[Xymon] xymon checking wrong SSL cert on CNAME
Fabian Wendlandt
fabian.wendlandt at innowerk-it.de
Thu Jun 13 09:19:42 CEST 2024
Hi,
xymon http checks do not use SNI (server name indication) by default.
Your webserver will therefore return the certificate configured as the default certificate when no SNI is sent.
To use SNI, just add a "sni" tag to the host:
x.x.x.x www.example.com # noconn httpstatus;http://www.example.com/;301; https://www.example.com sni
BR
Fabian
From: Xymon <xymon-bounces at xymon.com> On behalf of betsys at well.com
Sent: Thursday, 13 June 2024 06:40
To: xymon at xymon.com
Subject: [Xymon] xymon checking wrong SSL cert on CNAME
Hi,
We have a website at a third-party hosting company, where our site https://www.example.com is a CNAME for something.hosting.com (not the real name).
We have a LetsEncrypt cert issued for www.example.com.
The cert wasn't updating, but xymon did not alert, because xymon is apparently evaluating the CNAME and then checking the cert for hosting.com (which has a wildcard cert *.hosting.com).
How do we make xymon check the cert for www.example.com, other than writing our own script? I think this is a fairly common setup for hosted websites.
(for a minute I thought about adding an A record but that would be wrong on multiple levels)
/home/xymon/server/etc/hosts.cfg has
x.x.x.x www.example.com # noconn httpstatus;http://www.example.com/;301; https://www.example.com
(where x.x.x.x is the actual IP)
Running xymon 4.3.30 on Alma 8
Thanks very much!
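
Added example (not part of the original thread, and not Xymon code): a Python sketch that connects to the same IP once without SNI and once with it, then checks whether the certificate returned covers the monitored name and how many days it has left. The function names are assumptions made for this example; fetch_cert() and compare() need network access, while cert_covers() and days_left() work on any certificate dict in the shape ssl.getpeercert() returns.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_cert(ip, hostname, use_sni, port=443, timeout=10):
    """Return the parsed leaf certificate served at ip, with or without SNI."""
    ctx = ssl.create_default_context()
    # Chain validation stays on; name matching is left to cert_covers() so a
    # certificate issued for another name can still be inspected.
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        sni = hostname if use_sni else None
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()


def cert_covers(cert, hostname):
    """True if a DNS subjectAltName matches hostname ("*." spans one label)."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        name = value.lower()
        wildcard = name.startswith("*.") and host.partition(".")[2] == name[2:]
        if kind == "DNS" and (name == host or wildcard):
            return True
    return False


def days_left(cert, now=None):
    """Days until notAfter, rounded down; negative once the cert has expired."""
    now = now or datetime.now(timezone.utc)
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(expiry, timezone.utc) - now).days


def compare(ip, hostname):
    """Report what a check without SNI and one with SNI each see at ip."""
    report = {}
    for label, use_sni in (("no_sni", False), ("sni", True)):
        try:
            cert = fetch_cert(ip, hostname, use_sni)
        except ssl.SSLCertVerificationError as exc:  # e.g. already expired
            report[label] = {"error": exc.verify_message}
            continue
        report[label] = {"covers_host": cert_covers(cert, hostname),
                         "days_left": days_left(cert)}
    return report
```

A compare() result where no_sni has covers_host False and sni has covers_host True matches the behaviour described in the reply: the server hands out its default certificate when no SNI is sent.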