How to exclude SUBDOMAIN for ssl check
Posted: Tue Dec 05, 2017 12:55 pm
by alexeydi
Hello,
I have the following error in my nsclient:
WARNING - Certificate 'cpanel.mimoona.XXXX' expires in 15 day(s) (12/20/2017 23:59).
I want the certificate check to check only my main domain, mimoona.XXXX.
How can I do this?
Re: How to exclude SUBDOMAIN for ssl check
Posted: Tue Dec 05, 2017 4:19 pm
by dwhitfield
What is the command you are using? Can you link to the script or plugin? There are at least two on the exchange:
https://exchange.nagios.org//directory/ ... rt/details
https://exchange.nagios.org//directory/ ... te/details
Once we know which plugin you are using, we can look at the code and determine if there is a way to exclude subdomains.
Re: How to exclude SUBDOMAIN for ssl check
Posted: Wed Dec 06, 2017 12:57 am
by alexeydi
define host {
    host_name 70141_ws_www.mimoona.XXXX
    use generic-server
    display_name 70141_ws_www.mimoona.XXXX
    alias 70141_ws_www.mimoona.XXXX
    address mimoona.xxxx
    hostgroups check_https,check_ping,check_https_certcheck
    contacts [email protected]
    contact_groups Cloud Services
    notification_interval 1440
    notifications_enabled 1
}
The command in command.cfg:
define command {
    command_name check_https_certcheck
    command_line $USER1$/check_http -f ok -e HTTP/1. -S -C 30,7 -H $HOSTADDRESS$ $ARG1$
}
The check is working for the domain, but I want it only for mimoona.XXXX and not for cpanel.mimoona.co.il.
Re: How to exclude SUBDOMAIN for ssl check
Posted: Wed Dec 06, 2017 1:01 pm
by mcapra
Here's the underlying code responsible for checking SSL certificate expiration in check_http:
https://github.com/nagios-plugins/nagio ... #L196-L316
SSL_get_peer_certificate returns the X509 cert presented by the peer. A better question might be why mimoona.xxxx is returning the cpanel certificate at all. Are you certain there are no DNS or SSL configuration issues in play here? Does the address the domain resolves to have any sort of proxying or redirection happening?
This could be a bug in check_http, but I'm not totally convinced yet.
Re: How to exclude SUBDOMAIN for ssl check
Posted: Wed Dec 06, 2017 2:10 pm
by kyang
Thanks @mcapra!
Please provide us some more information in regards to mcapra's response.
Re: How to exclude SUBDOMAIN for ssl check
Posted: Thu Dec 07, 2017 2:39 am
by alexeydi
the URL is
When I check the website with an SSL checker website:
https://www.sslshopper.com/ssl-checker.html#hostname=mimoona.co.il
then it shows that the SSL certificate is good,
but my Nagios check is checking the domain mimoona.co.il and I still have the error for cpanel.mimoona.co.il.
If I check cpanel.mimoona.co.il in the SSL checker then I also get a bad SSL result. Why is that?
Re: How to exclude SUBDOMAIN for ssl check
Posted: Thu Dec 07, 2017 11:59 am
by kyang
Does your web server use multiple SSL certs?
You probably have to use --sni
If you don't mind, I tested this with your URL. Here is my example and it returns the correct www.mimoona.co.il cert.
./check_http -H www.mimoona.co.il -S --sni -C 30,7
SSL OK - Certificate 'www.mimoona.co.il' will expire on 2018-04-16 11:45 -0500/CDT. HTTP OK: HTTP/1.1 200 OK - 64398 bytes in 1.369 second response time |time=1.368788s;;;0.000000 size=64398B;;;0
I hope this helps!
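The SNI behaviour discussed in this thread, as an added example that is not code from any poster or from check_http: it compares the certificate a server presents without SNI to the one presented with SNI, and decides whether an expiry warning is about the monitored name or about the default virtual host. The function names, the example.test hostnames and the sample certificate dictionaries are assumptions constructed for illustration.

```python
import socket
import ssl
import time

def fetch_cert(host, port=443, sni=True, timeout=10):
    """Peer certificate as a dict; sni=False omits the SNI extension."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared in covers() instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
            return tls.getpeercert()  # chain must validate against local trust store

def cert_names(cert):
    """DNS names from subjectAltName, falling back to the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return [n.lower() for n in names]

def covers(cert, host):
    """True if a certificate name matches host (left-most label wildcard only)."""
    host = host.lower()
    parent = host.partition(".")[2]
    return any(n == host or (n.startswith("*.") and n[2:] == parent)
               for n in cert_names(cert))

def days_left(cert, now=None):
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now) // 86400)

def diagnose(host, cert_plain, cert_sni, warn_days=30, now=None):
    """Decide whether an expiry warning is about host's own certificate."""
    if not covers(cert_sni, host):
        return "name_mismatch"   # even with SNI there is no certificate for host
    if days_left(cert_sni, now) <= warn_days:
        return "expiring"        # host's own certificate is running out
    if not covers(cert_plain, host):
        return "sni_required"    # the warning belongs to the default vhost's cert
    return "ok"

# Constructed sample data in the shape getpeercert() returns (not real certificates).
DEFAULT_VHOST = {"subject": ((("commonName", "cpanel.example.test"),),),
                 "notAfter": "Dec 20 23:59:59 2017 GMT"}
SITE = {"subjectAltName": (("DNS", "example.test"), ("DNS", "www.example.test")),
        "notAfter": "Apr 16 16:45:00 2018 GMT"}
NOW = 1512432000  # 2017-12-05 00:00:00 UTC
```

Against a live server, pass `fetch_cert(host, sni=False)` and `fetch_cert(host, sni=True)` as `cert_plain` and `cert_sni`; a result of `sni_required` means the check command needs `--sni`.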