
Check Certificate expire Wizard: check_xi_service_http_cert

Posted: Mon May 18, 2015 7:41 am
by RockerMan
Hi

I check whether the certificate has expired using the wizard:

Code:

$USER1$/check_http -H $HOSTADDRESS$ -C 30
In one case, it gives the correct certificate expiry date and shows the correct certificate name.
Certificate 1

Code:

Owner *.companyname.com
Issuer prx.companyname.com
Valid from 26.09.2014 to 26.09.2016 
Nagios shows this certificate:

Code:

OK - Certificate '*.companyname.com' will expire on Sun 25 Sep 2016 11:59:00 PM MSK. 
In another case, both the certificate expiry date and the certificate name are wrong.
Certificate 2

Code:

Owner www.companyname.com
Issuer prx.companyname.com
Valid from 18.12.2014 to 19.12.2015 
Nagios shows the second certificate wrong:

Code:

OK - Certificate 'www.my.companyname.com' will expire on Sun 15 Dec 2024 03:01:00 PM MSK. 
A "my." is added from nowhere, and the date is incorrect.
Please tell me how to fix the script for the second certificate in Nagios.


Best Regards
Valery

Re: Check Certificate expire Wizard: check_xi_service_http_c

Posted: Mon May 18, 2015 9:54 am
by ssax
For the host that is not working, if you go into the CCM and edit the host, do you have the address as a DNS name or IP address?

Re: Check Certificate expire Wizard: check_xi_service_http_c

Posted: Tue May 19, 2015 6:17 am
by RockerMan
ssax wrote: For the host that is not working, if you go into the CCM and edit the host, do you have the address as a DNS name or IP address?
Yes, for the host the Address* field has the value "www.companyname.com".
I checked with DiG and got this result:

Code:

[root@nagios ~]# dig www.companyname.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> www.companyname.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27613
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.companyname.com.                 IN      A

;; ANSWER SECTION:
www.companyname.com.          2735    IN      CNAME   www.companyname.com.other.com.
www.companyname.com.other.com. 132   IN      A       2**.1**.2**.93

;; Query time: 0 msec
;; SERVER: 10.10.0.40#53(10.10.0.40)
;; WHEN: Tue May 19 13:56:07 2015
;; MSG SIZE  rcvd: 83

[root@nagios ~]#
[root@nagios ~]# dig www.my.companyname.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> www.my.companyname.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4322
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.my.companyname.com.              IN      A

;; ANSWER SECTION:
www.my.companyname.com.       3393    IN      CNAME   www.companyname.com.other.com.
www.companyname.com.other.com. 127   IN      A       2**.1**.2**.93

;; Query time: 0 msec
;; SERVER: 10.10.0.40#53(10.10.0.40)
;; WHEN: Tue May 19 13:56:11 2015
;; MSG SIZE  rcvd: 86

The address 2**.1**.2**.93 is the same in both cases.

Re: Check Certificate expire Wizard: check_xi_service_http_c

Posted: Tue May 19, 2015 11:46 am
by ssax
The certificate on the server is returning the "www.my.companyname.com", have you checked the certificates on that server to see if that is valid?

Re: Check Certificate expire Wizard: check_xi_service_http_c

Posted: Thu May 21, 2015 5:20 am
by RockerMan
ssax wrote: The certificate on the server is returning the "www.my.companyname.com", have you checked the certificates on that server to see if that is valid?
The certificate is valid, we checked.
I think that the problem is in the DNS server. I am looking into just this issue now. As soon as I find out whether or not the DNS server error has an effect, I will answer you.

Re: Check Certificate expire Wizard: check_xi_service_http_c

Posted: Thu May 21, 2015 11:38 am
by lmiltchev
I think that the problem is in the DNS server. I am looking into just this issue now. As soon as I find out whether or not the DNS server error has an effect, I will answer you.
Let us know when you find out.

Re: Check Certificate expire Wizard: check_xi_service_http_c

Posted: Mon May 25, 2015 10:48 am
by RockerMan
Hi

I completed the changes to the DNS server settings, then checked the DNS server resolution. The CNAME record "www.my.companyname.com" disappeared from the DNS server's answer.

Code:

[root@nagios ~]# dig www.my.companyname.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> www.my.companyname.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30828
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.my.companyname.com.              IN      A

;; AUTHORITY SECTION:
companyname.com.       891     IN      SOA  master.companyname.com. hostmaster.companyname.com. 302 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 10.10.0.40#53(10.10.0.40)
;; WHEN: Mon May 25 09:35:45 2015
;; MSG SIZE  rcvd: 95
But in the certificate check in Nagios XI, the incorrect certificate owner and the validity until 2024 remained.
I contacted the department of the bank that issued the certificate; it also confirmed that the certificate was issued for "www.companyname.com" and is valid until December 2015.

As a result, I am back where I started: I do not understand how Nagios takes the data from the certificate. This is what it shows as the result of its check:

Code:

SSL Certificate OK	05-25-2015 18:36:11	1d 20h 19m 26s	1/3	OK - Certificate 'www.my.companyname.com' will expire on Sun 15 Dec 2024 03:01:00 PM MSK. 
Ideas for verifying where this record, 'www.my.companyname.com', may come from are welcome.

Re: Check Certificate expire Wizard: check_xi_service_http_c

Posted: Tue May 26, 2015 8:54 am
by RockerMan
Maybe the certificate check does not work here because of this? Part of the text of the documentation for the check_http plugin:
-
"Please note that this plugin does not check if the presented server certificate matches the hostname of the server, or if the certificate has a valid chain of trust to one of the locally installed CAs."
-
In my case, just the owner of the certificate matches the hostname of the server: http://www.mycompany.com.

Re: Check Certificate expire Wizard: check_xi_service_http_c

Posted: Tue May 26, 2015 10:03 am
by jdalrymple
RockerMan wrote: "Please note that this plugin does not check if the presented server certificate matches the hostname of the server, or if the certificate has a valid chain of trust to one of the locally installed CAs."
This is actually helping you, not hurting you. Your DNS is giving you issues. It's important that the host you're hitting with check_http is returning to you the certificate you care about. It's possible that the host is the termination point for multiple SSL connections (such as you would have with F5 or some other similar load balancer). If that is the situation you'll have to use the proper virtualhost and the device must return the right certificate. You can debug all of this simply in a web browser by going to the appropriate URL and clicking on the certificate info and reading it.
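
Added example (not part of the thread and not Nagios code): since check_http -C reports OK without comparing the certificate name to the host being checked, a wrapper can make that comparison from the plugin's status line and turn a mismatch into an alert. The function names, the CRITICAL mapping and the host "shop.companyname.com" are assumptions made for illustration; the status lines are the ones quoted in the posts above.

```python
import re

# Status line format as quoted in this thread for `check_http -H <host> -C 30`.
CERT_LINE = re.compile(r"Certificate '(?P<cn>[^']+)' will expire on (?P<when>.+?)\.?\s*$")

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes


def name_matches(cert_name, host):
    """Compare a certificate name with a host name; '*' covers the left-most label only."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def review_cert_line(status_line, expected_host):
    """Return (exit_code, message) for one check_http -C status line."""
    m = CERT_LINE.search(status_line)
    if m is None:
        return UNKNOWN, "UNKNOWN - no certificate name in plugin output"
    cn, when = m.group("cn"), m.group("when")
    if not name_matches(cn, expected_host):
        # The server answered with a certificate for another name, so the
        # expiry date in the status line is not the one being monitored.
        return CRITICAL, ("CRITICAL - server presented certificate '%s' but the "
                          "check targets '%s' (expires %s)" % (cn, expected_host, when))
    return OK, "OK - certificate '%s' covers '%s' (expires %s)" % (cn, expected_host, when)


# Status lines from the posts above; the first host name is constructed.
WILDCARD_LINE = "OK - Certificate '*.companyname.com' will expire on Sun 25 Sep 2016 11:59:00 PM MSK. "
WRONG_LINE = "OK - Certificate 'www.my.companyname.com' will expire on Sun 15 Dec 2024 03:01:00 PM MSK. "

if __name__ == "__main__":
    for line, host in ((WILDCARD_LINE, "shop.companyname.com"),
                       (WRONG_LINE, "www.companyname.com")):
        code, message = review_cert_line(line, host)
        print(code, message)
```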

Re: Check Certificate expire Wizard: check_xi_service_http_c

Posted: Wed May 27, 2015 2:47 am
by RockerMan
Hi

OK. No, there is no balancer in the usual sense. The Nginx web server works before the Apache web server.
I opened the certificate and looked at its contents: CN "www.companyname.com", and the DNS name is the same, "www.companyname.com". I am left with the last option: contacting the support of the provider that hosts our server. Maybe they left a clue somewhere for the DNS name "www.my.companyname.com".