FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
This is probably simple, but it's something I'm not well versed in. I have a server for which the only access in is through FTPS on port 990, and I want to monitor the certificate expiration date on the server.
I've seen in other discussions that there may exist some sort of expiration check for FTPS, but I can't seem to find it. Has anyone here tried to do this, and with what level of success?
Last edited by sav2880 on Tue Dec 26, 2017 10:47 am, edited 1 time in total.
dwhitfield (Former Nagios Staff)
Re: SFTP Certificate Monitoring
SFTP uses SSH (your subject). https://exchange.nagios.org/directory/P ... 29/details claims to do SFTP.
FTPS uses SSL (the text). If you mean FTPS, then https://exchange.nagios.org//directory/ ... rt/details might work. There are some other SSL checks, and it's likely one of those will work, with some minor tweaks.
Once I know if you are using SFTP or FTPS, I can certainly do more digging.
Re: SFTP Certificate Monitoring
This is definitely using FTPS (FTP over SSL), so agreed, did not have the subject line as clear and concise as it should be. I'll fix that now.
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
The aforementioned check_ssl_cert plugin is probably appropriate and specifically includes considerations for the ftp protocol:
-P,--protocol protocol use the specific protocol
{http|smtp|pop3|imap|ftp|xmpp|irc|ldap}
http: default
smtp,pop3,imap,ftp,ldap: switch to TLS
Let us know if you have problems getting it working.
Former Nagios employee
https://www.mcapra.com/
dwhitfield (Former Nagios Staff)
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
I'll be working on it today. 
dwhitfield (Former Nagios Staff)
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Sounds good. If you aren't familiar with setting up plugins in XI, I think https://assets.nagios.com/downloads/nag ... ios-XI.pdf will be helpful. Let us know if you run into any difficulty.
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Alright, I think we're getting closer. Dropped the code into my /usr/local/nagios/libexec directory (actually a subdirectory underneath).
When I use a normal client (FileZilla or WinSCP), I can log in with a username and password and I get a certificate. In fact, I get the certificate in WinSCP, and it's returning:
Cryptographic Protocol: TLS/SSL Implicit (TLSv1)
Encryption Algorithm: TLSv1/SSLv3
When I then try this on the Nagios server itself from an SSH command line, this is what happens:
-bash-4.1$ ./check_ssl_cert --host [HOST NAME HERE] --protocol ftp --port 990 --tls1 --verbose
expect available (/usr/bin/expect)
timeout available (/usr/bin/timeout)
found GNU date with timestamp support: enabling date computations
'/usr/bin/openssl s_client' does not support '-xmpphost': disabling 'to' attribute
downloading certificate to /tmp
Error: verify depth is 6
SSL_CERT CRITICAL [HOST NAME HERE]: No certificate returned
-bash-4.1$
Obviously the first question would be, is the server's port REALLY reachable here? Appears to be.
-bash-4.1$ tcping [HOST NAME HERE] 990
[HOST NAME HERE] port 990 open.
So with that I'm a bit stumped.
* Could I have a dependency issue based on the verbose output?
* Would the OpenSSL error here be concerning?
kyang
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
I don't have an FTPS server to test it out against, but here's my example.
This is my cert for HTTP. It returns this when I use the path to the cert location, actually with or without it.
./check_ssl_cert -H 192.168.4.125 -P http -r /etc/pki/tls/certs/ -A
SSL_CERT OK - x509 certificate 'localhost.localdomain' from 'localhost.localdomain' valid until Apr 25 20:18:11 2018 GMT (expires in 118 days)|days=118;;;
Try running the command like this, and give us the output.
./check_ssl_cert -H <HOST> -P ftp -p 990 -A
If nothing, try adding the path to the cert.
./check_ssl_cert -H <HOST> -P ftp -p 990 -r <cert location> -A
-r,--rootcert path root certificate or directory to be used for
certificate validation
Let us know the output. Thanks!
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Same output where it's saying that there is no certificate returned. Starting to wonder if I'm able to make ftps connections at all from this shell prompt.
How can I test the ftps shell connection is fully working in the first place? Maybe the tcping showing the port was open wasn't enough.
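The WinSCP output earlier in the thread says "Implicit": on port 990 the server expects the TLS handshake as the very first thing on the connection, whereas the plugin's ftp protocol option is documented above as "switch to TLS", i.e. it starts in plaintext and upgrades. The script below is an added example, not part of this thread and not the check_ssl_cert plugin; it opens TLS immediately on port 990 and reports expiry in Nagios form, and the host name, CA path and sample dates in it are constructed placeholders.

```python
"""Expiry check for implicit FTPS: TLS is negotiated immediately on connect.
Added example, not the check_ssl_cert plugin. The host, port 990 default,
CA path and sample dates are placeholders/constructed values."""
import socket
import ssl
import sys
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3          # Nagios exit codes
NOTAFTER_FMT = "%b %d %H:%M:%S %Y %Z"                 # 'Apr 25 20:18:11 2018 GMT'

def fetch_peer_cert(host, port=990, cafile=None, timeout=10):
    """Connect and start TLS at once (no plaintext upgrade); cafile mirrors -r."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain + hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()                  # dict; empty if unverified

def parse_notafter(text):
    """Parse the notAfter string that ssl/openssl print into an aware UTC datetime."""
    return datetime.strptime(text, NOTAFTER_FMT).replace(tzinfo=timezone.utc)

def days_until_expiry(not_after, now=None):
    """Whole days left (negative once expired); 'now' defaults to the current time."""
    now = now or datetime.now(timezone.utc)
    return (parse_notafter(not_after) - now).days

def evaluate(days, warn=30, crit=7, subject="certificate"):
    """Map days-left to a Nagios state and a message with perfdata."""
    state = CRITICAL if days <= crit else WARNING if days <= warn else OK
    label = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}[state]
    when = f"expired {-days} days ago" if days < 0 else f"expires in {days} days"
    return state, f"SSL_CERT {label} - {subject} {when}|days={days};{warn};{crit}"

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "ftps.example.invalid"  # placeholder
    cafile = sys.argv[2] if len(sys.argv) > 2 else None                  # like -r
    try:
        cert = fetch_peer_cert(host, 990, cafile=cafile)
        cn = dict(rdn[0] for rdn in cert["subject"]).get("commonName", host)
        state, msg = evaluate(days_until_expiry(cert["notAfter"]), subject=cn)
    except OSError as exc:            # covers refused/timeout and ssl.SSLError
        state, msg = UNKNOWN, f"SSL_CERT UNKNOWN - {host}:990 {exc}"
    print(msg)
    sys.exit(state)
```

If the handshake itself fails here while the plugin reports "No certificate returned", the two agree that TLS is not being established the way the server expects, which narrows the problem to the connection rather than to certificate parsing.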