SSL certificate monitoring

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
RIDS_I2MP
Posts: 751
Joined: Thu Mar 13, 2014 9:25 am

Re: SSL certificate monitoring

Post by RIDS_I2MP »

Hello,

Still getting same error:

[root@HO1-NAGIOSXI libexec]# /usr/local/nagios/libexec/check_http -H 10.1.210.248 -C 10 --ssl=1+
CRITICAL - Cannot make SSL connection.
139772835166016:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
[root@HO1-NAGIOSXI libexec]#
[root@HO1-NAGIOSXI libexec]# /usr/local/nagios/libexec/check_http -H 10.1.210.248 -C 10 --ssl=2+
CRITICAL - Cannot make SSL connection.
140187336841024:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
[root@HO1-NAGIOSXI libexec]#
[root@HO1-NAGIOSXI libexec]#
[root@HO1-NAGIOSXI libexec]# /usr/local/nagios/libexec/check_http -H 10.1.210.248 -C 10 --ssl=3+
CRITICAL - Cannot make SSL connection.
139751346493248:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
[root@HO1-NAGIOSXI libexec]#
[root@HO1-NAGIOSXI libexec]#
[root@HO1-NAGIOSXI libexec]# /usr/local/nagios/libexec/check_http -H 10.1.210.248 -C 10 --ssl=1.1+
CRITICAL - Cannot make SSL connection.
140021198370624:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
[root@HO1-NAGIOSXI libexec]#
[root@HO1-NAGIOSXI libexec]#
[root@HO1-NAGIOSXI libexec]# /usr/local/nagios/libexec/check_http -H 10.1.210.248 -C 10 --ssl=1.2+
CRITICAL - Cannot make SSL connection.
140308417046336:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
[root@HO1-NAGIOSXI libexec]#
Thanks & Regards,
I2MP Team.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: SSL certificate monitoring

Post by scottwilkerson »

This has to be a problem with the SSL negotiation on the switch/router.

But to verify, does this work?

/usr/local/nagios/libexec/check_http -H www.nagios.com -C 10
Former Nagios employee
RIDS_I2MP

Re: SSL certificate monitoring

Post by RIDS_I2MP »

Hello,

Yes, it works.

[root@HO1-NAGIOSXI libexec]# /usr/local/nagios/libexec/check_http -H http://www.nagios.com -C 10
SSL OK - Certificate '*.nagios.com' will expire in 710 days on 2022-06-27 03:59 +0400/+04.
[root@HO1-NAGIOSXI libexec]#
Thanks & Regards,
I2MP Team.
scottwilkerson

Re: SSL certificate monitoring

Post by scottwilkerson »

So the plugin works correctly.

Clearly neither curl nor check_http can negotiate the SSL connection. Are you 100% sure the router is set up correctly?
RIDS_I2MP

Re: SSL certificate monitoring

Post by RIDS_I2MP »

Hello,

We want to monitor the below certificate:

show crypto pki certificate
Certificate
Status: Available
Certificate Serial Number (hex): 7B53FCBF00000000054F
Certificate Usage: General Purpose
Issuer:
cn=cginfra-CA
dc=cginfra
dc=net
Subject:
Name: AE-D3-VPN-GW.cginfra.net
Serial Number: FDO2201A075
cn=AE-D3-VPN-GW.cginfra.net
ou=Group I.T.
o=M.C.T. Fze
l=Dubai
st=Dubai
c=AE
hostname=AE-D3-VPN-GW.cginfra.net
serialNumber=FDO2201A075
CRL Distribution Point:
file://ja-cginfra-dc1.cginfra.net/CertEnroll/cginfra-CA.crl
Validity Date:
start date: 04:38:43 GST Jan 24 2020
end date: 04:38:43 GST Jan 23 2022
renew date: 23:50:42 GST Dec 24 2021
Associated Trustpoints: cginfra-CA
Storage: nvram:cginfra-CA#54F.cer

There is no issue with the router; we are already monitoring it in PRTG and it's working fine there.

Please suggest!!
Thanks & Regards,
I2MP Team.
scottwilkerson

Re: SSL certificate monitoring

Post by scottwilkerson »

Oh, this is just a certificate on the router but not the certificate it uses for its web interface.

I do not know of any way to monitor these types of certificates.

You would need to find some way for the data to be reached by the Nagios server and then write a custom monitoring plugin to get that information, as I have never seen a pre-created plugin that can do this.
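A sketch of the kind of custom plugin the last reply describes, as an added example that is not part of the thread and not Nagios or Cisco code. It assumes the `show crypto pki certificate` text has already been collected and is piped in on stdin (how it reaches the Nagios server is not covered); the `TZ_OFFSETS` map, the 30/10-day thresholds and the function names are assumptions.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

TZ_OFFSETS = {"GST": 4, "UTC": 0}  # assumption: UTC offsets (hours) for zones the device prints
END_DATE = re.compile(r"end\s+date:\s*(\d\d:\d\d:\d\d)\s+(\S+)\s+(\w{3})\s+(\d{1,2})\s+(\d{4})")
NAME = re.compile(r"^\s*Name:\s*(\S+)", re.M)
# Excerpt of the output quoted in the thread, used when run without piped input.
SAMPLE = """Certificate
  Name: AE-D3-VPN-GW.cginfra.net
  start date: 04:38:43 GST Jan 24 2020
  end date: 04:38:43 GST Jan 23 2022
"""

def parse_certs(text):
    """Return [(name, notAfter in UTC)]; assumes each block starts with a '... Certificate' line."""
    certs = []
    for block in re.split(r"(?m)^(?:\w+ )?Certificate[ \t]*$", text):
        m = END_DATE.search(block)
        if not m:
            continue
        clock, tz, mon, day, year = m.groups()
        if tz not in TZ_OFFSETS:
            raise ValueError(f"unknown time zone {tz!r}, add it to TZ_OFFSETS")
        local = datetime.strptime(f"{clock} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
        aware = local.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS[tz])))
        name = NAME.search(block)
        certs.append((name.group(1) if name else "unknown", aware.astimezone(timezone.utc)))
    return certs

def check(text, warn_days=30, crit_days=10, now=None):
    """Return (Nagios exit code, status line) for the certificate that expires first."""
    now = now or datetime.now(timezone.utc)
    try:
        certs = parse_certs(text)
    except ValueError as exc:
        return 3, f"UNKNOWN - {exc}"
    if not certs:
        return 3, "UNKNOWN - no certificate end date found in input"
    name, not_after = min(certs, key=lambda c: c[1])
    days = (not_after - now).days  # negative once the certificate has expired
    code = 2 if days < crit_days else 1 if days < warn_days else 0
    label = ("OK", "WARNING", "CRITICAL")[code]
    return code, f"{label} - certificate '{name}' expires in {days} days ({not_after:%Y-%m-%d %H:%M} UTC)"

if __name__ == "__main__":
    code, line = check(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    print(line)
    sys.exit(code)
```

Missing or unparseable input maps to UNKNOWN (exit 3) rather than OK, so a broken collection step shows up in Nagios instead of hiding an expiring certificate.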