Checking SSL Certificate

[amprantino]

Dear all,

I am trying to validate the https certificate of a web server using check_ssl_certificate plugin.
https://exchange.nagios.org/directory/P ... te/details

Which is the problem:

when I try to access http://myserver.domain.com I get the certificate from https://ServerIP instead of the certificate I use for this
vhost.

Any idea how to solve this issue?

Thank you

[tgriep]

Can you login to the server as root and run the command and post the output?

[amprantino]

root@davinci:/usr/local/nagios/libexec# ./check_ssl_certificate -H http://www.mysite.gr
m=Dec, d=27, h=23, m=59, s=59, y=2015, z=GMT
check_ssl_certificates: WARNING - only 10 day(s) left for this certificate.

However, this is the certificate of the http://100.100.100.100 (where resolves the domain name http://www.mysite.gr)

It doesn't check the actual FQDN but the IP

[rkennedy]

What is the web server running in the back end to serve each different SSL certificate?

I tried to replicate things over here, and haven't been able to.

What certificate do you see if you check the domain at https://www.ssllabs.com/ssltest/ ?

[amprantino]

Valid until Wed, 27 Apr 2016 23:59:59 UTC (expires in 4 months and 8 days)
Which is the correct date of the vhost's certificate

[millisa]

I think the plugin you are using isn't setup to pass host header info. I looked at the script and it has a -a option that is supposed to be for sending extra info like the host header. You might be able to modify the check plugin to do that (look at the openssl open line there in the perl script)
However, if you just want to watch for cert expirations on web sites, the stock check_http plugin can do that for you.
A command definition like:

Code: Select all

     command_line    $USER1$/check_http --ssl -C 30 -H $HOSTADDRESS$ $ARG1$


Should give you a thirty days headsup before cert expiration. (The important bit to the line above is the -H instead of -I)
In most cases, you can leave $ARG1$ blank for the actual service definition (it's just there in case you have a check that needs more arguments, like alternate ports and such)

Edit: fixed a reversed h/i

Also this example run may help you see what it should look like:

Code: Select all

[user@servername ~]$ /usr/lib64/nagios/plugins/check_http -H support.nagios.com --ssl -C 30
OK - Certificate '*.nagios.com' will expire on Fri 11 May 2018 12:59:00 AM CDT.


[amprantino]

./check_http -H http://www.mydomain.com --ssl -C 30
WARNING - Certificate '*.mydomain.com' expires in 6 day(s) (Sun 27 Dec 2015 11:59:00 PM EET).

Similar wrong response!

[millisa]

Try using the --sni switch:

Code: Select all

[someguy@servername conf.d]$ /usr/lib64/nagios/plugins/check_http -H support.nagios.com --ssl --sni -C 30
OK - Certificate '*.nagios.com' will expire on Fri 11 May 2018 12:59:00 AM CDT.


[rkennedy]

Thanks @millisa!

As stated above, give the --sni flag a try and let us know the result.

[amprantino]

# ./check_http -H www.mydomain.gr --ssl -C 30 --sni
OK - Certificate 'www.mydomain.gr' will expire on Thu 28 Apr 2016 12:59:00 AM EEST.

Yep, it works now!!!
Awesome!

Thank you