SSL Cert Discovery

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
JohnFLi
Posts: 559
Joined: Mon Jun 17, 2013 3:11 pm

SSL Cert Discovery

Post by JohnFLi »

I have a service that checks when the SSL certs are due to expire, and it works fine and dandy.

What I am looking for is something that will scan through my network (and vlans) and find all the machines with Certs. Kinda of a pain to hunt for them. Adding the service check is easy, but I need a way to find what machines to add them to first.

Any ideas?
Everybody is somebody else’s weirdo
bwallace
Posts: 1145
Joined: Tue Nov 17, 2015 1:57 pm

Re: SSL Cert Discovery

Post by bwallace »

You could run the Auto-Discovery Wizard.
Go to Configure --> Configuration Tools --> Auto-Discovery

Click on New Auto-Discovery Job

Under Scan Target: Type in your network, for instance 172.131.142.0/24

For most scenarios, you will want to leave Exclude IPs blank, and Schedule at One Time.

Click Submit

Now the scan should be running.

Once the scan completes, if there is something not found previously that was found this time, it should say something such as 1 New / 5 Total under Devices Found. 

Click on the 1 New

This will take you to a configuration wizard for the results the job found.  Select whatever options are best fit for you, again, default is generally fine. Let us know if this is what you're looking for or not.
Be sure to check out the Knowledgebase for helpful articles and solutions!
JohnFLi
Posts: 559
Joined: Mon Jun 17, 2013 3:11 pm

Re: SSL Cert Discovery

Post by JohnFLi »

It appears to have potential... I will need to investigate.
Everybody is somebody else’s weirdo
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: SSL Cert Discovery

Post by mcapra »

The Auto-Discovery wizard within Nagios XI essentially just runs an nmap against networks your Nagios XI server can see and parses the output.

Using that same methodology, you could write a script that takes all of the hosts that nmap finds and checks them for SSL certificates using openssl. See here for an example:
http://stackoverflow.com/questions/7885 ... m-a-server

Definitely an interesting problem, but seems doable. nmap and openssl are your best friends here IMO.
Former Nagios employee
https://www.mcapra.com/
JohnFLi
Posts: 559
Joined: Mon Jun 17, 2013 3:11 pm

Re: SSL Cert Discovery

Post by JohnFLi »

One issue I have found doing it this way is that if the host is already being monitored, but not for the SSL cert, then I would still be in the dark about which existing machines have them.
Everybody is somebody else’s weirdo
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: SSL Cert Discovery

Post by rkennedy »

This isn't exactly Nagios related, but more on the side of bash scripting. You could probably make some modifications to this based on what you need to scan, but this should help.

servers.txt:

google.com
yahoo.com
nagios.com

Now, let's use this one-liner in conjunction with servers.txt. If you're able to populate a similar file with hostnames / IPs, then this should work, as it'll run check_http against every machine in that file. You could refine this with a 'grep' on top of it all, to only show ones that come back a certain way.

[root@localhost ~]# for host in $(cat servers.txt); do /usr/local/nagios/libexec/check_http -H $host -C 30; done
OK - Certificate '*.google.com' will expire on Thu 22 Sep 2016 03:52:00 PM CDT.
OK - Certificate 'www.yahoo.com' will expire on Tue 31 Oct 2017 12:59:00 AM CDT.
OK - Certificate '*.nagios.com' will expire on Fri 11 May 2018 12:59:00 AM CDT.
Former Nagios Employee
benhank
Posts: 1264
Joined: Tue Apr 12, 2011 12:29 pm

Re: SSL Cert Discovery

Post by benhank »

Hey, sorry to butt in, but this would be a sweet plugin or something! Any takers?
Proudly running:
NagiosXI 5.4.12 2 node Prod Env 2500 hosts, 13,000 services
Nagiosxi 5.5.7(test env) 2500 hosts, 13,000 services
Nagios Logserver 2 node Prod Env 500 objects sending
Nagios Network Analyser
Nagios Fusion
rkennedy
Posts: 6579
Joined: Mon Oct 05, 2015 11:45 am

Re: SSL Cert Discovery

Post by rkennedy »

How about this one liner?

# -sL only lists the addresses in the range (no port scan); each listed host is then handed to check_http
for host in $(nmap -sL 172.217.4.96/27 | grep 'Nmap scan report' | awk '{print $NF}' | sed -e 's/(//' -e 's/)//'); do /usr/local/nagios/libexec/check_http -H "$host" -p 443 -C 30; done

This will check the whole subnet 172.217.4.96/27 for certificates on port 443. Output follows:

OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.googleusercontent.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.g.doubleclick.net' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'www.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'mail.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.doubleclick.net' will expire on Wed 28 Sep 2016 09:02:00 AM CDT.
OK - Certificate '*.mail.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google-analytics.com' will expire on Wed 28 Sep 2016 09:02:00 AM CDT.
OK - Certificate '*.blogger.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.googleapis.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'm.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'googlezip.net' will expire on Wed 28 Sep 2016 09:02:00 AM CDT.
OK - Certificate 'accounts.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'upload.video.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.storage.googleapis.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.appspot.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.unicast.metric.gstatic.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
CRITICAL - Cannot make SSL connection.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
Want a script with inputs?

#!/bin/bash
# Usage: yourscript.sh <network range> <port>
# First input ($1) is the network range to scan
# Second input ($2) is the port to check for an SSL certificate
for host in $(nmap -sL "$1" | grep 'Nmap scan report' | awk '{print $NF}' | sed -e 's/(//' -e 's/)//'); do
    /usr/local/nagios/libexec/check_http -H "$host" -p "$2" -C 30
done

It would be executed with: yourscript.sh 172.217.4.96/27 443
Former Nagios Employee
JohnFLi
Posts: 559
Joined: Mon Jun 17, 2013 3:11 pm

Re: SSL Cert Discovery

Post by JohnFLi »

Getting close..... ;)

How could you make it so it only displays the items that have already expired and items that will expire in X number of days?
Everybody is somebody else’s weirdo
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: SSL Cert Discovery

Post by tmcdonald »

Some creative grepping could achieve what you want, coupled with a little math to determine thresholds for the age, but that's getting into custom development, and is something we would need to discuss with the developers. We're able to make basic additions/modifications to existing plugins, and in some cases write simple ones from scratch, but when feature requests come in it's time to treat this like development. I can certainly start the conversation off if you would like, just let me know.
Former Nagios employee
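JohnFLi's question above (show only certificates that have already expired or will expire within X days) can be handled by post-processing the check_http output that the one-liners in this thread produce, since every certificate line carries the expiry timestamp. This is an added example, not code from the thread or from Nagios: the sample lines and the fixed "today" date are constructed, and the WARNING/CRITICAL wordings for near-expiry and expired certificates are assumed to match check_http's.

```python
import re
from datetime import datetime
# Constructed sample of check_http -C output (OK lines in the format shown in the thread; the
# WARNING and CRITICAL wordings for near-expiry and expired certs are assumed to match check_http's).
SAMPLE_OUTPUT = """\
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'www.yahoo.com' will expire on Tue 31 Oct 2017 12:59:00 AM CDT.
WARNING - Certificate 'intranet.example.test' expires in 12 day(s) (Mon 19 Sep 2016 10:00:00 AM CDT).
CRITICAL - Certificate 'old.example.test' expired on Fri 01 Jan 2016 12:00:00 AM CST.
CRITICAL - Cannot make SSL connection.
"""

# Constructed "today" so the sample gives reproducible day counts; use datetime.now() in practice.
NOW = datetime(2016, 9, 7, 12, 0, 0)

LINE_RE = re.compile(
    r"^(?:OK|WARNING|CRITICAL) - Certificate '(?P<cn>[^']+)' "
    r"(?:will expire on (?P<ts1>.+?)\.$"
    r"|expires in \d+ day\(s\) \((?P<ts2>.+?)\)\.$"
    r"|expired on (?P<ts3>.+?)\.$)"
)

def parse_expiry(line):
    """Return (common_name, expiry datetime) for a check_http certificate line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # e.g. 'CRITICAL - Cannot make SSL connection.' names no certificate
    stamp = m.group("ts1") or m.group("ts2") or m.group("ts3")
    # check_http prints the time with a zone abbreviation (CDT, CST, ...) that strptime
    # cannot parse portably; drop it and treat the stamp as local time (day granularity).
    stamp = stamp.rsplit(" ", 1)[0]
    return m.group("cn"), datetime.strptime(stamp, "%a %d %b %Y %I:%M:%S %p")

def expiring_soon(lines, max_days, now=NOW):
    """Return [(common_name, days_left)] for certs expired (days_left < 0) or within max_days."""
    hits = []
    for line in lines:
        parsed = parse_expiry(line)
        if parsed is None:
            continue
        cn, expiry = parsed
        days_left = (expiry.date() - now.date()).days  # whole days, negative when expired
        if days_left <= max_days:
            hits.append((cn, days_left))
    return sorted(hits, key=lambda hit: hit[1])  # soonest (or longest expired) first

if __name__ == "__main__":
    for cn, days in expiring_soon(SAMPLE_OUTPUT.splitlines(), 30):
        print(f"{'EXPIRED' if days < 0 else 'EXPIRING'} {days:5d} day(s)  {cn}")
```

To run it against a real scan, pipe the one-liner's output in and replace SAMPLE_OUTPUT.splitlines() with sys.stdin; the day threshold is the second argument to expiring_soon.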