Checking SSL Certificate

Posted: Mon Dec 14, 2015 5:41 am
by amprantino
Dear all,

I am trying to validate the https certificate of a web server using check_ssl_certificate plugin.
https://exchange.nagios.org/directory/P ... te/details

The problem is:

when I try to access http://myserver.domain.com I get the certificate from https://ServerIP instead of the certificate I use for this vhost.

Any idea how to solve this issue?

Thank you

Re: Checking SSL Certificate

Posted: Mon Dec 14, 2015 5:56 pm
by tgriep
Can you log in to the server as root and run the command and post the output?

Re: Checking SSL Certificate

Posted: Thu Dec 17, 2015 10:17 am
by amprantino
root@davinci:/usr/local/nagios/libexec# ./check_ssl_certificate -H http://www.mysite.gr
m=Dec, d=27, h=23, m=59, s=59, y=2015, z=GMT
check_ssl_certificates: WARNING - only 10 day(s) left for this certificate.

However, this is the certificate of http://100.100.100.100 (to which the domain name http://www.mysite.gr resolves).

It doesn't check the actual FQDN but the IP.

Re: Checking SSL Certificate

Posted: Thu Dec 17, 2015 2:16 pm
by rkennedy
What is the web server running in the back end to serve each different SSL certificate?

I tried to replicate things over here, and haven't been able to.

What certificate do you see if you check the domain at https://www.ssllabs.com/ssltest/ ?

Re: Checking SSL Certificate

Posted: Sat Dec 19, 2015 12:40 pm
by amprantino
Valid until Wed, 27 Apr 2016 23:59:59 UTC (expires in 4 months and 8 days)
Which is the correct date of the vhost's certificate

Re: Checking SSL Certificate

Posted: Sun Dec 20, 2015 4:42 pm
by millisa
I think the plugin you are using isn't set up to pass host header info. I looked at the script and it has a -a option that is supposed to be for sending extra info like the host header. You might be able to modify the check plugin to do that (look at the openssl open line there in the perl script).
However, if you just want to watch for cert expirations on web sites, the stock check_http plugin can do that for you.
A command definition like:

     command_line    $USER1$/check_http --ssl -C 30 -H $HOSTADDRESS$ $ARG1$
Should give you a thirty-day heads-up before cert expiration. (The important bit to the line above is the -H instead of -I)
In most cases, you can leave $ARG1$ blank for the actual service definition (it's just there in case you have a check that needs more arguments, like alternate ports and such)

Edit: fixed a reversed h/i

Also this example run may help you see what it should look like:

[user@servername ~]$ /usr/lib64/nagios/plugins/check_http -H support.nagios.com --ssl -C 30
OK - Certificate '*.nagios.com' will expire on Fri 11 May 2018 12:59:00 AM CDT.

Re: Checking SSL Certificate

Posted: Mon Dec 21, 2015 4:14 am
by amprantino
./check_http -H http://www.mydomain.com --ssl -C 30
WARNING - Certificate '*.mydomain.com' expires in 6 day(s) (Sun 27 Dec 2015 11:59:00 PM EET).

Similar wrong response!

Re: Checking SSL Certificate

Posted: Mon Dec 21, 2015 12:20 pm
by millisa
Try using the --sni switch:

[someguy@servername conf.d]$ /usr/lib64/nagios/plugins/check_http -H support.nagios.com --ssl --sni -C 30 
OK - Certificate '*.nagios.com' will expire on Fri 11 May 2018 12:59:00 AM CDT.

Re: Checking SSL Certificate

Posted: Mon Dec 21, 2015 1:20 pm
by rkennedy
Thanks @millisa!

As stated above, give the --sni flag a try and let us know the result.

Re: Checking SSL Certificate

Posted: Mon Dec 21, 2015 2:02 pm
by amprantino
# ./check_http -H www.mydomain.gr --ssl -C 30 --sni
OK - Certificate 'www.mydomain.gr' will expire on Thu 28 Apr 2016 12:59:00 AM EEST.

Yep, it works now!!!
Awesome!

Thank you