[Xymon] SSL/TLS cert monitoring

Ralph M ralphmitchell at gmail.com
Wed Aug 30 08:22:59 CEST 2023


Vernon,

See the attached script to monitor https sites via a proxy.  You'd need to
add the proxy to the Xymon server environment config, something like:

   "PROXY=proxy.mydomain.com:8080"

or whatever is appropriate for curl at your site.  Add an entry in
tasks.cfg to kick the thing off:

     chkhttps.sh server.domain.com https://server.domain.com/start.htm\

It throws the site headers to the http column for server.domain.com and
fakes the matching sslcert column.

It'll probably work, but your mileage may vary.  I'm not sure if my site is
still using it, but it looks like it hasn't required maintenance since
about 2012, so either it's really solid or the need for it went away.

You could co-opt the second part to fake the sslcert column where you have
a cert file and no server.  It uses the verbose output from curl to access
the certificate start/end dates and other info, so you'll need to alter
that a bit to make it work with the "openssl x509" output I
mentioned previously.

Ralph Mitchell



On Wed, Aug 30, 2023 at 1:35 AM Jeremy Laidman <jeremy at laidman.org> wrote:

> On Wed, 30 Aug 2023 at 13:32, Vernon Everett <everett.vernon at gmail.com>
> wrote:
>
>> Hi all
>>
>> Appreciate the responses, but I have more than 1 problem I am trying to
>> solve.
>> 1. I need to monitor the certs on a few web sites. That's pretty easy,
>> and works out of the box.
>> 2. I need to monitor the certs on a few web sites that are only reachable
>> through the proxy. Not sure how to do that.
>>
>
> Alas, not out of the box. The man page for hosts.cfg says, "Note that it
> is not possible to test https-sites via a proxy".
>
>
>> 3. I have a few certs local to my client that I need to keep an eye on
>> too. But these are used by applications, and are not related to a web page,
>> so effectively I need to to keep tabs on /foo/bar/cert
>>
>> Was looking for some guidance on 2.
>> And a magic bullet for 3. :-D
>>
>> I could code something up to do item 3, but I was really hoping there
>> would already be something that somebody could share.
>> I used to code Xymon tests for breakfast back when The Dead Sea was only
>> Somewhat Unwell. See here. https://wiki.xymonton.org/doku.php/monitors
>>
>
> LoL
>
>
>> But I am a bit rusty these days, and thought I'd lean on the community a
>> little.
>>
>> If I can't, I guess it's back to coding again. :-)
>>
>
> If you script something to solve problem 3, you probably get 95% of the
> way to solve problem 2. From what I can tell, OpenSSL cannot use a proxy,
> so Ralph's idea won't work. However, the same can be achieved using curl or
> wget, with some kind of increase in verbosity to show TLS attributes. Also,
> curl can return special variables like "ssl_verify_result" if you could use
> that (a separate thing to certificate expiry), and useful return codes (60
> = "Peer certificate cannot be authenticated with known CA certificates").
>
> $ { curl -Isv https://www.xymon.com/ 2>&1 >/dev/null; echo "CURL RC=$?"; } |
>   sed -n '/^CURL RC=/p;/^. Server certificate:/,/^>/{/^..[A-Z]/d;s/^...//;p}'
> subject: CN=xymon.com
> start date: Aug 16 13:20:13 2023 GMT
> expire date: Nov 14 13:20:12 2023 GMT
> common name: xymon.com
> issuer: CN=R3,O=Let's Encrypt,C=US
> CURL RC=0
>
> $ { curl -Isv https://expired.badssl.com/ 2>&1 >/dev/null; echo "CURL RC=$?"; } |
>   sed -n '/^CURL RC=/p;/^. Server certificate:/,/^>/{/^..[A-Z]/d;s/^...//;p}'
> subject: CN=*.badssl.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated
> start date: Apr 09 00:00:00 2015 GMT
> expire date: Apr 12 23:59:59 2015 GMT
> common name: *.badssl.com
> issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> CURL RC=60
>
> Here, I'm relying on the appropriate settings of HTTPS_PROXY for these to
> work through a proxy, but I could have used --proxy.
>
> The expire date can be parsed into epoch seconds, compared with today's
> epoch seconds value, and then checked for expired, or expiring soon:
>
> $ EXP=`curl -Isv https://expired.badssl.com/ 2>&1 >/dev/null |
>   sed -n '/^. Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'`
> [ "$EXP" ] && { SEC_E=`date --date "$EXP" +%s`; NOW_E=`date +%s`;
>   [ $SEC_E -lt $NOW_E ] && echo "Certificate expired on $EXP" ||
>   { let SEC=$SEC_E-$NOW_E; let DAYSOLD=$SEC/60/60/24;
>     [ $DAYSOLD -lt 60 ] && echo "Certificate will expire in under 60 days, on $EXP" ||
>     echo "Certificate age is OK (expires on $EXP)"; } } || echo "Failed to get certificate"
> Certificate expired on Apr 12 23:59:59 2015 GMT
>
> $ EXP=`curl -Isv https://www.xymonton.org/ 2>&1 >/dev/null |
>   sed -n '/^. Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'`
> [ "$EXP" ] && { SEC_E=`date --date "$EXP" +%s`; NOW_E=`date +%s`;
>   [ $SEC_E -lt $NOW_E ] && echo "Certificate expired on $EXP" ||
>   { let SEC=$SEC_E-$NOW_E; let DAYSOLD=$SEC/60/60/24;
>     [ $DAYSOLD -lt 60 ] && echo "Certificate will expire in under 60 days, on $EXP" ||
>     echo "Certificate age is OK (expires on $EXP)"; } } || echo "Failed to get certificate"
> Certificate will expire in under 60 days, on Oct 16 13:36:15 2023 GMT
>
> $ EXP=`curl -Isv https://www.xymon.org/ 2>&1 >/dev/null |
>   sed -n '/^. Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'`
> [ "$EXP" ] && { SEC_E=`date --date "$EXP" +%s`; NOW_E=`date +%s`;
>   [ $SEC_E -lt $NOW_E ] && echo "Certificate expired on $EXP" ||
>   { let SEC=$SEC_E-$NOW_E; let DAYSOLD=$SEC/60/60/24;
>     [ $DAYSOLD -lt 60 ] && echo "Certificate will expire in under 60 days, on $EXP" ||
>     echo "Certificate age is OK (expires on $EXP)"; } } || echo "Failed to get certificate"
> Certificate age is OK (expires on Nov 24 04:47:18 2023 GMT)
>
> J
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
>
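Added example, not Ralph's attached chkhttps.sh and not Jeremy's one-liner: it combines the two ideas in this thread, pulling the "expire date" out of curl's verbose TLS output (which, unlike openssl s_client, can go through a proxy) and turning the remaining lifetime into a Xymon status line for a faked sslcert column. It assumes GNU date for parsing the expiry string; the verbose curl output below is a constructed sample, and the hostname, thresholds and function names are this example's own.

```shell
#!/bin/sh
# Added example: curl verbose output -> Xymon "sslcert" status.
# Assumes GNU date (-d) can parse curl's "Nov 14 13:20:12 2023 GMT" form.
WARN_DAYS=${WARN_DAYS:-60}   # yellow below this many days left (Jeremy's 60)
CRIT_DAYS=${CRIT_DAYS:-14}   # red below this many days left (assumed threshold)

# Constructed sample of the certificate block "curl -Isv https://host/ 2>&1"
# prints; a real run captures this with fetch_verbose instead.
SAMPLE_VERBOSE='* Server certificate:
*  subject: CN=example.test
*  start date: Aug 16 13:20:13 2023 GMT
*  expire date: Nov 14 13:20:12 2023 GMT
*  issuer: CN=Example CA
*  SSL certificate verify ok.
> HEAD / HTTP/1.1'

# Network fetch (not exercised by the test): verbose TLS chatter to stdout,
# optionally via a proxy, which is what openssl s_client cannot do.
fetch_verbose() {  # url [proxy]
    if [ -n "$2" ]; then curl -Isv --proxy "$2" "$1" 2>&1 >/dev/null
    else curl -Isv "$1" 2>&1 >/dev/null; fi
}

# Extract the "expire date" value from verbose curl output on stdin
# (same sed address range as Jeremy's one-liner).
expire_date() {
    sed -n '/^. Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'
}

# Xymon colour for an expiry string, given "now" as epoch seconds.
# An unparsable date is treated as red rather than silently green.
cert_colour() {  # expire_string now_epoch
    exp_e=$(date -d "$1" +%s 2>/dev/null) || { echo red; return; }
    if [ "$exp_e" -lt "$2" ]; then echo red; return; fi   # already expired
    days=$(( (exp_e - $2) / 86400 ))
    if [ "$days" -lt "$CRIT_DAYS" ]; then echo red
    elif [ "$days" -lt "$WARN_DAYS" ]; then echo yellow
    else echo green; fi
}

# Status line for the faked sslcert column. Xymon wants dots in the
# hostname replaced by commas in "status HOST.TEST COLOUR text".
sslcert_status() {  # hostname expire_string now_epoch
    colour=$(cert_colour "$2" "$3")
    host=$(printf '%s' "$1" | tr . ,)
    printf 'status %s.sslcert %s cert expires %s\n' "$host" "$colour" "$2"
}

# Stand-alone run over the constructed sample, evaluated "now".
EXP=$(printf '%s\n' "$SAMPLE_VERBOSE" | expire_date)
sslcert_status server.domain.com "$EXP" "$(date +%s)"
```

In production the status line would be piped to `$XYMON $XYMSRV "..."` from a tasks.cfg entry, and `EXP` would come from `fetch_verbose "$URL" "$PROXY" | expire_date`.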
-------------- next part --------------
A non-text attachment was scrubbed...
Name: chkhttps.sh
Type: application/x-shellscript
Size: 3274 bytes
Desc: not available
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20230830/db6558fa/attachment.bin>