Hi,
We need to monitor a TLS certificate. We have checked with the check_http plugin but are getting the error below.
[root@xxxxxxxx libexec]# ./check_http -I xx.xx.xx.xx -p 25 -C 10
CRITICAL - Cannot make SSL connection.
Could you please give us a suitable solution?
Thanks in advance!
Need to monitor TLS certificate
Re: Need to monitor TLS certificate
I assume port 25 is an email server and not a web server, correct? I don't think check_http will work in this case.
Is it using STARTTLS or regular TLS?
I found this plugin that should do it:
https://raw.githubusercontent.com/matte ... k_ssl_cert
You can install it like this:
Code:
cd /usr/local/nagios/libexec
wget https://raw.githubusercontent.com/matteocorti/check_ssl_cert/master/check_ssl_cert
chown apache:nagios check_ssl_cert
chmod ug+x check_ssl_cert
Then test:
Code:
/usr/local/nagios/libexec/check_ssl_cert -H your.mailserver.com -p 25 -P smtp -w 90 -c 30
It has a ton of options:
https://github.com/matteocorti/check_ss ... /README.md
lanxessinfy
Re: Need to monitor TLS certificate
Hi,
It is a regular TLS certificate. Anyway, we have tried the given plugin and we got the output below.
[root@xxxxxxxx libexec]# ./check_ssl_cert -H xx.xx.xx.xx -p 25 -P smtp -w 90 -c 30
SSL_CERT CRITICAL xx.xx.xx.xx: SSL error: didn't found starttls in server response, try anyway...
Error(s):
SSL_CERT CRITICAL xx.xx.xx.xx: No certificate returned
SSL_CERT CRITICAL xx.xx.xx.xx: SSL error: didn't found starttls in server response, try anyway...
Re: Need to monitor TLS certificate
Are you sure it's not using a different port such as 465/587?
Do any of these work? (send the output)
Code:
./check_ssl_cert -H xx.xx.xx.xx -p 25 -P smtp -w 90 -c 30 --tls1_2 -v -v
./check_ssl_cert -H xx.xx.xx.xx -p 465 -P smtp -w 90 -c 30 --tls1_2 -v -v
./check_ssl_cert -H xx.xx.xx.xx -p 587 -P smtp -w 90 -c 30 --tls1_2 -v -v
lanxessinfy
Re: Need to monitor TLS certificate
Hi,
It is using port 25 and it is a TLSv1.2 certificate.
I have tried the given code and its output is:
[root@xxxxxxxxx libexec]# ./check_ssl_cert -H xx.xx.xx.xx -p 25 -P smtp -w 90 -c 30 --tls1_2 -v -v
expect not available
timeout available (/bin/timeout)
found GNU date with timestamp support: enabling date computations
downloading certificate to /tmp
checking TLS renegotiation
error: verify depth is 6; didn't found starttls in server response, try anyway...; 139818587240352:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
SSL_CERT CRITICAL xx.xx.xx.xx: SSL error: didn't found starttls in server response, try anyway...
Error(s):
SSL_CERT CRITICAL xx.xx.xx.xx: No certificate returned
SSL_CERT CRITICAL xx.xx.xx.xx: SSL error: didn't found starttls in server response, try anyway...
[root@xxxxxx libexec]# ./check_ssl_cert -H xx.xx.xx.xx -p 587 -P smtp -w 90 -c 30 --tls1_2 -v -v
expect not available
timeout available (/bin/timeout)
found GNU date with timestamp support: enabling date computations
downloading certificate to /tmp
checking TLS renegotiation
error: verify depth is 6; socket: Bad file descriptor; connect:errno=9
SSL_CERT CRITICAL xx.xx.xx.xx: SSL error: socket: Bad file descriptor
Error(s):
SSL_CERT CRITICAL xx.xx.xx.xx: No certificate returned
SSL_CERT CRITICAL xx.xx.xx.xx: SSL error: socket: Bad file descriptor
[root@xxxxx libexec]# ./check_ssl_cert -H xx.xx.xx.xx -p 465 -P smtp -w 90 -c 30 --tls1_2 -v -v
expect not available
timeout available (/bin/timeout)
found GNU date with timestamp support: enabling date computations
downloading certificate to /tmp
checking TLS renegotiation
error: verify depth is 6; socket: Bad file descriptor; connect:errno=9
SSL_CERT CRITICAL xx.xx.xx.xx: SSL error: socket: Bad file descriptor
Error(s):
SSL_CERT CRITICAL xx.xx.xx.xx: No certificate returned
SSL_CERT CRITICAL xx.xx.xx.xx: SSL error: socket: Bad file descriptor
Also, I replaced --tls1_2 with TLSv1.2 and then got output like this:
[root@xxxxxxxx libexec]# ./check_ssl_cert -H xx.xx.xx.xx -p 25 -P smtp -w 90 -c 30 --TLSv1.2 -v -v
SSL_CERT UNKNOWN: invalid option: --TLSv1.2
Re: Need to monitor TLS certificate
Do any of these output a certificate?
Code:
openssl s_client -connect X.X.X.X:25
openssl s_client -connect X.X.X.X:465
openssl s_client -connect X.X.X.X:587
openssl s_client -connect X.X.X.X:25 -starttls smtp
openssl s_client -connect X.X.X.X:465 -starttls smtp
openssl s_client -connect X.X.X.X:587 -starttls smtp
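Added example, not part of any post in this thread and not code from check_ssl_cert: a Python sketch of the two things the checks above depend on, whether the server's EHLO reply advertises STARTTLS, and how days until expiry map to a Nagios state in the style of `-w 90 -c 30`. The function names, the sample EHLO replies and the exact threshold semantics are assumptions made for illustration.

```python
import smtplib
import ssl
from datetime import datetime, timezone

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes


def ehlo_extensions(reply):
    """Keywords from a multi-line EHLO reply ("250-" continues, "250 " ends)."""
    exts = set()
    for line in reply.splitlines()[1:]:  # line 1 is the greeting, not a keyword
        words = line[4:].split()
        if line.startswith("250") and words:
            exts.add(words[0].upper())
    return exts


def expiry_state(not_after, now, warn=90, crit=30):
    """Map a notAfter string to (state, days_left); thresholds are in days."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days = (expires - now).days
    if days < crit:
        return CRITICAL, days
    return (WARNING if days < warn else OK), days


def check_smtp_cert(host, port=25, warn=90, crit=30, timeout=10):
    """Live probe: EHLO, require STARTTLS, upgrade, evaluate the certificate."""
    ctx = ssl.create_default_context()  # assumption: chain is in the system trust store
    ctx.check_hostname = False          # assumption: target is addressed by IP
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return CRITICAL, "STARTTLS not advertised on this port"
            smtp.starttls(context=ctx)
            cert = smtp.sock.getpeercert()
    except (OSError, smtplib.SMTPException) as exc:
        return CRITICAL, f"connection or TLS handshake failed: {exc}"
    state, days = expiry_state(cert["notAfter"], datetime.now(timezone.utc), warn, crit)
    return state, f"certificate expires in {days} days"


# Constructed EHLO replies (not captured from the server in the thread).
WITH_STARTTLS = "250-mail.example.test Hello\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 HELP"
WITHOUT_STARTTLS = "250-mail.example.test Hello\r\n250-SIZE 52428800\r\n250 HELP"
```

`check_smtp_cert` needs network access to the mail server; the two parsing functions can be run offline against a saved EHLO reply or a notAfter string copied from `openssl x509 -enddate` output.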