Re: [xymon] sslcert
- To: xymon (at) xymon.com
- Subject: Re: [xymon] sslcert
- From: Henrik "Størner" <henrik (at) hswn.dk>
- Date: Thu, 20 Jan 2011 22:06:42 +0000 (UTC)
- Newsgroups: lists.hobbit
- Organization: Linux Users Inc.
- References: <1295462714.2946.8.camel (at) Nokia-N900> <2685F464D7BC7C4DA88845C97AEB5F533A9AEA37B1 (at) qtomaexmbm22.AD.QINTRA.COM> <2685F464D7BC7C4DA88845C97AEB5F533A9AEA37B1 (at) qtomaexmbm22.AD.QINTRA.COM> <4D374E08.8030908 (at) makelofine.org>
- User-agent: nn/6.7.3
In <4D374E08.8030908 (at) makelofine.org> dOCtoR MADneSs <doctor (at) makelofine.org> writes:
>> My xymon server has a strange behaviour. I have a host called tata running SSLed services.
>> The tests are all OK. But when I go to sslcert test page, I see the information from another
>> host (called toto). Their SSL certificates are different, and all my other hosts have their
>> own SSL information.
>Here is the hosts.cfg content:
I've reformatted it slightly ...
>127.0.0.1 toto # bbd ftp \
https://wikileaks.makelofine.org \
https://mailadmin.makelofine.org \
https://www.makelofine.org \
https://test.makelofine.org \
imaps smtps pop3s \
http://wikileaks.makelofine.org \
http://www.raclo.fr \
http://www.pleinphares.fr \
http://www.xenon-tuning.fr \
http://www.hoodmark.fr \
http://www.chasseresse.com \
http://www.skapiso.com \
http://www.galey-ariege.fr \
http://photos.makelofine.org \
http://www.warcho.net \
apache=http://localhost/server-status?auto \
dns=galey-ariege.fr,skapiso.com,loozah.com,manurevah.com,loloack.com,makelofine.org \
smtp ssh imap pop3 apt \
libs bind postfix mysql hardware ntpq
TRENDS:*,!la,vmstat:vmstat1|vmstat2|vmstat3|vmstat4|vmstat5,apache:apache|apache1|apache2|apache3,mysql:mysql|mysqlslow|mysqlqueries|mysqltables|mysqlopens|mysqlflush|mysqlquestions,hardware:hardware|fans|voltages,mailgraph:mailgraph-rejected|mailgraph-local|mailgraph-amavis|mailgraph-spamd|mailgraph-postgrey|mailgraph-postgrey-passed|mailgraph-loglines|mailgraph-runtime
OK, so you have (at least) 7 SSL-enabled services running on one host.
The effect of that is rather unpredictable - when doing the "sslcert"
status, I didn't think that you would have one line in hosts.cfg with
multiple (different) SSL certificates. So which of the 7 certificates
will show up in the "sslcert" status is unpredictable.
It shouldn't mix certificates from different servers, though, and I
have never heard of it happening. Are you sure that the DNS entries for
tata and toto are completely separate? They don't point to the same IP -
or some round-robin DNS entry? (I note that both of them run "imaps", so
it could be a possibility).
Xymon by default doesn't care what IP-address you've put into hosts.cfg,
it will always do a DNS lookup on the hostname to determine the IP-
address. So tests for the "tata" server could easily end up on "toto",
if there is a hostname resolution problem. You can of course override
this by adding the "testip" tag to both of those hosts in hosts.cfg.
Regards,
Henrik
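
The two conditions raised in the reply above (several SSL-enabled services on one hosts.cfg line, and a hostname whose DNS lookup lands on a different address than the one written in hosts.cfg) can be checked with a short script. This is an added example, not part of the original message and not Xymon code. The `SSL_TAGS` set, the sample entries for tata and titi, the constructed DNS table and the use of `socket.gethostbyname` as a stand-in for Xymon's own lookup are assumptions.

```python
import ipaddress
import socket

SSL_TAGS = {"imaps", "smtps", "pop3s"}  # SSL services named in this thread, not a full list

# Constructed sample; toto's address is from the thread, the other entries are made up.
SAMPLE = r"""
127.0.0.1 toto # bbd ftp \
    https://www.makelofine.org \
    https://test.makelofine.org imaps
192.0.2.10 tata # imaps smtps
192.0.2.11 titi # testip https://example.org
"""
CONSTRUCTED_DNS = {"toto": "127.0.0.1", "tata": "127.0.0.1"}  # simulates the suspected mix-up

def parse_hosts_cfg(text):
    """Yield (ip, hostname, tags) per host entry, joining backslash continuations."""
    for line in text.replace("\\\n", " ").splitlines():
        head, _, tagpart = line.partition("#")
        fields = head.split()
        try:
            ipaddress.ip_address(fields[0])
            yield fields[0], fields[1], tagpart.split()
        except (IndexError, ValueError):
            continue  # blank line, comment, or a directive that is not a host entry

def audit(text, resolve=socket.gethostbyname):
    """Return (hostname, finding) pairs for the two problems discussed in the thread."""
    findings, seen = [], {}
    for ip, host, tags in parse_hosts_cfg(text):
        ssl = [t for t in tags if t.startswith("https://") or t in SSL_TAGS]
        if len(ssl) > 1:
            findings.append((host, f"{len(ssl)} SSL services, sslcert certificate is unpredictable"))
        tested = ip  # with testip the configured address is used as-is
        if "testip" not in tags:
            try:
                tested = resolve(host)
            except OSError:
                findings.append((host, "hostname does not resolve"))
                continue
            if tested != ip:
                findings.append((host, f"DNS gives {tested}, hosts.cfg says {ip}"))
        if tested in seen:
            findings.append((host, f"tested on same IP as {seen[tested]}"))
        seen.setdefault(tested, host)
    return findings

if __name__ == "__main__":
    for host, finding in audit(SAMPLE, resolve=CONSTRUCTED_DNS.__getitem__):
        print(f"{host}: {finding}")
```

Against a real hosts.cfg, call `audit()` with the default resolver on the Xymon server itself, so the lookups go through the same resolver configuration the network tests use.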