Check Certificate expire Wizard: check_xi_service_http_cert


Post by RockerMan »

Hi

I check whether the certificate has expired using the wizard:

Code:

$USER1$/check_http -H $HOSTADDRESS$ -C 30

In one case, it gives the correct certificate expiration date and shows the correct certificate name.
Certificate 1

Code:

Owner *.companyname.com
Issuer prx.companyname.com
Valid from 26.09.2014 to 26.09.2016

Nagios shows this certificate:

Code:

OK - Certificate '*.companyname.com' will expire on Sun 25 Sep 2016 11:59:00 PM MSK.

In another case, both the certificate expiration date and the certificate name are wrong.
Certificate 2

Code:

Owner www.companyname.com
Issuer prx.companyname.com
Valid from 18.12.2014 to 19.12.2015

Nagios shows the second certificate incorrectly:

Code:

OK - Certificate 'www.my.companyname.com' will expire on Sun 15 Dec 2024 03:01:00 PM MSK.

A "my." has been added from nowhere, and the date is incorrect.
Please tell me how to fix the script for the second certificate in Nagios.


Best Regards
Valery

Post by ssax »

For the host that is not working, if you go into the CCM and edit the host, do you have the address as a DNS name or IP address?

Post by RockerMan »

ssax wrote: For the host that is not working, if you go into the CCM and edit the host, do you have the address as a DNS name or IP address?
Yes, for the host, the Address* field has the value "www.companyname.com".
I checked with dig; this is the result:

Code:

[root@nagios ~]# dig www.companyname.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> www.companyname.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27613
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.companyname.com.                 IN      A

;; ANSWER SECTION:
www.companyname.com.          2735    IN      CNAME   www.companyname.com.other.com.
www.companyname.com.other.com. 132   IN      A       2**.1**.2**.93

;; Query time: 0 msec
;; SERVER: 10.10.0.40#53(10.10.0.40)
;; WHEN: Tue May 19 13:56:07 2015
;; MSG SIZE  rcvd: 83

[root@nagios ~]#
[root@nagios ~]# dig www.my.companyname.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> www.my.companyname.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4322
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.my.companyname.com.              IN      A

;; ANSWER SECTION:
www.my.companyname.com.       3393    IN      CNAME   www.companyname.com.other.com.
www.companyname.com.other.com. 127   IN      A       2**.1**.2**.93

;; Query time: 0 msec
;; SERVER: 10.10.0.40#53(10.10.0.40)
;; WHEN: Tue May 19 13:56:11 2015
;; MSG SIZE  rcvd: 86

The address 2**.1**.2**.93 is the same in both cases.

Post by ssax »

The certificate on the server is returning "www.my.companyname.com". Have you checked the certificates on that server to see if that is valid?

Post by RockerMan »

ssax wrote: The certificate on the server is returning "www.my.companyname.com". Have you checked the certificates on that server to see if that is valid?
The certificate is valid, we checked.
I think that the problem is in the DNS server. I am looking into just this issue now. As soon as I find out whether or not the DNS server error affects this, I will answer you.

Post by lmiltchev »

I think that the problem is in the DNS server. I am looking into just this issue now. As soon as I find out whether or not the DNS server error affects this, I will answer you.
Let us know when you find out.

Post by RockerMan »

Hi

I completed the changes to the DNS server settings, then checked the DNS server resolution. The CNAME record "www.my.companyname.com" has disappeared from the DNS server's answer.

Code:

[root@nagios ~]# dig www.my.companyname.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> www.my.companyname.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30828
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.my.companyname.com.              IN      A

;; AUTHORITY SECTION:
companyname.com.       891     IN      SOA  master.companyname.com. hostmaster.companyname.com. 302 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 10.10.0.40#53(10.10.0.40)
;; WHEN: Mon May 25 09:35:45 2015
;; MSG SIZE  rcvd: 95

But in the certificate check in Nagios XI, the incorrect certificate owner and the validity until 2024 remained.
I contacted the department of the bank that issued the certificate; it also confirmed that the certificate was issued for "www.companyname.com" and is valid until December 2015.

As a result, I am back where I began: I do not understand how Nagios takes the data from the certificate. This is what it shows as the result of its check:

Code:

SSL Certificate OK	05-25-2015 18:36:11	1d 20h 19m 26s	1/3	OK - Certificate 'www.my.companyname.com' will expire on Sun 15 Dec 2024 03:01:00 PM MSK. 

Ideas for verifying where this record, 'www.my.companyname.com', may come from are welcome.

Post by RockerMan »

Maybe the certificate check does not work here because of this? Part of the documentation text for the check_http plugin:
-
"Please note that this plugin does not check if the presented server certificate matches the hostname of the server, or if the certificate has a valid chain of trust to one of the locally installed CAs."
-
In my case, just the owner of the certificate matches the hostname of the server: http://www.mycompany.com.

Post by jdalrymple »

RockerMan wrote: "Please note that this plugin does not check if the presented server certificate matches the hostname of the server, or if the certificate has a valid chain of trust to one of the locally installed CAs."
This is actually helping you, not hurting you. Your DNS is giving you issues. It's important that the host you're hitting with check_http is returning to you the certificate you care about. It's possible that the host is the termination point for multiple SSL connections (such as you would have with F5 or some other similar load balancer). If that is the situation, you'll have to use the proper virtualhost, and the device must return the right certificate. You can debug all of this simply in a web browser by going to the appropriate URL, clicking on the certificate info and reading it.
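
Added example (not part of the original posts, and not Nagios code): because check_http does not compare the presented certificate with the hostname, a wrapper can do it from the plugin's status line, so that an expiry date read from the wrong certificate is reported as a failure instead of OK. The function names and the choice of www.companyname.com as the monitored name for both samples are assumptions.

```python
import re

# Status-line format of check_http -C, as quoted in the thread.
CERT_LINE = re.compile(r"Certificate '([^']+)' will expire on (.+?)\.\s*$")

def name_matches(cert_name, hostname):
    """True if cert_name covers hostname; '*' stands for exactly one leftmost label."""
    cert = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(cert) != len(host):
        return False
    if cert[0] == "*":
        return cert[1:] == host[1:]
    return cert == host

def audit(status_line, monitored_host):
    """Hypothetical wrapper step: return (nagios_exit_code, message)."""
    m = CERT_LINE.search(status_line)
    if not m:
        return 3, "UNKNOWN - no certificate name in plugin output"
    cert_name, expires = m.groups()
    # Only the name printed in the status line is available here; any other
    # names inside the certificate are not visible in this output.
    if not name_matches(cert_name, monitored_host):
        return 2, ("CRITICAL - server presented '%s' instead of a certificate for "
                   "'%s'; the reported expiry (%s) is for the wrong certificate"
                   % (cert_name, monitored_host, expires))
    return 0, "OK - '%s' covers '%s' and expires %s" % (cert_name, monitored_host, expires)

# Constructed sample: the two status lines from the thread, both treated as
# results for the monitored name www.companyname.com (an assumption).
SAMPLES = [
    "OK - Certificate '*.companyname.com' will expire on Sun 25 Sep 2016 11:59:00 PM MSK. ",
    "OK - Certificate 'www.my.companyname.com' will expire on Sun 15 Dec 2024 03:01:00 PM MSK. ",
]

if __name__ == "__main__":
    for line in SAMPLES:
        code, msg = audit(line, "www.companyname.com")
        print(code, msg)
```

When the names differ, check_http's `--sni` option sends the requested hostname in the TLS handshake, which is what lets a server with several name-based virtual hosts pick the matching certificate.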

Post by RockerMan »

Hi

OK. No, there is no balancer in the usual sense. An Nginx web server works in front of the Apache web server.
I opened the certificate and looked at its contents: the CN is "www.companyname.com", and the DNS name is the same, "www.companyname.com". My last resort is to contact the support of the provider that hosts our server. Maybe they left a clue somewhere for the DNS name "www.my.companyname.com".