used for a website.
On Tue, 29 Aug 2023 at 12:19, Ralph M <ralphmitchell at gmail.com> wrote:
> I've done this before, but I don't think I still have the script. If you
> want to mimic the sslcert column for some random SSL certificate file and
> send it to Xymon, this:
>
> openssl x509 -noout -in my_server.crt -subject -startdate -enddate -issuer
> -dateopt iso_8601 | \
> sed -e 's/notBefore=/start date: /' -e 's/notAfter=/expire date:/'
>
> gets you a block that looks something like the sslcert column:
>
> subject=CN = My Server Cert
> start date: 2021-01-05 03:57:33Z
> expire date:2025-01-05 03:57:33Z
> issuer=CN = Some Random CA
>
> You can do some date math on the expiry date to determine when it expires,
> and then construct a message to send to Xymon.
>
> I'll poke around and see if I can dig up my script.
>
> Ralph Mitchell
>
>
>
> On Mon, Aug 28, 2023 at 6:47 PM Vernon Everett <everett.vernon at gmail.com>
> wrote:
>
>> Hi all
>>
>> Haven't been using Xymon for many years, but I now have a small client
>> looking for a lightweight and cost-effective (free) monitoring solution,
>> and Zymon fitted the bill.
>>
>> Most of the config and setup is coming back to me, but I'm a little stuck
>> on certs.
>> Some certs I can point Xymon directly to the URL, and I get the response
>> I want.
>> Others are (multiple) certs on my Xymon client server, not related to a
>> URL, but used by applications.
>> I cannot remember how we configure those to check for expiration.
>>
>> Any tips appreciated.
>>
>> Regards
>> Vernon
>>
>> --
>>
>> "Accept the challenges so that you can feel the exhilaration of victory"
>> - General George Patton
>>
>> "Don't find fault. Find a remedy"
>> - Henry Ford
>> _______________________________________________
>> Xymon mailing list
>> Xymon at xymon.com
>> http://lists.xymon.com/mailman/listinfo/xymon
>>
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20230830/686bee78/attachment.htm>
More information about the Xymon
mailing list