Xymon Mailing List Archive search

xymon checking wrong SSL cert on CNAME

list Elizabeth Schwartz
Thu, 13 Jun 2024 12:08:04 -0400
Message-Id: <1d24f01dabdab$dff566b0$9fe03410$@well.com>

The "SNI" tag was the fix,

Thank you all!

 
From: Fabian Wendlandt <user-a63c2f5e765a@xymon.invalid> 
Sent: Thursday, June 13, 2024 3:20 AM
To: user-f098d492cd80@xymon.invalid; xymon at xymon.com
Subject: AW: [Xymon] xymon checking wrong SSL cert on CNAME

 
Hi,

 
xymon http checks do not use SNI (server name indication) by default.

Your webserver will therefore return the certificate configured as the
default certificate when no SNI is sent.

 
To use SNI, just add a "sni" tag to the host:

x.x.x.x  www.example.com  # noconn httpstatus;http://www.example.com/;301; https://www.example.com sni

 
BR

Fabian

 
From: Xymon <xymon-bounces at xymon.com> On Behalf Of user-f098d492cd80@xymon.invalid
Sent: Thursday, June 13, 2024 06:40
To: xymon at xymon.com
Subject: [Xymon] xymon checking wrong SSL cert on CNAME

 
Hi, 

We have a website at a third-party hosting company, where our site
https://www.example.com is a cname for
something.hosting.com (not the real name)

We have a LetsEncrypt cert issued for www.example.com.

 
The cert wasn't updating, but xymon did not alert, because xymon is
apparently evaluating the CNAME and then checking the cert for hosting.com
(which has a wildcard cert *.hosting.com)

 
How do we make xymon check the cert for www.example.com,
other than writing our own script? I think this
is a fairly common setup for hosted websites

(for a minute I thought about adding an A record but that would be wrong on
multiple levels) 

 
/home/xymon/server/etc/hosts.cfg has 

x.x.x.x  www.example.com  # noconn httpstatus;http://www.example.com/;301; https://www.example.com

 
(where x.x.x.x is the actual IP)

 
Running xymon 4.3.30 on Alma 8

 
Thanks very much!
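
Added example (not part of the original thread and not Xymon code): a Python check that fetches the certificate a server presents with and without SNI and tests whether its SAN list covers the monitored hostname, which is how to confirm that a monitor is looking at the hosting provider's default certificate. The function names and the two sample certificate dicts are constructed for illustration; `fetch_cert` needs network access and is not exercised by the sample data.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_cert(host, port=443, use_sni=True, timeout=10):
    """Return the validated leaf certificate as a dict, with or without SNI."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # the name comparison is done explicitly below
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sni = host if use_sni else None  # None: no server_name extension is sent
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()  # an expired or untrusted chain raises here


def san_dns_names(cert):
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, hostname):
    """Exact match, or a wildcard that covers exactly the left-most label."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h


def cert_covers(cert, hostname):
    return any(name_matches(n, hostname) for n in san_dns_names(cert))


def days_left(cert, now=None):
    now = now or datetime.now(timezone.utc)
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)


# Constructed sample data shaped like getpeercert() output (not real certificates).
DEFAULT_CERT = {"subjectAltName": (("DNS", "*.hosting.com"),),
                "notAfter": "Dec 31 23:59:59 2024 GMT"}
SNI_CERT = {"subjectAltName": (("DNS", "www.example.com"),),
            "notAfter": "Jun 10 12:00:00 2024 GMT"}

if __name__ == "__main__":
    for label, cert in (("no SNI", DEFAULT_CERT), ("with SNI", SNI_CERT)):
        print(label, san_dns_names(cert), "covers www.example.com:",
              cert_covers(cert, "www.example.com"))
```

Against a live host, compare `fetch_cert(name, use_sni=False)` with `fetch_cert(name, use_sni=True)`: if only the second one covers the monitored name, an expiry check made without SNI is measuring the wrong certificate.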