[Xymon] xymon checking wrong SSL cert on CNAME

Henrik Størner henrik at hswn.dk
Thu Jun 13 09:18:51 CEST 2024


Does it make a difference if you add ‘sni’ (server name indication) to the hosts.cfg entry? I am not sure if that is the default setting. 

Regards
Henrik 

> Den 13. jun. 2024 kl. 09.12 skrev Roland Rosenfeld <roland at spinnaker.de>:
> 
> On Thu, 13 Jun 2024, betsys at well.com wrote:
> 
>> We have a website at a third-party hosting company, where our site
>> https://www.example.com is a cname for
>> something.hosting.com (not the real name)
>> 
>> We have a LetsEncrypt cert issued for www.example.com.
> 
>> The cert wasn't updating, but xymon did not alert, because xymon is
>> apparently evaluating the CNAME and then checking the cert for hosting.com
>> (which has a wildcard cert *.hosting.com)
> 
> I cannot believe this.  We also have CNAMEs pointing to hosts and the
> cert check works as expected.  Did you check the "sslcert" column?
> 
> In this column I see a list of all https checks for this host listing
> the request URL (without the IP-pinning, if you did so) with the
> certificate subject, issuer and validity start/expire.
> 
>> How do we make xymon check the cert for www.example.com, other than
>> writing our own script? I think this is a fairly common setup for
>> hosted websites
>> 
>> (for a minute I thought about adding an A record but that would be wrong on
>> multiple levels)
> 
>> /home/xymon/server/etc/hosts.cfg has
>> 
>> x.x.x.x  www.example.com # noconn httpstatus;http://www.example.com/;301;
>> https://www.example.com
> 
> That's nearly what I'm doing.  The x.x.x.x is irrelevant since you use
> noconn.  The https://www.example.com checks this URL and the sslcert
> column should show the cert of this URL.
> 
> Here's an example I use (a little obfuscated):
> 
> 1.2.3.4  foobar # noconn httpstatus;http://foobar.example.com;301 \
>         httpstatus;http://foobar.example.net;301 \
>         https://foobar.example.com=1.2.3.4/login \
>         https://foobar.example.net=1.2.3.4/login \
>         https://foobar.example.com=1.2.3.10/login \
>         https://foobar.example.net=1.2.3.10/login
> 
> foobar.example.com and foobar.example.net are both CNAMES to the same
> double-A-Record pointing to 1.2.3.4 and 1.2.3.10.
> 
> In the sslcert column I see:
> 
> SL certificate for https://foobar.example.net/login expires in 323 days
> 
> Server certificate:
>    subject:/CN=foobar.example.net
>    start date: 2024-04-03 00:00:00 GMT
>    expire date:2025-05-02 23:59:59 GMT
>    key size:2048
>    issuer:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1
>    signature algorithm: sha256WithRSAEncryption
> 
> green SSL certificate for https://foobar.example.com/login expires in 176 days
> 
> Server certificate:
>    subject:/CN=foobar.example.com
>    start date: 2023-11-06 00:00:00 GMT
>    expire date:2024-12-06 23:59:59 GMT
>    key size:2048
>    issuer:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1
>    signature algorithm: sha256WithRSAEncryption
> 
> green SSL certificate for https://foobar.example.net/login expires in 323 days
> 
> Server certificate:
>    subject:/CN=foobar.example.net
>    start date: 2024-04-03 00:00:00 GMT
>    expire date:2025-05-02 23:59:59 GMT
>    key size:2048
>    issuer:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1
>    signature algorithm: sha256WithRSAEncryption
> 
> green SSL certificate for https://foobar.example.com/login expires in 176 days
> 
> Server certificate:
>    subject:/CN=foobar.example.com
>    start date: 2023-11-06 00:00:00 GMT
>    expire date:2024-12-06 23:59:59 GMT
>    key size:2048
>    issuer:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1
>    signature algorithm: sha256WithRSAEncryption
> 
> (as you can see, the certificates of foobar.example.com and
> foobar.example.net have different certificates with different
> lifetimes).
> 
> They are duplicated, because this is checked for both IPs (so I see,
> if only one of the two cluster nodes gets a new cert).
> 
> Greetings
> Roland
> _______________________________________________
> Xymon mailing list
> Xymon at xymon.com
> http://lists.xymon.com/mailman/listinfo/xymon
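The thread's diagnostic is to read the sslcert column and see whether the certificate shown for a URL actually belongs to that hostname or to the hoster's wildcard. The script below is an added example (not Xymon code and not from either poster) that automates that reading: it parses column text in the format quoted above, checks the subject CN against the URL's hostname with RFC 6125 style wildcard matching, collapses the per-IP duplicates Roland describes, and reports name mismatches and near-expiry certificates. The sample column text, the issuer "Example CA" and the reference date NOW are constructed; the column as quoted shows only the subject CN, not the SAN list, so a certificate that covers the name only through a SAN entry will show up as a mismatch to review rather than as a proven error.

```python
"""Audit Xymon 'sslcert' column text: name mismatches, expiry, duplicates.

Added example, not part of Xymon. The column layout is modelled on the
output quoted in the thread; all sample data below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed reference date (the date of the thread).
NOW = datetime(2024, 6, 13, tzinfo=timezone.utc)

# Constructed sample column: one healthy entry, the same entry again as seen
# from the second A-record IP, and a URL answered by a hoster's wildcard cert.
SAMPLE_COLUMN = """\
green SSL certificate for https://foobar.example.net/login expires in 323 days

Server certificate:
   subject:/CN=foobar.example.net
   start date: 2024-04-03 00:00:00 GMT
   expire date:2025-05-02 23:59:59 GMT
   key size:2048
   issuer:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1
   signature algorithm: sha256WithRSAEncryption

green SSL certificate for https://foobar.example.net/login expires in 323 days

Server certificate:
   subject:/CN=foobar.example.net
   start date: 2024-04-03 00:00:00 GMT
   expire date:2025-05-02 23:59:59 GMT
   key size:2048
   issuer:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1
   signature algorithm: sha256WithRSAEncryption

green SSL certificate for https://www.example.com/ expires in 171 days

Server certificate:
   subject:/CN=*.hosting.com
   start date: 2024-03-01 00:00:00 GMT
   expire date:2024-12-01 23:59:59 GMT
   key size:2048
   issuer:/C=US/O=Example Issuer/CN=Example CA
   signature algorithm: sha256WithRSAEncryption
"""

# One certificate block as the column prints it; only the fields we need.
ENTRY_RE = re.compile(
    r"SSL certificate for (?P<url>\S+) expires in -?\d+ days\s+"
    r"Server certificate:\s+subject:(?P<subject>[^\n]*)\n"
    r"\s*start date:\s*(?P<start>.*?) GMT\n"
    r"\s*expire date:\s*(?P<expire>.*?) GMT\n"
)


@dataclass(frozen=True)
class Entry:
    url: str
    host: str       # hostname taken from the checked URL
    cn: str         # subject CN as printed (SANs are not shown in the column)
    start: datetime
    expire: datetime


def _gmt(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_entries(column_text: str) -> list[Entry]:
    entries = []
    for m in ENTRY_RE.finditer(column_text):
        cn_match = re.search(r"/CN=([^/]+)", m["subject"])
        entries.append(Entry(url=m["url"],
                             host=urlparse(m["url"]).hostname or "",
                             cn=cn_match.group(1).strip() if cn_match else "",
                             start=_gmt(m["start"]), expire=_gmt(m["expire"])))
    return entries


def hostname_matches(cn: str, host: str) -> bool:
    """RFC 6125 style: a wildcard covers exactly one leftmost label."""
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if not cn.startswith("*."):
        return cn == host
    suffix = cn[1:]                      # "*.hosting.com" -> ".hosting.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost


def days_left(entry: Entry, now: datetime) -> int:
    return (entry.expire - now).days


def audit(column_text: str, now: datetime, warn_days: int = 30) -> list[tuple[str, str, str]]:
    """Return (url, kind, detail) findings; duplicate per-IP entries counted once."""
    findings, seen = [], set()
    for e in parse_entries(column_text):
        key = (e.url, e.cn, e.expire)
        if key in seen:
            continue
        seen.add(key)
        if not hostname_matches(e.cn, e.host):
            findings.append((e.url, "name-mismatch", f"subject CN {e.cn} does not cover {e.host}"))
        if days_left(e, now) < warn_days:
            findings.append((e.url, "expiring", f"{days_left(e, now)} days left"))
    return findings


if __name__ == "__main__":
    for url, kind, detail in audit(SAMPLE_COLUMN, NOW):
        print(f"{kind:14} {url}  {detail}")
```

Run against a saved copy of the column, the only finding on the sample is the name mismatch for https://www.example.com/, which is exactly the situation in the original report: the column is green because the wildcard certificate is valid, while the certificate you actually care about is never looked at. The duplicate foobar.example.net entry is folded into one, so a genuine difference between the two cluster IPs would still appear as two distinct keys.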

