Checking SSL Certificate

Engage with the community of users including those using the open source solutions.
Includes Nagios Core, Plugins, and NCPA

Checking SSL Certificate

Postby amprantino » Mon Dec 14, 2015 5:41 am

Dear all,

I am trying to validate the https certificate of a web server using check_ssl_certificate plugin.
https://exchange.nagios.org/directory/P ... te/details

Which is the problem:

when I try to access http://myserver.domain.com I get the certificate from https://ServerIP instead of the certificate I use for this
vhost.

Any idea how to solve this issue?

Thank you
amprantino
 
Posts: 140
Joined: Thu Apr 18, 2013 8:25 am
Location: libexec

Re: Checking SSL Certificate

Postby tgriep » Mon Dec 14, 2015 5:56 pm

Can you login to the server as root and run the command and post the output?
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
User avatar
tgriep
Madmin
 
Posts: 9064
Joined: Thu Oct 30, 2014 9:02 am

Re: Checking SSL Certificate

Postby amprantino » Thu Dec 17, 2015 10:17 am

root@davinci:/usr/local/nagios/libexec# ./check_ssl_certificate -H http://www.mysite.gr
m=Dec, d=27, h=23, m=59, s=59, y=2015, z=GMT
check_ssl_certificates: WARNING - only 10 day(s) left for this certificate.

However, this is the certificate of the http://100.100.100.100 (where resolves the domain name http://www.mysite.gr)

It doesn't check the actual FQDN but the IP
amprantino
 
Posts: 140
Joined: Thu Apr 18, 2013 8:25 am
Location: libexec

Re: Checking SSL Certificate

Postby rkennedy » Thu Dec 17, 2015 2:16 pm

What is the web server running in the back end to serve each different SSL certificate?

I tried to replicate things over here, and haven't been able to.

What certificate do you see if you check the domain at https://www.ssllabs.com/ssltest/ ?
Former Nagios Employee
rkennedy
 
Posts: 6581
Joined: Mon Oct 05, 2015 11:45 am

Re: Checking SSL Certificate

Postby amprantino » Sat Dec 19, 2015 12:40 pm

Valid until Wed, 27 Apr 2016 23:59:59 UTC (expires in 4 months and 8 days)
Which is the correct date of the vhost's certificate
amprantino
 
Posts: 140
Joined: Thu Apr 18, 2013 8:25 am
Location: libexec

Re: Checking SSL Certificate

Postby millisa » Sun Dec 20, 2015 4:42 pm

I think the plugin you are using isn't setup to pass host header info. I looked at the script and it has a -a option that is supposed to be for sending extra info like the host header. You might be able to modify the check plugin to do that (look at the openssl open line there in the perl script)
However, if you just want to watch for cert expirations on web sites, the stock check_http plugin can do that for you.
A command definition like:
Code: Select all
     command_line    $USER1$/check_http --ssl -C 30 -H $HOSTADDRESS$ $ARG1$

Should give you a thirty days headsup before cert expiration. (The important bit to the line above is the -H instead of -I)
In most cases, you can leave $ARG1$ blank for the actual service definition (it's just there in case you have a check that needs more arguments, like alternate ports and such)

Edit: fixed a reversed h/i

Also this example run may help you see what it should look like:
Code: Select all
[user@servername ~]$ /usr/lib64/nagios/plugins/check_http -H support.nagios.com --ssl -C 30
OK - Certificate '*.nagios.com' will expire on Fri 11 May 2018 12:59:00 AM CDT.
User avatar
millisa
 
Posts: 69
Joined: Thu Jan 16, 2014 11:13 pm
Location: Austin, TX

Re: Checking SSL Certificate

Postby amprantino » Mon Dec 21, 2015 4:14 am

./check_http -H http://www.mydomain.com --ssl -C 30
WARNING - Certificate '*.mydomain.com' expires in 6 day(s) (Sun 27 Dec 2015 11:59:00 PM EET).

Similar wrong response!
amprantino
 
Posts: 140
Joined: Thu Apr 18, 2013 8:25 am
Location: libexec

Re: Checking SSL Certificate

Postby millisa » Mon Dec 21, 2015 12:20 pm

Try using the --sni switch:
Code: Select all
[someguy@servername conf.d]$ /usr/lib64/nagios/plugins/check_http -H support.nagios.com --ssl --sni -C 30
OK - Certificate '*.nagios.com' will expire on Fri 11 May 2018 12:59:00 AM CDT.
User avatar
millisa
 
Posts: 69
Joined: Thu Jan 16, 2014 11:13 pm
Location: Austin, TX

Re: Checking SSL Certificate

Postby rkennedy » Mon Dec 21, 2015 1:20 pm

Thanks @millisa!

As stated above, give the --sni flag a try and let us know the result.
Former Nagios Employee
rkennedy
 
Posts: 6581
Joined: Mon Oct 05, 2015 11:45 am

Re: Checking SSL Certificate

Postby amprantino » Mon Dec 21, 2015 2:02 pm

# ./check_http -H www.mydomain.gr --ssl -C 30 --sni
OK - Certificate 'www.mydomain.gr' will expire on Thu 28 Apr 2016 12:59:00 AM EEST.

Yep, it works now!!!
Awesome!

Thank you
amprantino
 
Posts: 140
Joined: Thu Apr 18, 2013 8:25 am
Location: libexec

Next

Return to Community Support

Who is online

Users browsing this forum: No registered users and 42 guests