[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [xymon] sslcert



In <4D374E08.8030908 (at) makelofine.org> dOCtoR MADneSs <doctor (at) makelofine.org> writes:

>> My xymon server has a strange behaviour.I have a host called tata running SSLed services. 
>> The tests are all OK. But when I go to sslcert test page, I see the information from another 
>> host (called toto). Their SSL certificates are differents, and all my other hosts have their 
>> own SSL informations.

>Here is the hosts.cfg content :

I've reformatted it slightly ...

>127.0.0.1   toto    # bbd ftp \
	https://wikileaks.makelofine.org \
	https://mailadmin.makelofine.org \
	https://www.makelofine.org \
	https://test.makelofine.org \
	imaps smtps pop3s \
	http://wikileaks.makelofine.org \
	http://www.raclo.fr \
	http://www.pleinphares.fr \
	http://www.xenon-tuning.fr \
	http://www.hoodmark.fr \
	http://www.chasseresse.com \
	http://www.skapiso.com \
	http://www.galey-ariege.fr \
	http://photos.makelofine.org \
	http://www.warcho.net \
	apache=http://localhost/server-status?auto \
	dns=galey-ariege.fr,skapiso.com,loozah.com,manurevah.com,loloack.com,makelofine.org \
	smtp ssh imap pop3 apt \
	libs bind postfix mysql hardware ntpq
	TRENDS:*,!la,vmstat:vmstat1|vmstat2|vmstat3|vmstat4|vmstat5,apache:apache|apache1|apache2|apache3,mysql:mysql|mysqlslow|mysqlqueries|mysqltables|mysqlopens|mysqlflush|mysqlquestions,hardware:hardware|fans|voltages,mailgraph:mailgraph-rejected|mailgraph-local|mailgraph-amavis|mailgraph-spamd|mailgraph-postgrey|mailgraph-postgrey-passed|mailgraph-loglines|mailgraph-runtime

OK, so you have (at least) 7 SSL-enabled services running on one host.
The effect of that is rather unpredictable - when doing the "sslcert" 
status, I didn't think that you would have one line in hosts.cfg with 
multiple (different) SSL certificates. So which of the 7 certificates 
will show up in the "sslcert" status is unpredictable.

It shouldn't mix certificates from different servers, though, and I
have never heard of it happening.  Are you sure that the DNS entries for 
tata and toto are completely separate ? They don't point to the same IP - 
or some round-robin DNS entry? (I note that both of them run "imaps", so 
it could be a possibility).

Xymon by default doesn't care what IP-address you've put into hosts.cfg,
it will always do a DNS lookup on the hostname to determine the IP-
address. So tests for the "tata" server could easily end up on "toto",
if there is a hostname resolution problem. You can of course override
this by adding the "testip" tag to both of those hosts in hosts.cfg.


Regards,
Henrik