[Xymon] Subject: Re: SSL OCSP monitoring

Steff Watkins s.watkins at nhm.ac.uk
Wed Apr 16 11:40:02 CEST 2014


> Hi,
>
> Can we monitor SSL certificate's revoke status ?
>
> Thanks,
> Deepak

Hello Deepak,

Not sure if this is what you're after, but I've found a way of getting Xymon to give yellow alerts when the SSL certificate on a webserver has 30 days (or less) until expiry, and red alerts on 14 days (or less).

The first part is to give a secure URL in the comment section of the host definition in the hosts.cfg file, such as:

   192.168.12.12    www  # conn ssh http://www.yabadabadoo.blah.uk/ https://yabadabadoo.blah.uk/

This tells Xymon to check the secure HTTP instance on, in this case, www.yabadabadoo.blah.uk. So it picks up the SSL certificate and reports on its presence. This should create an "sslcert" column on your Xymon display. You can view the retrieved certificate in that column.

However the next step is needed if you wanted alerts raised when an SSL certificate is getting near expiry date.

In the tasks.cfg file you need to set up a clause to force the system to raise a warning if the SSL certificate gets near its expiry date. I have done this by adding the "sslwarn" and "sslalarm" options to the definition for xymonnet.

The actual definition I am using is shown below:

-----
[xymonnet]
        ENVFILE /usr/local/hobbit/server/etc/xymonserver.cfg
        NEEDS xymond
        CMD xymonnet --no-ares --report --ping --checkresponse --sslwarn=30 --sslalarm=14 '--dnslog=/var/log/xymon/dns.log' '--concurrency=5' '--debug' '--dump=both'
        LOGFILE $XYMONSERVERLOGS/xymonnet.log
        INTERVAL 5m
-----

As you can see I have '--sslwarn=30', which causes the sslcert column for a host to go yellow when the SSL certificate for that host has 30 days or less until expiry. The '--sslalarm=14' raises the alert level to red when there are 14 days or less until the SSL certificate's expiry date.

I have this running in a live environment at the moment and can confirm that it does work. I'm fairly sure that you should be able to use this sort of setup for testing the revocation dates of SSL certificates for other protocols, such as secure smtp.

Hope this helps.

Regards,
Steff Watkins
-----
Steff Watkins                           Natural History Museum, Cromwell Road, London, SW7 5BD
Systems programmer                      Email: s.watkins at nhm.ac.uk
Systems Team                            Phone: +44 (0)20 7942 6000 opt 2
========
"Many were increasingly of the opinion that they'd all made a big mistake in coming down from the trees in the first place. And some said that even the trees had been a bad move, and that no one should ever have left the oceans." - HHGTTG
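
The reply above covers expiry thresholds; the original question was about revocation status, which xymonnet's --sslwarn/--sslalarm do not address. The script below is an added example (not Steff's code and not part of Xymon) of an external Xymon-style check that combines both: it maps days-to-expiry onto the same 30/14-day yellow/red thresholds and maps an OCSP answer onto a colour, then builds the status line Xymon accepts. It assumes the output format of `openssl x509 -noout -enddate` and `openssl ocsp` as shown in the comments (the sample output strings are constructed, not captured), the Xymon convention of writing dots in hostnames as commas in status messages, and a hypothetical hostname; the `openssl` invocations themselves are only quoted in comments so the example runs offline.

```python
"""Expiry + OCSP status -> Xymon colour.  Added example, not Xymon project code.

Real pipeline (not executed here, shown for reference):
  openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null \
      | openssl x509 -outform PEM > cert.pem
  openssl x509 -noout -enddate -in cert.pem           # -> "notAfter=..." line
  openssl ocsp -issuer issuer.pem -cert cert.pem -url OCSP_URL -CAfile ca.pem
"""
from datetime import datetime, timezone

WARN_DAYS = 30    # same meaning as xymonnet --sslwarn=30  -> yellow
ALARM_DAYS = 14   # same meaning as xymonnet --sslalarm=14 -> red

# Constructed sample lines in the shape the openssl commands above print.
SAMPLE_ENDDATE = "notAfter=Jun  1 12:00:00 2014 GMT"
SAMPLE_OCSP_GOOD = "Response verify OK\ncert.pem: good\n\tThis Update: Apr 16 09:00:00 2014 GMT\n"
SAMPLE_OCSP_REVOKED = ("Response verify OK\ncert.pem: revoked\n"
                       "\tThis Update: Apr 16 09:00:00 2014 GMT\n\tReason: keyCompromise\n")
SAMPLE_OCSP_UNVERIFIED = "Response Verify Failure\ncert.pem: good\n"   # constructed: bad signature


def utc(year, month, day, hour=0, minute=0):
    """Aware UTC datetime helper, so thresholds are compared in one timezone."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_enddate(line):
    """Parse 'notAfter=Mon DD HH:MM:SS YYYY GMT' (openssl -enddate) into UTC."""
    value = line.strip()
    if value.startswith("notAfter="):
        value = value[len("notAfter="):]
    if value.endswith(" GMT"):
        value = value[:-len(" GMT")]
    # strptime treats the double space before a single-digit day as whitespace
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def days_left(not_after, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return (not_after - now).days


def expiry_color(days, warn=WARN_DAYS, alarm=ALARM_DAYS):
    """Same ladder as --sslwarn/--sslalarm: <=alarm red, <=warn yellow, else green."""
    if days <= alarm:
        return "red"
    if days <= warn:
        return "yellow"
    return "green"


def parse_ocsp(output):
    """Return (cert_status, verified) from `openssl ocsp` text output.

    The per-certificate line is 'FILE: good|revoked|unknown'; indented lines
    (This Update, Reason, ...) are details and skipped.  'Response verify OK'
    is printed only when the responder signature chained to the CA file.
    """
    verified = "Response verify OK" in output
    status = "unknown"
    for line in output.splitlines():
        if line.startswith(("\t", " ")):
            continue
        _, sep, value = line.partition(": ")
        if sep and value.strip() in ("good", "revoked", "unknown"):
            status = value.strip()
    return status, verified


def ocsp_color(status, verified):
    """revoked -> red; good and verified -> green; anything else needs a look."""
    if status == "revoked":
        return "red"
    if status == "good" and verified:
        return "green"
    return "yellow"   # unknown status, or a response we could not verify


def worst(*colors):
    rank = {"green": 0, "yellow": 1, "red": 2}
    return max(colors, key=rank.__getitem__)


def xymon_status(host, test, color, text):
    """Build 'status HOST.TEST COLOR text'; Xymon writes dots in hostnames as commas."""
    return "status %s.%s %s %s" % (host.replace(".", ","), test, color, text)


def report(host, enddate_line, ocsp_output, now):
    """Combine expiry and OCSP results into one sslcert status line."""
    days = days_left(parse_enddate(enddate_line), now)
    status, verified = parse_ocsp(ocsp_output)
    color = worst(expiry_color(days), ocsp_color(status, verified))
    text = "%s expires in %d days (%s); OCSP %s%s" % (
        host, days, expiry_color(days), status, "" if verified else " (unverified)")
    return xymon_status(host, "sslcert", color, text)


if __name__ == "__main__":
    # Hypothetical host; in a real ext script the line is sent with $XYMON $XYMSRV "..."
    now = utc(2014, 4, 16, 11, 40)
    for sample in (SAMPLE_OCSP_GOOD, SAMPLE_OCSP_REVOKED, SAMPLE_OCSP_UNVERIFIED):
        print(report("www.yabadabadoo.blah.uk", SAMPLE_ENDDATE, sample, now))
```

The worst-of rule matters: a certificate can be weeks from expiry and still be revoked, so the OCSP colour has to be able to override green from the expiry check, and an OCSP response whose signature does not verify is deliberately not treated as "good".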