Checking SSL Certificate
-
- Posts: 140
- Joined: Thu Apr 18, 2013 8:25 am
- Location: libexec
Checking SSL Certificate
Dear all,
I am trying to validate the https certificate of a web server using check_ssl_certificate plugin.
https://exchange.nagios.org/directory/P ... te/details
Which is the problem:
when I try to access http://myserver.domain.com I get the certificate from https://ServerIP instead of the certificate I use for this
vhost.
Any idea how to solve this issue?
Thank you
I am trying to validate the https certificate of a web server using check_ssl_certificate plugin.
https://exchange.nagios.org/directory/P ... te/details
Which is the problem:
when I try to access http://myserver.domain.com I get the certificate from https://ServerIP instead of the certificate I use for this
vhost.
Any idea how to solve this issue?
Thank you
Re: Checking SSL Certificate
Can you login to the server as root and run the command and post the output?
Be sure to check out our Knowledgebase for helpful articles and solutions!
-
- Posts: 140
- Joined: Thu Apr 18, 2013 8:25 am
- Location: libexec
Re: Checking SSL Certificate
root@davinci:/usr/local/nagios/libexec# ./check_ssl_certificate -H http://www.mysite.gr
m=Dec, d=27, h=23, m=59, s=59, y=2015, z=GMT
check_ssl_certificates: WARNING - only 10 day(s) left for this certificate.
However, this is the certificate of the http://100.100.100.100 (where resolves the domain name http://www.mysite.gr)
It doesn't check the actual FQDN but the IP
m=Dec, d=27, h=23, m=59, s=59, y=2015, z=GMT
check_ssl_certificates: WARNING - only 10 day(s) left for this certificate.
However, this is the certificate of the http://100.100.100.100 (where resolves the domain name http://www.mysite.gr)
It doesn't check the actual FQDN but the IP
Re: Checking SSL Certificate
What is the web server running in the back end to serve each different SSL certificate?
I tried to replicate things over here, and haven't been able to.
What certificate do you see if you check the domain at https://www.ssllabs.com/ssltest/ ?
I tried to replicate things over here, and haven't been able to.
What certificate do you see if you check the domain at https://www.ssllabs.com/ssltest/ ?
Former Nagios Employee
-
- Posts: 140
- Joined: Thu Apr 18, 2013 8:25 am
- Location: libexec
Re: Checking SSL Certificate
Valid until Wed, 27 Apr 2016 23:59:59 UTC (expires in 4 months and 8 days)
Which is the correct date of the vhost's certificate
Which is the correct date of the vhost's certificate
Re: Checking SSL Certificate
I think the plugin you are using isn't setup to pass host header info. I looked at the script and it has a -a option that is supposed to be for sending extra info like the host header. You might be able to modify the check plugin to do that (look at the openssl open line there in the perl script)
However, if you just want to watch for cert expirations on web sites, the stock check_http plugin can do that for you.
A command definition like:
Should give you a thirty days headsup before cert expiration. (The important bit to the line above is the -H instead of -I)
In most cases, you can leave $ARG1$ blank for the actual service definition (it's just there in case you have a check that needs more arguments, like alternate ports and such)
Edit: fixed a reversed h/i
Also this example run may help you see what it should look like:
However, if you just want to watch for cert expirations on web sites, the stock check_http plugin can do that for you.
A command definition like:
Code: Select all
command_line $USER1$/check_http --ssl -C 30 -H $HOSTADDRESS$ $ARG1$
In most cases, you can leave $ARG1$ blank for the actual service definition (it's just there in case you have a check that needs more arguments, like alternate ports and such)
Edit: fixed a reversed h/i
Also this example run may help you see what it should look like:
Code: Select all
[user@servername ~]$ /usr/lib64/nagios/plugins/check_http -H support.nagios.com --ssl -C 30
OK - Certificate '*.nagios.com' will expire on Fri 11 May 2018 12:59:00 AM CDT.
-
- Posts: 140
- Joined: Thu Apr 18, 2013 8:25 am
- Location: libexec
Re: Checking SSL Certificate
./check_http -H http://www.mydomain.com --ssl -C 30
WARNING - Certificate '*.mydomain.com' expires in 6 day(s) (Sun 27 Dec 2015 11:59:00 PM EET).
Similar wrong response!
WARNING - Certificate '*.mydomain.com' expires in 6 day(s) (Sun 27 Dec 2015 11:59:00 PM EET).
Similar wrong response!
Re: Checking SSL Certificate
Try using the --sni switch:
Code: Select all
[someguy@servername conf.d]$ /usr/lib64/nagios/plugins/check_http -H support.nagios.com --ssl --sni -C 30
OK - Certificate '*.nagios.com' will expire on Fri 11 May 2018 12:59:00 AM CDT.
Re: Checking SSL Certificate
Former Nagios Employee
-
- Posts: 140
- Joined: Thu Apr 18, 2013 8:25 am
- Location: libexec
Re: Checking SSL Certificate
# ./check_http -H www.mydomain.gr --ssl -C 30 --sni
OK - Certificate 'www.mydomain.gr' will expire on Thu 28 Apr 2016 12:59:00 AM EEST.
Yep, it works now!!!
Awesome!
Thank you
OK - Certificate 'www.mydomain.gr' will expire on Thu 28 Apr 2016 12:59:00 AM EEST.
Yep, it works now!!!
Awesome!
Thank you