SSL Cert Discovery
Posted: Mon Jul 11, 2016 12:03 pm
by JohnFLi
I have a service that checks when the SSL certs are due to expire, and it works fine and dandy.
What I am looking for is something that will scan through my network (and VLANs) and find all the machines with certs. Kind of a pain to hunt for them. Adding the service check is easy, but I need a way to find what machines to add them to first.
Any ideas?
Re: SSL Cert Discovery
Posted: Mon Jul 11, 2016 12:12 pm
by bwallace
You could run the Auto-Discovery Wizard.
Go to Configure --> Configuration Tools --> Auto-Discovery
Click on New Auto-Discovery Job
Under Scan Target: Type in your network, for instance 172.131.142.0/24
For most scenarios, you will want to leave Exclude IPs blank, and Schedule at One Time.
Click Submit
Now the scan should be running.
Once the scan completes, if there is something not found previously that was found this time, it should say something such as 1 New / 5 Total under Devices Found.
Click on the 1 New
This will take you to a configuration wizard for the results the job found. Select whatever options are best fit for you, again, default is generally fine. Let us know if this is what you're looking for or not.
Re: SSL Cert Discovery
Posted: Mon Jul 11, 2016 12:26 pm
by JohnFLi
It appears to have potential... I will need to investigate.
Re: SSL Cert Discovery
Posted: Mon Jul 11, 2016 12:27 pm
by mcapra
The Auto-Discovery wizard within Nagios XI essentially just runs an nmap against networks your Nagios XI server can see and parses the output.
Using that same methodology, you could write a script that takes all of those hosts that nmap finds and checks them for SSL certificates using openssl. See here for an example:
http://stackoverflow.com/questions/7885 ... m-a-server
Definitely an interesting problem, but seems doable. nmap and openssl are your best friends here IMO.
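The approach mcapra describes, written out as an added example (my code, not mcapra's, and not part of Nagios XI or any Nagios plugin): it pulls the address list out of `nmap -sL` the same way the thread's awk/sed pipeline does, then drives `openssl s_client` and `openssl x509` to record which hosts complete a TLS handshake on the port and what subject and notAfter their leaf certificate carries. It assumes `nmap` and `openssl` are on PATH, probes by address rather than name (so a host that serves different certificates per SNI name reports only its default one), and the `NMAP_SAMPLE` / `X509_SAMPLE` strings are constructed for offline testing, not captured from a real scan.

```python
#!/usr/bin/env python3
"""Certificate inventory over an nmap host list, driven by openssl.

Added example: enumerate every address nmap -sL lists for a network,
open a TLS session with openssl s_client and report the subject and
notAfter of the certificate each host presents. Certificate verification
is deliberately not required: this is an inventory, so self-signed
internal certificates are reported as well.
"""
import re
import subprocess
import sys
from datetime import datetime

# Matches "Nmap scan report for 10.0.0.5" as well as
# "Nmap scan report for web01.example.internal (10.0.0.5)" and captures the
# address, which is what the thread's awk '{print $NF}' | sed pipeline keeps.
NMAP_REPORT = re.compile(
    r"^Nmap scan report for (?:\S+ \()?([0-9A-Fa-f.:]+)\)?\s*$")

# Constructed sample of `nmap -sL` output (not a real scan).
NMAP_SAMPLE = """\
Starting Nmap 7.01 ( https://nmap.org ) at 2016-07-11 16:25 CDT
Nmap scan report for 172.217.4.96
Nmap scan report for web01.example.internal (172.217.4.97)
Nmap done: 32 IP addresses (0 hosts up) scanned in 0.03 seconds
"""

# Constructed sample of `openssl x509 -noout -subject -enddate` output.
X509_SAMPLE = "subject=CN = *.example.internal\nnotAfter=Sep 28 14:03:00 2016 GMT\n"


def parse_nmap_hosts(text):
    """Return the addresses listed in `nmap -sL` output, in order."""
    hosts = []
    for line in text.splitlines():
        match = NMAP_REPORT.match(line.strip())
        if match:
            hosts.append(match.group(1))
    return hosts


def parse_x509_summary(text):
    """Parse `openssl x509 -noout -subject -enddate` output.

    Returns (subject, not_after) or None when no certificate was decoded.
    OpenSSL prints notAfter as e.g. 'Sep 28 14:03:00 2016 GMT'; the GMT
    suffix is stripped and the value kept as a naive UTC datetime.
    """
    subject = not_after = None
    for line in text.splitlines():
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("notAfter="):
            stamp = line[len("notAfter="):].strip().replace(" GMT", "")
            not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
    if subject is None or not_after is None:
        return None
    return subject, not_after


def probe(host, port, timeout=5):
    """Fetch host:port's leaf certificate via openssl s_client.

    Returns (subject, not_after), or None if no handshake completed
    (closed port, timeout, plain-text service, ...).
    """
    try:
        client = subprocess.run(
            ["openssl", "s_client", "-connect", f"{host}:{port}"],
            input=b"", capture_output=True, timeout=timeout)
    except (subprocess.TimeoutExpired, OSError):
        return None
    if b"-----BEGIN CERTIFICATE-----" not in client.stdout:
        return None
    # x509 reads the first PEM block from stdin and ignores s_client's chatter.
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-enddate"],
        input=client.stdout, capture_output=True, timeout=timeout)
    return parse_x509_summary(x509.stdout.decode(errors="replace"))


def discover(network, port=443):
    """List the network with nmap -sL and probe each address on `port`."""
    listing = subprocess.run(["nmap", "-sL", network], capture_output=True,
                             text=True, check=True).stdout
    found = {}
    for host in parse_nmap_hosts(listing):
        result = probe(host, port)
        if result:
            found[host] = result
    return found


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} NETWORK PORT")
    for host, (subject, expiry) in discover(sys.argv[1], int(sys.argv[2])).items():
        print(f"{host}\t{expiry:%Y-%m-%d}\t{subject}")
```

Run as `python3 discover_certs.py 172.217.4.96/27 443`: each host that completed a handshake prints one tab-separated line (address, notAfter date, subject), which is the list of machines the cert-expiry service check would then be added to. Hosts that refuse the port or time out are simply absent from the output.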
Re: SSL Cert Discovery
Posted: Mon Jul 11, 2016 12:42 pm
by JohnFLi
One issue I have found doing it this way... is if the host is already being monitored, but not for the SSL cert... then I would still be in the dark on what existing machines have them.
Re: SSL Cert Discovery
Posted: Mon Jul 11, 2016 12:55 pm
by rkennedy
This isn't exactly Nagios related, but more on the side of bash scripting. You could probably make some modifications to this based on what you need to scan, but this should help.
servers.txt
Now, let's use this one-liner in conjunction with servers.txt. If you're able to populate a similar file with hostnames/IPs, then this should work, as it'll run check_http against every machine in that file. You could refine this with a 'grep' on top of it all, to only show ones that come back a certain way.
[root@localhost ~]# for host in $(cat servers.txt); do /usr/local/nagios/libexec/check_http -H $host -C 30; done
OK - Certificate '*.google.com' will expire on Thu 22 Sep 2016 03:52:00 PM CDT.
OK - Certificate 'www.yahoo.com' will expire on Tue 31 Oct 2017 12:59:00 AM CDT.
OK - Certificate '*.nagios.com' will expire on Fri 11 May 2018 12:59:00 AM CDT.
Re: SSL Cert Discovery
Posted: Mon Jul 11, 2016 3:47 pm
by benhank
Hey, sorry to butt in, but this would be a sweet plugin or something! Any takers?
Re: SSL Cert Discovery
Posted: Mon Jul 11, 2016 4:25 pm
by rkennedy
How about this one-liner?
for host in $(nmap -sL 172.217.4.96/27 | grep 'Nmap scan report' | awk '{print $NF}' | sed -e 's/(//' -e 's/)//'); do /usr/local/nagios/libexec/check_http -H $host -p 443 -C 30; done
Which will check the whole subnet 172.217.4.96/27 for certificates on port 443. Output follows:
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.googleusercontent.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.g.doubleclick.net' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'www.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'mail.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.doubleclick.net' will expire on Wed 28 Sep 2016 09:02:00 AM CDT.
OK - Certificate '*.mail.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google-analytics.com' will expire on Wed 28 Sep 2016 09:02:00 AM CDT.
OK - Certificate '*.blogger.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.googleapis.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'm.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'googlezip.net' will expire on Wed 28 Sep 2016 09:02:00 AM CDT.
OK - Certificate 'accounts.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate 'upload.video.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.storage.googleapis.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.appspot.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.unicast.metric.gstatic.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
CRITICAL - Cannot make SSL connection.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
OK - Certificate '*.google.com' will expire on Wed 28 Sep 2016 09:03:00 AM CDT.
Want a script with inputs?
#!/bin/bash
# First input ($1) is the network range to scan
# Second input ($2) is the port to check for a SSL certificate
[ $# -eq 2 ] || { echo "usage: $0 NETWORK PORT" >&2; exit 1; }
for host in $(nmap -sL "$1" | grep 'Nmap scan report' | awk '{print $NF}' | sed -e 's/(//' -e 's/)//'); do
    /usr/local/nagios/libexec/check_http -H "$host" -p "$2" -C 30
done
Would be executed with
yourscript.sh 172.217.4.96/27 443
Re: SSL Cert Discovery
Posted: Mon Jul 11, 2016 4:56 pm
by JohnFLi
Getting close...
How could you make it so it only displays the items that have already expired and items that will expire in X number of days?
Re: SSL Cert Discovery
Posted: Tue Jul 12, 2016 10:01 am
by tmcdonald
Some creative grepping could achieve what you want, coupled with a little math to determine thresholds for the age, but that's getting into custom development, and is something we would need to discuss with the developers. We're able to make basic additions/modifications to existing plugins, and in some cases write simple ones from scratch, but when feature requests come in it's time to treat this like development. I can certainly start the conversation off if you would like, just let me know.
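The "creative grepping plus a little math" tmcdonald mentions, as an added example that is my code and not a Nagios plugin or anything from the thread: a filter that reads the output of rkennedy's check_http loop, pulls the certificate name and the expiry timestamp out of each line, computes days left against a reference date, and prints only the certificates that have already expired or expire within the number of days JohnFLi asks for. It assumes check_http formats the timestamp in the en_US form shown in the thread (the plugin uses the system locale, so adjust `TIMESTAMP_FMT` if yours differs); the zone abbreviation is dropped because day-level arithmetic does not need it. The `SAMPLE` lines are constructed from the thread's output plus one made-up expired certificate and are not captured from a real run.

```python
#!/usr/bin/env python3
"""Filter check_http certificate output down to expired / expiring certs.

Added example. Pipe the thread's loop into it:
    for host in $(cat servers.txt); do check_http -H $host -C 30; done \
        | python3 cert_expiry_filter.py 45
Lines with no parsable certificate (e.g. "CRITICAL - Cannot make SSL
connection.") are reported separately so unreachable hosts are not lost.
"""
import re
import sys
from datetime import datetime

CERT_NAME = re.compile(r"Certificate '([^']+)'")
# "Thu 22 Sep 2016 03:52:00 PM CDT": capture everything up to the AM/PM
# marker and ignore the zone abbreviation that follows it.
TIMESTAMP = re.compile(
    r"([A-Za-z]{3} \d{1,2} [A-Za-z]{3} \d{4} \d{2}:\d{2}:\d{2} [AP]M)")
TIMESTAMP_FMT = "%a %d %b %Y %I:%M:%S %p"

# Constructed sample input: three lines from the thread plus one invented
# expired certificate and the connection-failure line the thread also shows.
SAMPLE = """\
OK - Certificate '*.google.com' will expire on Thu 22 Sep 2016 03:52:00 PM CDT.
OK - Certificate 'www.yahoo.com' will expire on Tue 31 Oct 2017 12:59:00 AM CDT.
OK - Certificate '*.nagios.com' will expire on Fri 11 May 2018 12:59:00 AM CDT.
CRITICAL - Certificate 'old.example.internal' expired on Fri 01 Jul 2016 11:00:00 AM CDT.
CRITICAL - Cannot make SSL connection.
"""


def parse_timestamp(text):
    """Parse a check_http timestamp (zone abbreviation already removed)."""
    return datetime.strptime(text, TIMESTAMP_FMT)


def parse_line(line):
    """Return (name, expiry) for a check_http certificate line, or
    (None, None) when the line carries no certificate date at all."""
    name = CERT_NAME.search(line)
    stamp = TIMESTAMP.search(line)
    if not name or not stamp:
        return None, None
    return name.group(1), parse_timestamp(stamp.group(1))


def classify(lines, now, max_days):
    """Bucket check_http lines into expired / expiring / ok / unreachable.

    Each entry is (name, days_left, raw_line); days_left is negative for
    an expired certificate. A certificate expiring later today already
    counts as 0 days left, i.e. 'expiring'.
    """
    buckets = {"expired": [], "expiring": [], "ok": [], "unreachable": []}
    for raw in lines:
        raw = raw.rstrip("\n")
        if not raw:
            continue
        name, expiry = parse_line(raw)
        if expiry is None:
            buckets["unreachable"].append((None, None, raw))
            continue
        days_left = (expiry - now).days
        if days_left < 0:
            bucket = "expired"
        elif days_left <= max_days:
            bucket = "expiring"
        else:
            bucket = "ok"
        buckets[bucket].append((name, days_left, raw))
    return buckets


def main(argv):
    if len(argv) != 2 or not argv[1].isdigit():
        sys.exit(f"usage: check_http output | {argv[0]} DAYS")
    buckets = classify(sys.stdin, datetime.now(), int(argv[1]))
    for name, days, _ in sorted(buckets["expired"], key=lambda e: e[1]):
        print(f"EXPIRED   {name} ({-days} day(s) ago)")
    for name, days, _ in sorted(buckets["expiring"], key=lambda e: e[1]):
        print(f"EXPIRING  {name} in {days} day(s)")
    for _, _, raw in buckets["unreachable"]:
        print(f"NO CERT   {raw}")
    # Nagios-style exit code so the filter itself can sit behind a check.
    return 2 if buckets["expired"] else 1 if buckets["expiring"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With a reference date of 11 Jul 2016 and a 90-day window, the sample yields one expired certificate (old.example.internal, 11 days ago), one expiring (*.google.com, 73 days), two fine, and one unreachable host. A lighter alternative that avoids the parsing entirely: check_http's `-C` option accepts a warning and a critical threshold as `-C 30,7`, so piping the loop through `grep -v '^OK'` already leaves only the WARNING and CRITICAL lines.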