SSL/TLS cert monitoring
list Vernon Everett
Hi all
Haven't been using Xymon for many years, but I now have a small client looking for a lightweight and cost-effective (free) monitoring solution, and Xymon fitted the bill.
Most of the config and setup is coming back to me, but I'm a little stuck on certs.
Some certs I can point Xymon directly to the URL, and I get the response I want.
Others are (multiple) certs on my Xymon client server, not related to a URL, but used by applications.
I cannot remember how we configure those to check for expiration.
Any tips appreciated.
Regards
Vernon
--
"Accept the challenges so that you can feel the exhilaration of victory" - General George Patton
"Don't find fault. Find a remedy" - Henry Ford
list Kris Springer
I just add the https://namehere.com test into my hosts.cfg file and it tests the http status and auto populates an sslcert column that shows the https info you're looking for.
Sample line:
0.0.0.0 WebPage.com # https://webpage.com
Thank You,
Kris Springer
Systems Admin
I/O Network Administration
user-a65af99e49c9@xymon.invalid
https://www.ionetworkadmin.com
list Ralph Mitchell
I've done this before, but I don't think I still have the script. If you
want to mimic the sslcert column for some random SSL certificate file and
send it to Xymon, this:
openssl x509 -noout -in my_server.crt -subject -startdate -enddate -issuer
-dateopt iso_8601 | \
sed -e 's/notBefore=/start date: /' -e 's/notAfter=/expire date:/'
gets you a block that looks something like the sslcert column:
subject=CN = My Server Cert
start date: 2021-01-05 03:57:33Z
expire date:2025-01-05 03:57:33Z
issuer=CN = Some Random CA
You can do some date math on the expiry date to determine when it expires,
and then construct a message to send to Xymon.
I'll poke around and see if I can dig up my script.
Ralph Mitchell
list Lars Kollstedt
On 29.08.23 00:46, Vernon Everett wrote:
I cannot remember how we configure those to check for expiration.
Hi Vernon,
if you can reach them via tcp to do a TLS-handshake, something like this in the `/etc/xymon/protocols.cfg` might be the solution:
[ntske]
    options ssl
    port 4460
Paths might differ in non-Debian based setups. ;-)
Otherwise the certificates can be checked with client side plugins. This also works for certificates used as client certificate in some applications.
Kind regards
    Lars
--
Lars Kollstedt
Phone: +49 6151 16-71027
E-mail: user-0f90394071da@xymon.invalid
man-da.de GmbH
Dolivostraße 11
64293 Darmstadt
Registered office: Darmstadt
Register court: Amtsgericht Darmstadt
Commercial register number: HRB 9484
Managing director: Andreas Ebert
list Gab Dito
I do the same (add https site to monitor), and the sslcert test populates itself, 2 weeks before expiration it goes yellow and 2-3 days before, it goes red.
SSL certificate for https://xxxxxxxxxxxxxx/ expires in 547 days
Server certificate:
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.com
start date: 2023-02-27 17:04:27 GMT
expire date:2025-02-26 17:04:27 GMT
key size:4096
issuer:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
signature algorithm: sha256WithRSAEncryption
Cipher used: ECDHE-RSA-AES256-GCM-SHA384 (256 bits)
Gab
list Josh Luthman
Little more on this...
35.171.79.170 host.foo.com # https://host.foo.com ssldays=22:15 #22 day warn with 15 day red
list Vernon Everett
Hi all
Appreciate the responses, but I have more than 1 problem I am trying to solve.
1. I need to monitor the certs on a few web sites. That's pretty easy, and works out of the box.
2. I need to monitor the certs on a few web sites that are only reachable through the proxy. Not sure how to do that.
3. I have a few certs local to my client that I need to keep an eye on too. But these are used by applications, and are not related to a web page, so effectively I need to keep tabs on /foo/bar/cert
Was looking for some guidance on 2. And a magic bullet for 3. :-D
I could code something up to do item 3, but I was really hoping there would already be something that somebody could share. I used to code Xymon tests for breakfast back when The Dead Sea was only Somewhat Unwell. See here. https://wiki.xymonton.org/doku.php/monitors
But I am a bit rusty these days, and thought I'd lean on the community a little. If I can't, I guess it's back to coding again. :-)
Regards
Vernon
-- "Accept the challenges so that you can feel the exhilaration of victory" - General George Patton "Don't find fault. Find a remedy" - Henry Ford
list Jeremy Laidman
Ralph's approach is probably the best. Note to others who have kindly provided suggestions in this thread: the key requirement is to check a certificate *file* (eg mycert.cer), not a certificate used by a website or any networked service. There's no SSL/TLS involved here, so the https test won't work. Certs are used for more than just websites. An example of this might be a certificate file that's used to sign a logfile after rotation, so that the log's veracity can be verified later, for forensics. The https test is not suitable to check a file, only a website or other SSL/TLS endpoint. An alternative to Ralph's idea that might work, and requires no scripting, might be to configure the webserver used by Xymon so that the certificate files are somehow exposed and used in a TLS interaction, and thus become testable by the Xymonnet https test. I imagine each cert file would need to be configured in a snippet of the Apache (if that's the webserver) config file, so that each cert is used to protect a subset of the website. A bit messy, and probably a challenge to maintain, but it could probably be done without scripting. Similarly, you could run an instance of stunnel for each cert file, each on a different port (if multiple files exist on a host). If it were me, I'd use Ralph's idea in a script, and simulate the message that xymonnet would send for a cert used for a website.
list Jeremy Laidman
On Wed, 30 Aug 2023 at 13:32, Vernon Everett <user-b3f8dacb72c8@xymon.invalid> wrote:
Hi all Appreciate the responses, but I have more than 1 problem I am trying to solve. 1. I need to monitor the certs on a few web sites. That's pretty easy, and works out of the box. 2. I need to monitor the certs on a few web sites that are only reachable through the proxy. Not sure how to do that.
Alas, not out of the box. The man page for hosts.cfg says, "Note that it is not possible to test https-sites via a proxy".
3. I have a few certs local to my client that I need to keep an eye on too. But these are used by applications, and are not related to a web page, so effectively I need to keep tabs on /foo/bar/cert Was looking for some guidance on 2. And a magic bullet for 3. :-D I could code something up to do item 3, but I was really hoping there would already be something that somebody could share. I used to code Xymon tests for breakfast back when The Dead Sea was only Somewhat Unwell. See here. https://wiki.xymonton.org/doku.php/monitors
LoL
But I am a bit rusty these days, and thought I'd lean on the community a little. If I can't, I guess it's back to coding again. :-)
If you script something to solve problem 3, you probably get 95% of the way
to solve problem 2. From what I can tell, OpenSSL cannot use a proxy, so
Ralph's idea won't work. However, the same can be achieved using curl or
wget, with some kind of increase in verbosity to show TLS attributes. Also,
curl can return special variables like "ssl_verify_result" if you could use
that (a separate thing to certificate expiry), and useful return codes (60
= "Peer certificate cannot be authenticated with known CA certificates").
$ { curl -Isv https://www.xymon.com/ 2>&1 >/dev/null; echo "CURL RC=$?"; } | sed -n '/^CURL RC=/p;/^. Server certificate:/,/^>/{/^..[A-Z]/d;s/^...//;p}'
subject: CN=xymon.com
start date: Aug 16 13:20:13 2023 GMT
expire date: Nov 14 13:20:12 2023 GMT
common name: xymon.com
issuer: CN=R3,O=Let's Encrypt,C=US
CURL RC=0
$ { curl -Isv https://expired.badssl.com/ 2>&1 >/dev/null; echo "CURL RC=$?"; } | sed -n '/^CURL RC=/p;/^. Server certificate:/,/^>/{/^..[A-Z]/d;s/^...//;p}'
subject: CN=*.badssl.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated
start date: Apr 09 00:00:00 2015 GMT
expire date: Apr 12 23:59:59 2015 GMT
common name: *.badssl.com
issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
CURL RC=60
Here, I'm relying on the appropriate settings of HTTPS_PROXY for these to
work through a proxy, but I could have used --proxy.
The expire date can be parsed into epoch seconds, compared with today's
epoch seconds value, and then checked for expired, or expiring soon:
$ EXP=`curl -Isv https://expired.badssl.com/ 2>&1 >/dev/null | sed -n '/^. Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'`; [ "$EXP" ] && { SEC_E=`date --date "$EXP" +%s`; NOW_E=`date +%s`; [ $SEC_E -lt $NOW_E ] && echo "Certificate expired on $EXP" || { let SEC=$SEC_E-$NOW_E; let DAYSOLD=$SEC/60/60/24; [ $DAYSOLD -lt 60 ] && echo "Certificate will expire in under 60 days, on $EXP" || echo "Certificate age is OK (expires on $EXP)"; } } || echo "Failed to get certificate"
Certificate expired on Apr 12 23:59:59 2015 GMT
$ EXP=`curl -Isv https://www.xymonton.org/ 2>&1 >/dev/null | sed -n '/^. Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'`; [ "$EXP" ] && { SEC_E=`date --date "$EXP" +%s`; NOW_E=`date +%s`; [ $SEC_E -lt $NOW_E ] && echo "Certificate expired on $EXP" || { let SEC=$SEC_E-$NOW_E; let DAYSOLD=$SEC/60/60/24; [ $DAYSOLD -lt 60 ] && echo "Certificate will expire in under 60 days, on $EXP" || echo "Certificate age is OK (expires on $EXP)"; } } || echo "Failed to get certificate"
Certificate will expire in under 60 days, on Oct 16 13:36:15 2023 GMT
$ EXP=`curl -Isv https://www.xymon.org/ 2>&1 >/dev/null | sed -n '/^. Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'`; [ "$EXP" ] && { SEC_E=`date --date "$EXP" +%s`; NOW_E=`date +%s`; [ $SEC_E -lt $NOW_E ] && echo "Certificate expired on $EXP" || { let SEC=$SEC_E-$NOW_E; let DAYSOLD=$SEC/60/60/24; [ $DAYSOLD -lt 60 ] && echo "Certificate will expire in under 60 days, on $EXP" || echo "Certificate age is OK (expires on $EXP)"; } } || echo "Failed to get certificate"
Certificate age is OK (expires on Nov 24 04:47:18 2023 GMT)
J
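Jeremy's curl pipeline above, reworked as an added example that is not code from the thread: a small Python parser for the "Server certificate:" block that curl prints with -v (the same range his sed expression selects), plus the colour decision that keeps curl exit code 60 separate from the expiry date. The curl output and the host www.example.test are constructed; the thresholds follow the ssldays=22:15 convention from Josh's hosts.cfg line; fetch_verbose uses curl's own --proxy option and is the only part that touches the network.

```python
"""Parse the "Server certificate:" block of curl's verbose output and rate it.

Added example for this thread, not code from any of the posters. The curl
output below is constructed (www.example.test is not a real host); the only
real interfaces used are curl's -Isv/--proxy options and Python's
ssl.cert_time_to_seconds(), which understands the "Nov 14 13:20:12 2023 GMT"
layout that curl and openssl print.
"""
import calendar
import ssl
import subprocess

# curl exit code for "Peer certificate cannot be authenticated with known CA certificates"
CURL_RC_PEER_CERT_UNTRUSTED = 60


def parse_server_certificate(verbose_output):
    """Return the 'key: value' lines between '* Server certificate:' and the
    first request line ('> ...'), the same range the sed expression selects."""
    fields = {}
    in_block = False
    for line in verbose_output.splitlines():
        if line.startswith("* Server certificate:"):
            in_block = True
            continue
        if in_block and line.startswith(">"):
            break                                   # request headers: end of the block
        if in_block and line.startswith("*  ") and ":" in line:
            key, _, value = line[3:].partition(":")  # drop the "*  " prefix
            fields[key.strip()] = value.strip()
    return fields


def classify(fields, curl_rc, now_epoch, warn_days=22, crit_days=15):
    """Map the parsed block plus curl's exit code to a Xymon colour and reason.

    An expired certificate and a chain-trust failure (rc 60) are reported
    separately: rc 60 happens with a perfectly fresh certificate too.
    """
    expire = fields.get("expire date")
    if not expire:
        return "red", "no server certificate block in curl output"
    days = (ssl.cert_time_to_seconds(expire) - now_epoch) // 86400
    if days < 0:
        return "red", f"certificate expired {-days} days ago ({expire})"
    if curl_rc == CURL_RC_PEER_CERT_UNTRUSTED:
        return "red", f"curl rc=60: certificate chain not trusted (expires {expire})"
    if curl_rc != 0:
        return "red", f"curl failed with rc={curl_rc}"
    if days <= crit_days:
        return "red", f"expires in {days} days ({expire})"
    if days <= warn_days:
        return "yellow", f"expires in {days} days ({expire})"
    return "green", f"expires in {days} days ({expire})"


def fetch_verbose(url, proxy=None, timeout=20):
    """Run curl the way the thread does (-I head request, -s quiet, -v for TLS
    details), using --proxy instead of relying on HTTPS_PROXY. Returns
    (stderr, rc); the certificate block is on stderr. Not run by the sample."""
    cmd = ["curl", "-Isv", "--max-time", str(timeout)]
    if proxy:
        cmd += ["--proxy", proxy]
    cmd.append(url)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stderr, proc.returncode


# Constructed sample of curl -v stderr for a healthy endpoint.
SAMPLE_OK = """\
*   Trying 203.0.113.10:443...
* Connected to www.example.test (203.0.113.10) port 443
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* Server certificate:
*  subject: CN=www.example.test
*  start date: Aug 16 13:20:13 2023 GMT
*  expire date: Nov 14 13:20:12 2023 GMT
*  subjectAltName: host "www.example.test" matched cert's "www.example.test"
*  issuer: C=US,O=Example CA,CN=Example Issuing CA
*  SSL certificate verify ok.
> HEAD / HTTP/1.1
> Host: www.example.test
"""

# Constructed sample for an endpoint whose certificate has already expired.
SAMPLE_EXPIRED = SAMPLE_OK.replace("Nov 14 13:20:12 2023 GMT", "Sep 21 00:00:00 2023 GMT")

# Fixed "now" so the arithmetic is reproducible: 2023-10-01 00:00:00 UTC.
SAMPLE_NOW = calendar.timegm((2023, 10, 1, 0, 0, 0))

if __name__ == "__main__":
    for name, text, rc in (("ok", SAMPLE_OK, 0), ("expired", SAMPLE_EXPIRED, 60)):
        print(name, classify(parse_server_certificate(text), rc, SAMPLE_NOW))
```

For a live check, call fetch_verbose(url, proxy="proxy.example.test:8080") and pass its (stderr, rc) into parse_server_certificate and classify; the returned colour and reason are what a script would put into the Xymon status line.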
list Ralph Mitchell
Vernon,
See the attached script to monitor https sites via a proxy. You'd need to
add the proxy to the Xymon server environment config, something like:
"PROXY=proxy.mydomain.com:8080"
or whatever is appropriate for curl at your site. Add an entry in
tasks.cfg to kick the thing off:
chkhttps.sh server.domain.com https://server.domain.com/start.htm\
It throws the site headers to the http column for server.domain.com and
fakes the matching sslcert column.
It'll probably work, but your mileage may vary. I'm not sure if my site is
still using it, but it looks like it hasn't required maintenance since
about 2012, so either it's really solid or the need for it went away.
You could co-opt the second part to fake the sslcert column where you have
a cert file and no server. It uses the verbose output from curl to access
the certificate start/end dates and other info, so you'll need to alter
that a bit to make it work with the "openssl x509" output I
mentioned previously.
Ralph Mitchell
list Adam Thorn
On 30/08/2023 04:31, Vernon Everett wrote:
3. I have a few certs local to my client that I need to keep an eye on too. But these are used by applications, and are not related to a web page, so effectively I need to keep tabs on /foo/bar/cert
Here's our perl script for doing this, though it uses a local "SuperHobbit" perl module which manages loading config files so it's not a case of just copy-pasting: https://gitlab.developers.cam.ac.uk/-/snippets/238
As others have said, all that the script really does is run:
openssl x509 -in MY_CERTIFICATE.pem -noout -enddate
which'll output a single line like:
notAfter=Jul 4 23:59:59 2024 GMT
which is then parsed by perl's str2time() (other date parsing options exist, of course. Thanks to Ralph for pointing out the -dateopt option which I didn't know about, though unfortunately that's not available in the version of openssl as provided by Ubuntu 20.04)
I looked quickly at reimplementing this in python using the standard python 'cryptography' package, but that started to open up cans of worms around version dependencies and how we could make a suitable version of the package available, so I've mentally stalled that idea for now.
Adam
list Stephane Bakhos
Another solution would be to run a xymonnet instance on the proxy server and report it back to the main xymond server. NET: in hosts.cfg can be used in this case.
list Vernon Everett
It took a bit of faffing about, but it all came back to me. Eventually. :-)
Here it is, if it's of any use to you.
And if you spot any bugs, please give me a shout.
#!/bin/bash
export PATH=/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
export CERT_DIR='/etc/pki/tls/certs'
export EPOCH_DAY='86400'
export TODAY="$(date +%s)"
export STATUS='green'
export TEMPFILE=$BBTMP/localcert.$$
date > $TEMPFILE
# For every cert we have...
for CERT in ${CERT_DIR}/*.crt
do
    LCOL='green'
    # "notAfter=Jul  4 23:59:59 2024 GMT" -> "Jul  4 23:59:59 2024 GMT"
    EXPIRE=$(openssl x509 -in ${CERT} -noout -dates 2>/dev/null | awk -F= '/^notAfter/ { print $2; exit }')
    if [ -z "$EXPIRE" ]
    then
        # Unreadable file or not a certificate: report it, rather than let
        # date(1) read the empty string as today and claim "expires in 0 days".
        export STATUS='red'
        echo "&red Could not read an expiry date from $CERT" >> $TEMPFILE
        continue
    fi
    EXP_EPOCH=`date -d"$EXPIRE" +%s`
    SECS2GO=`expr $EXP_EPOCH - $TODAY`
    DAYS2GO=`expr $SECS2GO / $EPOCH_DAY`
    # Yellow at 30 days, unless an earlier cert already made the column red
    if [ $DAYS2GO -le 30 -a $STATUS != "red" ]
    then
        export STATUS='yellow'
        LCOL='yellow'
    fi
    if [ $DAYS2GO -le 15 ]
    then
        export STATUS='red'
        LCOL='red'
    fi
    echo "&$LCOL Expires in $DAYS2GO days, on $EXPIRE $CERT" >> $TEMPFILE
done
$XYMON $XYMSRV "status $MACHINE.localcerts $STATUS $(cat $TEMPFILE)"
rm $TEMPFILE 2>/dev/null
-- "Accept the challenges so that you can feel the exhilaration of victory" - General George Patton "Don't find fault. Find a remedy" - Henry Ford
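An added Python version of the same local-file check, not Vernon's script nor Adam's or Ralph's: it reads the openssl -enddate line those scripts use, accepts both the default date layout and the -dateopt iso_8601 layout (which Adam notes older openssl lacks), flags unreadable files instead of miscomputing them, and builds the "status HOST.localcerts" message with one &colour line per file so the column colour is the worst file. The paths under /etc/pki/tls/certs and the sample dates are constructed; XYMON, XYMSRV and MACHINE are the Xymon client environment variables the script at the top of this post relies on.

```python
"""Check expiry of local certificate files and build the Xymon status message.

Added example for this thread, not any poster's script. Assumes the Xymon
client environment variables XYMON, XYMSRV and MACHINE when sending; the
sample data at the bottom is constructed so the logic runs without openssl
or Xymon present.
"""
import glob
import os
import subprocess
import sys
from datetime import datetime, timezone

# Warn/critical thresholds in days, in the spirit of the ssldays=22:15 hosts.cfg tag
DEFAULT_WARN_DAYS = 30
DEFAULT_CRIT_DAYS = 15

# openssl prints notAfter= in one of these layouts depending on version and -dateopt
_DATE_FORMATS = (
    "%b %d %H:%M:%S %Y %Z",   # default:            notAfter=Jul  4 23:59:59 2024 GMT
    "%Y-%m-%d %H:%M:%SZ",     # -dateopt iso_8601:  notAfter=2025-01-05 03:57:33Z
)
_RANK = {"green": 0, "yellow": 1, "red": 2}


def parse_not_after(line):
    """Turn an 'openssl x509 -enddate' output line into an aware UTC datetime."""
    value = line.strip()
    if value.startswith("notAfter="):
        value = value[len("notAfter="):]
    value = " ".join(value.split())          # collapse the double space in "Jul  4"
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised notAfter value: {line.strip()[:60]!r}")


def days_remaining(not_after, now):
    """Whole days until expiry; negative once the certificate has expired."""
    return int((not_after - now).total_seconds() // 86400)


def colour_for(days, warn=DEFAULT_WARN_DAYS, crit=DEFAULT_CRIT_DAYS):
    if days <= crit:
        return "red"
    if days <= warn:
        return "yellow"
    return "green"


def build_status(cert_lines, now, hostname, test="localcerts",
                 warn=DEFAULT_WARN_DAYS, crit=DEFAULT_CRIT_DAYS):
    """cert_lines: (path, notAfter line) pairs. Returns (overall colour, message).

    One '&colour' line per file; the column colour is the worst of them. A line
    that cannot be parsed is flagged red instead of being treated as "today".
    """
    overall = "green"
    body = []
    for path, line in cert_lines:
        try:
            expiry = parse_not_after(line)
        except ValueError as exc:
            colour, text = "red", f"cannot read expiry ({exc})"
        else:
            days = days_remaining(expiry, now)
            colour = colour_for(days, warn, crit)
            if days < 0:
                text = f"EXPIRED {-days} days ago ({expiry:%Y-%m-%d})"
            else:
                text = f"expires in {days} days, on {expiry:%Y-%m-%d %H:%M:%S} UTC"
        body.append(f"&{colour} {path}: {text}")
        if _RANK[colour] > _RANK[overall]:
            overall = colour
    header = f"status {hostname}.{test} {overall} {now:%a %b %d %H:%M:%S %Y} - certificate expiry\n"
    return overall, header + "\n".join(body) + "\n"


def openssl_end_date(path):
    """Run the same openssl command the thread's scripts use; one notAfter= line."""
    proc = subprocess.run(["openssl", "x509", "-in", path, "-noout", "-enddate"],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else proc.stderr.strip()


def main(argv):
    cert_dir = argv[1] if len(argv) > 1 else "/etc/pki/tls/certs"
    paths = sorted(glob.glob(os.path.join(cert_dir, "*.crt")))
    overall, message = build_status(
        [(p, openssl_end_date(p)) for p in paths], datetime.now(timezone.utc),
        hostname=os.environ.get("MACHINE", "localhost"))  # MACHINE already has commas for dots
    xymon, server = os.environ.get("XYMON"), os.environ.get("XYMSRV")
    if xymon and server:
        subprocess.run([xymon, server, message], check=False)
    else:
        print(message, end="")       # outside the Xymon client: show what would be sent
    return 0 if overall == "green" else 1


# Constructed sample input, standing in for openssl output on four files.
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    ("/etc/pki/tls/certs/app.crt",           "notAfter=Jul  4 23:59:59 2024 GMT"),  # default layout
    ("/etc/pki/tls/certs/syslog-signer.crt", "notAfter=2024-06-20 12:00:00Z"),      # iso_8601 layout
    ("/etc/pki/tls/certs/old-app.crt",       "notAfter=May 30 12:00:00 2024 GMT"),  # already expired
    ("/etc/pki/tls/certs/broken.crt",        "unable to load certificate"),          # openssl error text
]

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a tasks.cfg entry on the client (it reads MACHINE, XYMON and XYMSRV from the environment) or by hand with a directory argument to see the message it would send; build_status(SAMPLE_CERTS, SAMPLE_NOW, "client01") shows the four colours without touching any real files.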