
xymon checking wrong SSL cert on CNAME

7 messages in this thread

list Elizabeth Schwartz · Thu, 13 Jun 2024 00:40:28 -0400 ·
Hi, 

We have a website at a third-party hosting company, where our site
https://www.example.com is a CNAME for something.hosting.com (not the real name)

We have a LetsEncrypt cert issued for www.example.com.

 
The cert wasn't updating, but xymon did not alert, because xymon is
apparently evaluating the CNAME and then checking the cert for hosting.com
(which has a wildcard cert *.hosting.com)

 
How do we make xymon check the cert for www.example.com, other than writing
our own script? I think this is a fairly common setup for hosted websites

(for a minute I thought about adding an A record but that would be wrong on
multiple levels) 

 
/home/xymon/server/etc/hosts.cfg has 

x.x.x.x  www.example.com # noconn httpstatus;http://www.example.com/;301; https://www.example.com

 
(where x.x.x.x is the actual IP)

 
Running xymon 4.3.30 on Alma 8

 
Thanks very much!
list Roland Rosenfeld · Thu, 13 Jun 2024 09:12:27 +0200 ·
quoted from Elizabeth Schwartz
On Thu, 13 Jun 2024, user-f098d492cd80@xymon.invalid wrote:
We have a website at a third-party hosting company, where our site
https://www.example.com is a CNAME for something.hosting.com (not the real name)

We have a LetsEncrypt cert issued for www.example.com.
The cert wasn't updating, but xymon did not alert, because xymon is
apparently evaluating the CNAME and then checking the cert for hosting.com
(which has a wildcard cert *.hosting.com)
I cannot believe this.  We also have CNAMEs pointing to hosts and the
cert check works as expected.  Did you check the "sslcert" column?

In this column I see a list of all https checks for this host listing
the request URL (without the IP-pinning, if you did so) with the
certificate subject, issuer and validity start/expire.
quoted from Elizabeth Schwartz
How do we make xymon check the cert for www.example.com, other than
writing our own script? I think this is a fairly common setup for
hosted websites

(for a minute I thought about adding an A record but that would be wrong on
multiple levels)
/home/xymon/server/etc/hosts.cfg has 

x.x.x.x  www.example.com # noconn httpstatus;http://www.example.com/;301; https://www.example.com
That's nearly what I'm doing.  The x.x.x.x is irrelevant since you use
noconn.  The https://www.example.com checks this URL and the sslcert
column should show the cert of this URL.

Here's an example I use (a little obfuscated):

1.2.3.4  foobar # noconn httpstatus;http://foobar.example.com;301 \
         httpstatus;http://foobar.example.net;301 \
         https://foobar.example.com=1.2.3.4/login \
         https://foobar.example.net=1.2.3.4/login \
         https://foobar.example.com=1.2.3.10/login \
         https://foobar.example.net=1.2.3.10/login

foobar.example.com and foobar.example.net are both CNAMES to the same
double-A-Record pointing to 1.2.3.4 and 1.2.3.10.

In the sslcert column I see:

SL certificate for https://foobar.example.net/login expires in 323 days

Server certificate:
	subject:/CN=foobar.example.net
	start date: 2024-04-03 00:00:00 GMT
	expire date:2025-05-02 23:59:59 GMT
	key size:2048
	issuer:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1
	signature algorithm: sha256WithRSAEncryption

green SSL certificate for https://foobar.example.com/login expires in 176 days

Server certificate:
	subject:/CN=foobar.example.com
	start date: 2023-11-06 00:00:00 GMT
	expire date:2024-12-06 23:59:59 GMT
	key size:2048
	issuer:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1
	signature algorithm: sha256WithRSAEncryption

green SSL certificate for https://foobar.example.net/login expires in 323 days

Server certificate:
	subject:/CN=foobar.example.net
	start date: 2024-04-03 00:00:00 GMT
	expire date:2025-05-02 23:59:59 GMT
	key size:2048
	issuer:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1
	signature algorithm: sha256WithRSAEncryption

green SSL certificate for https://foobar.example.com/login expires in 176 days

Server certificate:
	subject:/CN=foobar.example.com
	start date: 2023-11-06 00:00:00 GMT
	expire date:2024-12-06 23:59:59 GMT
	key size:2048
	issuer:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1
	signature algorithm: sha256WithRSAEncryption

(as you can see, foobar.example.com and foobar.example.net have different
certificates with different lifetimes).

They are duplicated, because this is checked for both IPs (so I see,
if only one of the two cluster nodes gets a new cert).

Greetings
Roland
list Henrik Størner · Thu, 13 Jun 2024 09:18:51 +0200 ·
Does it make a difference if you add "sni" (server name indication) to the hosts.cfg entry? I am not sure if that is the default setting.

Regards
Henrik 
list Fabian Wendlandt · Thu, 13 Jun 2024 07:19:42 +0000 ·
Hi,

xymon http checks do not use SNI (server name indication) by default.
Your webserver will therefore return the certificate configured as the default certificate when no SNI is sent.

To use SNI, just add a "sni" tag to the host:
x.x.x.x  www.example.com # noconn httpstatus;http://www.example.com/;301; https://www.example.com sni

BR
Fabian

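As an added example (not code from this thread or from Xymon itself): a small Python check over sslcert-column text in the layout Roland pasted above. It flags an entry whose certificate subject does not cover the host in the checked URL, which is exactly what a missing SNI name looks like (the hoster's wildcard cert shows up under www.example.com), and also warns on near expiry. The sample text is constructed; the column layout and the host=IP pinning syntax are taken from the thread.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample in the layout of Xymon's sslcert column (not real output). Entry
# two models the thread's symptom: with no SNI sent, the hoster's wildcard cert is served.
SAMPLE = """green SSL certificate for https://foobar.example.com/login expires in 176 days

Server certificate:
    subject:/CN=foobar.example.com
    expire date:2024-12-06 23:59:59 GMT

green SSL certificate for https://www.example.com expires in 37 days

Server certificate:
    subject:/CN=*.hosting.com
    expire date:2024-07-20 23:59:59 GMT
"""

def parse_sslcert(text):
    """One dict per 'SSL certificate for' entry: url, host, subject CN, expiry (GMT)."""
    entries = []
    for chunk in text.split("SSL certificate for ")[1:]:
        url = chunk.split(None, 1)[0]
        fields = dict(re.findall(r"^\s*([a-z ]+?):\s*(.*?)\s*$", chunk, re.M))
        cn = re.search(r"/CN=([^/]+)", fields["subject"]).group(1)
        expire = datetime.strptime(fields["expire date"], "%Y-%m-%d %H:%M:%S GMT")
        host = urlsplit(url).hostname.split("=")[0]  # drop Xymon IP pinning (host=1.2.3.4)
        entries.append({"url": url, "host": host, "cn": cn, "expire": expire})
    return entries

def name_matches(cn, host):
    """RFC 6125 style: a wildcard covers one leftmost label, so *.hosting.com never covers www.example.com."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == cn[2:]
    return cn == host

def audit(text, today, warn_days=30):
    """Findings for certs that do not cover the checked host or expire within warn_days of today (YYYY-MM-DD)."""
    now = datetime.strptime(today, "%Y-%m-%d")
    findings = []
    for e in parse_sslcert(text):
        if not name_matches(e["cn"], e["host"]):
            findings.append(f"{e['url']}: CN {e['cn']} does not cover {e['host']} (check SNI)")
        days = (e["expire"] - now).days
        if days < warn_days:
            findings.append(f"{e['url']}: certificate expires in {days} days")
    return findings
```

Run against the real column text, a CN mismatch finding means the monitored URL is being answered with some other site's certificate, so the expiry number shown for it is meaningless until the hosts.cfg entry is fixed.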
list Elizabeth Schwartz · Thu, 13 Jun 2024 12:08:04 -0400 ·
The "SNI" tag was the fix,

Thank you all!
list Elizabeth Schwartz · Thu, 13 Jun 2024 12:17:32 -0400 ·
From: Roland Rosenfeld <user-237a1e03bc39@xymon.invalid> 
quoted from Roland Rosenfeld
I cannot believe this.  We also have CNAMEs pointing to hosts and the cert
check works as expected.  Did you check the "sslcert" column?
"There are more things on heaven and earth, Horatio, Than are dreamt of in
your philosophy"
Yes, I checked the sslcert column, as that is what I expected to alert. It
reports on the cert for 'hosting.org'
quoted from Roland Rosenfeld
foobar.example.com and foobar.example.net are both CNAMES to the same
double-A-Record pointing to 1.2.3.4 and 1.2.3.10.
Does one of those two A records point to something.example.com?

As others pointed out, the SNI tag did the trick. 
I gather that this means that the hosting service is putting multiple hosts
on the same IP.
The PTR record goes to a hosting.org error page on Google Cloud.

I haven't spent a great deal of time working with this third-party site as
I'm primarily involved with our own (cloud) servers, but I do the monitoring
(nice to be back with xymon!) and get looped in for SSL cert and other tech
issues
list Ron Johnson · Fri, 14 Jun 2024 22:39:17 -0700 (PDT) ·
I had always wondered why my virtual hosts showed the A record of the hosts IP address when viewing the xymon data under the sslcert column. Only today by following and reading this thread and all the replies to the thread have I fixed the output of what's reported in the sslcert column by adding the 'sni' qualifier(?) to the end of all my virtual hosts in hosts.cfg. Now the sslcert data is correct for all the virtual hosts connected to one of my domains.
Forgive the top posting but this reply only comes after reading through the full thread. I didn't want to have the full thread in this reply so only included the original post. I gathered the 'sni' data from another reply in the post and realized this was the magic I was looking for to fix that one issue I had been ignoring for the past year.
Thanks,
Ron
 