[Xymon] SSL Certificate test failure

Henrik Størner henrik at hswn.dk
Tue Nov 10 22:10:57 CET 2015


On 10-11-2015 at 15:27, Mark Felder wrote:
> [...] We're simply asking
> Xymon to be able to differentiate between a certificate with a valid
> chain of trust and one that is broken or self-signed.

You are correct that Xymon only checks the expiry-date of the 
certificate. This is - more or less - by design, since that is the most 
common problem with certificates: Your site works fine on Monday, and on 
Tuesday everything is down because the certificate has expired.

If your certificate is broken in the sense that the Common Name (i.e. the 
website name for which the certificate was issued) does not match your 
site, then *all* users will see that - so you figure it out pretty fast, 
usually before going live.

And name checking is not as simple as it seems. Lots of devices have 
self-signed certificates with meaningless names - tons of networking 
gear, application server admin consoles, intermediate proxy devices and 
so on. All of them can use self-signed certificates, or certificates 
issued by your own (company) CA. Xymon cannot validate them, because 
technically they are not trusted - you just want the TLS encryption to 
work, so you must live with the certificate.
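The three failure classes discussed above (expiry, a broken or self-signed chain, and a Common Name that does not match the site) can be told apart by letting the TLS library do full verification and inspecting the OpenSSL verify code on failure. The following is an added example, not Xymon's code and not from the thread: the function and status names are my own, the numeric codes are OpenSSL's x509_vfy.h constants, and the optional cafile lets a company CA be trusted so internally issued certificates are not reported as untrusted.

```python
import socket
import ssl
import time

# OpenSSL X509 verify error codes, grouped into the failure classes a
# monitoring check should distinguish.  Values are x509_vfy.h constants.
VERIFY_CLASSES = {
    9: "not-yet-valid",        # X509_V_ERR_CERT_NOT_YET_VALID
    10: "expired",             # X509_V_ERR_CERT_HAS_EXPIRED
    18: "untrusted-chain",     # X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
    19: "untrusted-chain",     # X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
    20: "untrusted-chain",     # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    21: "untrusted-chain",     # X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
    62: "hostname-mismatch",   # X509_V_ERR_HOSTNAME_MISMATCH
}


def classify_verify_code(code):
    """Map an OpenSSL verify error code to a short monitoring status."""
    return VERIFY_CLASSES.get(code, "verify-error-%d" % code)


def days_until_expiry(not_after, now=None):
    """Whole days left, given the 'notAfter' string from getpeercert().

    now is seconds since the epoch (UTC); defaults to the current time.
    """
    expires = ssl.cert_time_to_seconds(not_after)
    now_ts = now if now is not None else time.time()
    return int((expires - now_ts) // 86400)


def check_site(host, port=443, cafile=None, warn_days=30, timeout=10):
    """Connect to host:port and classify its certificate.

    cafile: optional PEM bundle of a private/company CA to trust as well.
    Returns (status, detail); status is ok, expiring, expired,
    not-yet-valid, untrusted-chain, hostname-mismatch, verify-error-N
    or connect-error.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname checks on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_code(exc.verify_code), exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return "connect-error", str(exc)
    left = days_until_expiry(not_after)
    return ("expiring" if left < warn_days else "ok"), "%d days left" % left
```

Run as a custom check with a warning threshold that matches how long your CA takes to reissue, and pass cafile for hosts signed by your own CA.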

