SSL Cert Discovery
I have a service that checks when the SSL certs are due to expire, and it works fine and dandy.
What I am looking for is something that will scan through my network (and VLANs) and find all the machines with certs. Kind of a pain to hunt for them. Adding the service check is easy, but I need a way to find what machines to add them to first.
Any ideas?
Everybody is somebody else’s weirdo
Re: SSL Cert Discovery
You could run the Auto-Discovery Wizard.
Go to Configure --> Configuration Tools --> Auto-Discovery
Click on New Auto-Discovery Job
Under Scan Target: Type in your network, for instance 172.131.142.0/24
For most scenarios, you will want to leave Exclude IPs blank, and Schedule at One Time.
Click Submit
Now the scan should be running.
Once the scan completes, if there is something not found previously that was found this time, it should say something such as 1 New / 5 Total under Devices Found.
Click on the 1 New
This will take you to a configuration wizard for the results the job found. Select whatever options are best fit for you, again, default is generally fine. Let us know if this is what you're looking for or not.
Be sure to check out the Knowledgebase for helpful articles and solutions!
Re: SSL Cert Discovery
It appears to have potential... I will need to investigate.
Everybody is somebody else’s weirdo
Re: SSL Cert Discovery
The Auto-Discovery wizard within Nagios XI essentially just runs an nmap against networks your Nagios XI server can see and parses the output.
Using that same methodology, you could write a script that takes all of those hosts that nmap finds and checks them for SSL certificates using openssl. See here for an example:
http://stackoverflow.com/questions/7885 ... m-a-server
Definitely an interesting problem, but seems doable. nmap and openssl are your best friends here IMO.
Former Nagios employee
https://www.mcapra.com/
Re: SSL Cert Discovery
One issue I have found doing it this way... is that if the host is already being monitored, but not for the SSL cert, then I would still be in the dark on what existing machines have them.
Everybody is somebody else’s weirdo
Re: SSL Cert Discovery
This isn't exactly Nagios related, but more on the side of bash scripting. You could probably make some modifications to this based on what you need to scan, but this should help.
servers.txt
Code:
google.com
yahoo.com
nagios.com
Now, let's use this one-liner in conjunction with servers.txt. If you're able to populate a similar file with hostnames / IPs, then this should work as it'll run check_http against every machine in that file. You could refine this with a 'grep' on top of it all, to only show ones that come back a certain way.
Code:
[root@localhost ~]# for host in $(cat servers.txt); do /usr/local/nagios/libexec/check_http -H $host -C 30; done
OK - Certificate '*.google.com' will expire on Thu 22 Sep 2016 03:52:00 PM CDT.
OK - Certificate 'www.yahoo.com' will expire on Tue 31 Oct 2017 12:59:00 AM CDT.
OK - Certificate '*.nagios.com' will expire on Fri 11 May 2018 12:59:00 AM CDT.
Former Nagios Employee
Re: SSL Cert Discovery
Hey, sorry to butt in, but this would be a sweet plugin or something! Any takers?
Proudly running:
NagiosXI 5.4.12 2 node Prod Env 2500 hosts, 13,000 services
Nagiosxi 5.5.7(test env) 2500 hosts, 13,000 services
Nagios Logserver 2 node Prod Env 500 objects sending
Nagios Network Analyser
Nagios Fusion
Re: SSL Cert Discovery
How about this one-liner?
Code:
for host in $(nmap -sL 172.217.4.96/27 | grep 'Nmap scan report' | awk '{print $NF}' | sed -e 's/(//' -e 's/)//'); do /usr/local/nagios/libexec/check_http -H $host -p 443 -C 30; done
Which will check the whole subnet 172.217.4.96/27 for certificates on port 443. Output follows:
Code:
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.googleusercontent.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.g.doubleclick.net' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'www.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'mail.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.doubleclick.net' will expire on Wed 28 Sep 2016 09:02:00 AM CDT.
OK - Certificate '*.mail.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google-analytics.com' will expire on Wed 28 Sep 2016 09:02:00 AM CDT.
OK - Certificate '*.blogger.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.googleapis.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'm.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'googlezip.net' will expire on Wed 28 Sep 2016 09:02:00 AM CDT.
OK - Certificate 'accounts.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'upload.video.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.storage.googleapis.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.appspot.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.unicast.metric.gstatic.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
CRITICAL - Cannot make SSL connection.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
Want a script with inputs?
Code:
#!/bin/bash
# First input ($1) is the network range to scan
# Second input ($2) is the port to check for a SSL certificate
# nmap -sL only lists the addresses in the range; check_http then tries each one.
# The inputs are quoted so a stray space or glob character cannot split into extra arguments.
for host in $(nmap -sL "$1" | grep 'Nmap scan report' | awk '{print $NF}' | sed -e 's/(//' -e 's/)//'); do
    /usr/local/nagios/libexec/check_http -H "$host" -p "$2" -C 30
done
Would be executed with yourscript.sh 172.217.4.96/27 443
Former Nagios Employee
Re: SSL Cert Discovery
Getting close..... 
How could you make it so it only displays the items that have already expired and items that will expire in X number of days?
Everybody is somebody else’s weirdo
Re: SSL Cert Discovery
Some creative grepping could achieve what you want, coupled with a little math to determine thresholds for the age, but that's getting into custom development, and is something we would need to discuss with the developers. We're able to make basic additions/modifications to existing plugins, and in some cases write simple ones from scratch, but when feature requests come in it's time to treat this like development. I can certainly start the conversation off if you would like, just let me know.
Former Nagios employee
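One way to do the "grepping plus a little math" asked about above, as an added example that is not from any poster in this thread: a filter over saved check_http output that keeps only certificates already flagged by the plugin or expiring within N days. The function names, the reference date and the WARNING sample line are assumptions made for the illustration; the date parsing covers only the timestamp layout shown in the outputs above.

```shell
#!/bin/bash
# Added example, not from the thread. Usage:
#   expiring_within DAYS [TODAY as YYYY-MM-DD] < saved_check_http_output
expiring_within() {
    awk -v days="$1" -v today="${2:-$(date +%F)}" -v q="'" '
    # Days since 1970-01-01 for a Gregorian calendar date.
    function daynum(y, m, d,    era, yoe, doy) {
        if (m <= 2) { y--; m += 12 }
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m - 3) + 2) / 5) + d - 1
        return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", n, " ")
        for (i = 1; i <= 12; i++) mon[n[i]] = i
        split(today, t, "-"); now = daynum(t[1] + 0, t[2] + 0, t[3] + 0)
    }
    # No certificate on this line (nothing speaking TLS on the port): skip it.
    !/Certificate/ { next }
    # Non-OK certificate lines are already inside the -C window or expired.
    !/^OK / { print "ATTENTION\t" $0; next }
    # OK lines: redo the threshold math on the printed expiry date.
    / will expire on / {
        split($0, p, q)    # p[2] is the certificate name between the quotes
        split(substr($0, index($0, " will expire on ") + 16), d, " ")
        left = daynum(d[4] + 0, mon[d[3]], d[2] + 0) - now
        if (left <= days) printf "%d days\t%s\n", left, p[2]
    }'
}

# Constructed sample: four lines copied from the outputs in this thread, plus
# one made-up WARNING line (hypothetical host, wording may differ by version).
sample_scan_output() {
    cat <<'EOF'
OK - Certificate '*.google.com' will expire on Thu 22 Sep 2016 03:52:00 PM CDT.
OK - Certificate 'www.yahoo.com' will expire on Tue 31 Oct 2017 12:59:00 AM CDT.
OK - Certificate '*.nagios.com' will expire on Fri 11 May 2018 12:59:00 AM CDT.
CRITICAL - Cannot make SSL connection.
WARNING - Certificate 'intranet.example' expires in 12 day(s) (Mon 01 Aug 2016 10:00:00 AM CDT).
EOF
}

# Demo: what needs attention within 90 days, as of 2016-07-20?
sample_scan_output | expiring_within 90 2016-07-20
```

Day counts ignore the time of day and time zone, so treat them as accurate to within a day. The check_http lines carry no host name, so prefix each one in the scan loop if the report has to say which machine the certificate was found on.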