[Xymon] xymon checking wrong SSL cert on CNAME

betsys at well.com betsys at well.com
Thu Jun 13 18:08:04 CEST 2024


The ‘SNI’ tag was the fix,

Thank you all!

 

From: Fabian Wendlandt <fabian.wendlandt at innowerk-it.de> 
Sent: Thursday, June 13, 2024 3:20 AM
To: betsys at well.com; xymon at xymon.com
Subject: AW: [Xymon] xymon checking wrong SSL cert on CNAME

 

Hi,

 

xymon http checks do not use SNI (server name indication) by default.

Your webserver will therefore return the certificate configured as the
default certificate when no SNI is sent.

 

To use SNI, just add a “sni” tag to the host:

x.x.x.x  www.example.com  # noconn httpstatus;http://www.example.com/;301; https://www.example.com sni

 

BR

Fabian

 

From: Xymon <xymon-bounces at xymon.com> On Behalf Of betsys at well.com
Sent: Thursday, June 13, 2024 06:40
To: xymon at xymon.com
Subject: [Xymon] xymon checking wrong SSL cert on CNAME

 

Hi, 

We have a website at a third-party hosting company, where our site
https://www.example.com is a cname for something.hosting.com (not the
real name)

We have a LetsEncrypt cert issued for www.example.com.

 

The cert wasn’t updating, but xymon did not alert, because xymon is
apparently evaluating the CNAME and then checking the cert for hosting.com
(which has a wildcard cert *.hosting.com)

 

How do we make xymon check the cert for www.example.com, other than
writing our own script? I think this is a fairly common setup for hosted
websites

(for a minute I thought about adding an A record but that would be wrong on
multiple levels)

 

/home/xymon/server/etc/hosts.cfg has 

x.x.x.x  www.example.com  # noconn httpstatus;http://www.example.com/;301; https://www.example.com

 

(where x.x.x.x is the actual IP)

 

Running xymon 4.3.30 on Alma 8

 

Thanks very much! 
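
Added example (not part of the thread and not Xymon's code): a Python check that evaluates a certificate against the hostname being monitored, so the provider's default *.hosting.com certificate returned without SNI is reported as a mismatch instead of being tracked for expiry. The sample certificate dictionaries and their dates are constructed, and the function names are illustrative.

```python
import socket
import ssl
import sys
import time

# Constructed getpeercert() results: the provider's default cert and the site's own.
SAMPLE_NO_SNI = {"subjectAltName": (("DNS", "*.hosting.com"),),
                 "notAfter": "Dec 31 23:59:59 2030 GMT"}
SAMPLE_SNI = {"subjectAltName": (("DNS", "www.example.com"),),
              "notAfter": "Sep 10 12:00:00 2024 GMT"}


def name_matches(pattern, host):
    """RFC 6125 style: '*' may stand only for the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]


def evaluate(cert, host, now=None, warn_days=30):
    """Return (colour, reason) for the certificate a server presented for host."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in names):
        return "red", "certificate names %s do not cover %s" % (names, host)
    now = time.time() if now is None else now
    days = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days < 0:
        return "red", "expired %.0f days ago" % -days
    colour = "yellow" if days < warn_days else "green"
    return colour, "expires in %.0f days" % days


def fetch_cert(addr, host, use_sni=True, port=443, timeout=10):
    """Fetch the leaf cert from addr, sending host as SNI only if use_sni.
    The chain is validated; the name check is left to evaluate()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((addr, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if use_sni else None) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) == 3:  # live: python3 script.py <address> <hostname>
        addr, host = sys.argv[1:]
        for sni in (False, True):
            try:
                print("sni" if sni else "no sni", evaluate(fetch_cert(addr, host, sni), host))
            except OSError as exc:  # includes ssl.SSLError, e.g. an expired chain
                print("sni" if sni else "no sni", ("red", str(exc)))
    else:  # offline: evaluate the constructed samples
        print(evaluate(SAMPLE_NO_SNI, "www.example.com"), evaluate(SAMPLE_SNI, "www.example.com"))
```

Run with an address and hostname to compare what the server presents with and without SNI; with no arguments it evaluates the constructed samples.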

 

 
