[Xymon] SSL/TLS cert monitoring
Stephane Bakhos
nuitari at nuitari.net
Wed Aug 30 15:30:20 CEST 2023
On Wed, 30 Aug 2023, Jeremy Laidman wrote:
> Date: Wed, 30 Aug 2023 15:33:40 +1000
> From: Jeremy Laidman <jeremy at laidman.org>
> To: Vernon Everett <everett.vernon at gmail.com>
> Cc: Xymon mailinglist <xymon at xymon.com>
> Subject: Re: [Xymon] SSL/TLS cert monitoring
>
> On Wed, 30 Aug 2023 at 13:32, Vernon Everett <everett.vernon at gmail.com>
> wrote:
>
>> Hi all
>>
>> Appreciate the responses, but I have more than 1 problem I am trying to
>> solve.
>> 1. I need to monitor the certs on a few web sites. That's pretty easy, and
>> works out of the box.
>> 2. I need to monitor the certs on a few web sites that are only reachable
>> through the proxy. Not sure how to do that.
>>
>
> Alas, not out of the box. The man page for hosts.cfg says, "Note that it is
> not possible to test https-sites via a proxy".
>
>
>> 3. I have a few certs local to my client that I need to keep an eye on
>> too. But these are used by applications, and are not related to a web page,
>> so effectively I need to to keep tabs on /foo/bar/cert
>>
>> Was looking for some guidance on 2.
>> And a magic bullet for 3. :-D
>>
>> I could code something up to do item 3, but I was really hoping there
>> would already be something that somebody could share.
>> I used to code Xymon tests for breakfast back when The Dead Sea was only
>> Somewhat Unwell. See here. https://wiki.xymonton.org/doku.php/monitors
>>
>
> LoL
>
>
>> But I am a bit rusty these days, and thought I'd lean on the community a
>> little.
>>
>> If I can't, I guess it's back to coding again. :-)
>>
>
> If you script something to solve problem 3, you probably get 95% of the way
> to solve problem 2. From what I can tell, OpenSSL cannot use a proxy, so
> Ralph's idea won't work. However, the same can be achieved using curl or
> wget, with some kind of increase in verbosity to show TLS attributes. Also,
> curl can return special variables like "ssl_verify_result" if you could use
> that (a separate thing to certificate expiry), and useful return codes (60
> = "Peer certificate cannot be authenticated with known CA certificates").
>
> $ { curl -Isv https://www.xymon.com/ 2>&1 >/dev/null; echo "CURL RC=$?"; }
> | sed -n '/^CURL RC=/p;/^. Server
> certificate:/,/^>/{/^..[A-Z]/d;s/^...//;p}'
> subject: CN=xymon.com
> start date: Aug 16 13:20:13 2023 GMT
> expire date: Nov 14 13:20:12 2023 GMT
> common name: xymon.com
> issuer: CN=R3,O=Let's Encrypt,C=US
> CURL RC=0
>
> $ { curl -Isv https://expired.badssl.com/ 2>&1 >/dev/null; echo "CURL
> RC=$?"; } | sed -n '/^CURL RC=/p;/^. Server
> certificate:/,/^>/{/^..[A-Z]/d;s/^...//;p}'
> subject: CN=*.badssl.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated
> start date: Apr 09 00:00:00 2015 GMT
> expire date: Apr 12 23:59:59 2015 GMT
> common name: *.badssl.com
> issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA
> Limited,L=Salford,ST=Greater Manchester,C=GB
> CURL RC=60
>
> Here, I'm relying on the appropriate settings of HTTPS_PROXY for these to
> work through a proxy, but I could have used --proxy.
>
> The expire date can be parsed into epoch seconds, compared with today's
> epoch seconds value, and then checked for expired, or expiring soon:
>
> $ EXP=`curl -Isv https://expired.badssl.com/ 2>&1 >/dev/null | sed -n '/^.
> Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'`; [ "$EXP" ] &&
> { SEC_E=`date --date "$EXP" +%s`; NOW_E=`date +%s`; [ $SEC_E -lt $NOW_E ]
> && echo "Certificate expired on $EXP" || { let SEC=$SEC_E-$NOW_E; let
> DAYSOLD=$SEC/60/60/24; [ $DAYSOLD -lt 60 ] && echo "Certificate will expire
> in under 60 days, on $EXP" || echo "Certificate age is OK (expires on
> $EXP)"; } } || echo "Failed to get certificate"
> Certificate expired on Apr 12 23:59:59 2015 GMT
>
> $ EXP=`curl -Isv https://www.xymonton.org/ 2>&1 >/dev/null | sed -n '/^.
> Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'`; [ "$EXP" ] &&
> { SEC_E=`date --date "$EXP" +%s`; NOW_E=`date +%s`; [ $SEC_E -lt $NOW_E ]
> && echo "Certificate expired on $EXP" || { let SEC=$SEC_E-$NOW_E; let
> DAYSOLD=$SEC/60/60/24; [ $DAYSOLD -lt 60 ] && echo "Certificate will expire
> in under 60 days, on $EXP" || echo "Certificate age is OK (expires on
> $EXP)"; } } || echo "Failed to get certificate"
> Certificate will expire in under 60 days, on Oct 16 13:36:15 2023 GMT
>
> $ EXP=`curl -Isv https://www.xymon.org/ 2>&1 >/dev/null | sed -n '/^.
> Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'`; [ "$EXP" ] &&
> { SEC_E=`date --date "$EXP" +%s`; NOW_E=`date +%s`; [ $SEC_E -lt $NOW_E ]
> && echo "Certificate expired on $EXP" || { let SEC=$SEC_E-$NOW_E; let
> DAYSOLD=$SEC/60/60/24; [ $DAYSOLD -lt 60 ] && echo "Certificate will expire
> in under 60 days, on $EXP" || echo "Certificate age is OK (expires on
> $EXP)"; } } || echo "Failed to get certificate"
> Certificate age is OK (expires on Nov 24 04:47:18 2023 GMT)
>
> J
>
Another solution would be to run a xymonnet instance on the proxy server
and report it back to the main xymond server. NET: in hosts.cfg can be
used in this case.
More information about the Xymon
mailing list