[Xymon] SSL/TLS cert monitoring
Jeremy Laidman
jeremy at laidman.org
Wed Aug 30 07:33:40 CEST 2023
On Wed, 30 Aug 2023 at 13:32, Vernon Everett <everett.vernon at gmail.com>
wrote:
> Hi all
>
> Appreciate the responses, but I have more than 1 problem I am trying to
> solve.
> 1. I need to monitor the certs on a few web sites. That's pretty easy, and
> works out of the box.
> 2. I need to monitor the certs on a few web sites that are only reachable
> through the proxy. Not sure how to do that.
>
Alas, not out of the box. The man page for hosts.cfg says, "Note that it is
not possible to test https-sites via a proxy".
> 3. I have a few certs local to my client that I need to keep an eye on
> too. But these are used by applications, and are not related to a web page,
> so effectively I need to to keep tabs on /foo/bar/cert
>
> Was looking for some guidance on 2.
> And a magic bullet for 3. :-D
>
> I could code something up to do item 3, but I was really hoping there
> would already be something that somebody could share.
> I used to code Xymon tests for breakfast back when The Dead Sea was only
> Somewhat Unwell. See here. https://wiki.xymonton.org/doku.php/monitors
>
LoL
> But I am a bit rusty these days, and thought I'd lean on the community a
> little.
>
> If I can't, I guess it's back to coding again. :-)
>
If you script something to solve problem 3, you probably get 95% of the way
to solve problem 2. From what I can tell, OpenSSL cannot use a proxy, so
Ralph's idea won't work. However, the same can be achieved using curl or
wget, with some kind of increase in verbosity to show TLS attributes. Also,
curl can return special variables like "ssl_verify_result" if you could use
that (a separate thing to certificate expiry), and useful return codes (60
= "Peer certificate cannot be authenticated with known CA certificates").
$ { curl -Isv https://www.xymon.com/ 2>&1 >/dev/null; echo "CURL RC=$?"; }
| sed -n '/^CURL RC=/p;/^. Server
certificate:/,/^>/{/^..[A-Z]/d;s/^...//;p}'
subject: CN=xymon.com
start date: Aug 16 13:20:13 2023 GMT
expire date: Nov 14 13:20:12 2023 GMT
common name: xymon.com
issuer: CN=R3,O=Let's Encrypt,C=US
CURL RC=0
$ { curl -Isv https://expired.badssl.com/ 2>&1 >/dev/null; echo "CURL
RC=$?"; } | sed -n '/^CURL RC=/p;/^. Server
certificate:/,/^>/{/^..[A-Z]/d;s/^...//;p}'
subject: CN=*.badssl.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated
start date: Apr 09 00:00:00 2015 GMT
expire date: Apr 12 23:59:59 2015 GMT
common name: *.badssl.com
issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
Limited,L=Salford,ST=Greater Manchester,C=GB
CURL RC=60
Here, I'm relying on the appropriate settings of HTTPS_PROXY for these to
work through a proxy, but I could have used --proxy.
The expire date can be parsed into epoch seconds, compared with today's
epoch seconds value, and then checked for expired, or expiring soon:
$ EXP=`curl -Isv https://expired.badssl.com/ 2>&1 >/dev/null | sed -n '/^.
Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'`; [ "$EXP" ] &&
{ SEC_E=`date --date "$EXP" +%s`; NOW_E=`date +%s`; [ $SEC_E -lt $NOW_E ]
&& echo "Certificate expired on $EXP" || { let SEC=$SEC_E-$NOW_E; let
DAYSOLD=$SEC/60/60/24; [ $DAYSOLD -lt 60 ] && echo "Certificate will expire
in under 60 days, on $EXP" || echo "Certificate age is OK (expires on
$EXP)"; } } || echo "Failed to get certificate"
Certificate expired on Apr 12 23:59:59 2015 GMT
$ EXP=`curl -Isv https://www.xymonton.org/ 2>&1 >/dev/null | sed -n '/^.
Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'`; [ "$EXP" ] &&
{ SEC_E=`date --date "$EXP" +%s`; NOW_E=`date +%s`; [ $SEC_E -lt $NOW_E ]
&& echo "Certificate expired on $EXP" || { let SEC=$SEC_E-$NOW_E; let
DAYSOLD=$SEC/60/60/24; [ $DAYSOLD -lt 60 ] && echo "Certificate will expire
in under 60 days, on $EXP" || echo "Certificate age is OK (expires on
$EXP)"; } } || echo "Failed to get certificate"
Certificate will expire in under 60 days, on Oct 16 13:36:15 2023 GMT
$ EXP=`curl -Isv https://www.xymon.org/ 2>&1 >/dev/null | sed -n '/^.
Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'`; [ "$EXP" ] &&
{ SEC_E=`date --date "$EXP" +%s`; NOW_E=`date +%s`; [ $SEC_E -lt $NOW_E ]
&& echo "Certificate expired on $EXP" || { let SEC=$SEC_E-$NOW_E; let
DAYSOLD=$SEC/60/60/24; [ $DAYSOLD -lt 60 ] && echo "Certificate will expire
in under 60 days, on $EXP" || echo "Certificate age is OK (expires on
$EXP)"; } } || echo "Failed to get certificate"
Certificate age is OK (expires on Nov 24 04:47:18 2023 GMT)
J
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.xymon.com/pipermail/xymon/attachments/20230830/a594c416/attachment.htm>
More information about the Xymon
mailing list