Xymon Mailing List Archive search

Subject: Re: SSL OCSP monitoring

2 messages in this thread

Steff Watkins · Wed, 16 Apr 2014 09:40:02 +0000
> Hi,
>
> Can we monitor an SSL certificate's revocation status?
>
> Thanks,
> Deepak
Hello Deepak,

Not sure if this is what you're after, but I've found a way of getting Xymon to give yellow alerts when the SSL certificate on a webserver has 30 days (or less) until expiry, and red alerts on 14 days (or less).

The first part is to give a secure URL in the comment section of the host definition in the hosts.cfg file, such as:

   192.168.12.12    www  # conn ssh http://www.yabadabadoo.blah.uk/ https://yabadabadoo.blah.uk/

This tells Xymon to check the secure HTTP instance on, in this case, www.yabadabadoo.blah.uk. So it picks up the SSL certificate and reports on its presence. This should create an "sslcert" column on your Xymon display. You can view the retrieved certificate in that column.

However, the next step is needed if you want alerts raised when an SSL certificate is getting near its expiry date.

In the tasks.cfg file you need to set up a clause to force the system to raise a warning if the SSL certificate gets near its expiry date. I have done this by adding the "sslwarn" and "sslalarm" options to the definition for xymonnet.

The actual definition I am using is shown below:

[xymonnet]
        ENVFILE /usr/local/hobbit/server/etc/xymonserver.cfg
        NEEDS xymond
        CMD xymonnet --no-ares --report --ping --checkresponse --sslwarn=30 --sslalarm=14 '--dnslog=/var/log/xymon/dns.log' '--concurrency=5' '--debug' '--dump=both'
        LOGFILE $XYMONSERVERLOGS/xymonnet.log
        INTERVAL 5m

As you can see I have '--sslwarn=30', which causes the sslcert column for a host to go yellow when the SSL certificate for that host has 30 days or less until expiry. The '--sslalarm=14' raises the alert level to red when there are 14 days or less until the SSL certificate's expiry date.

I have this running in a live environment at the moment and can confirm that it does work. I'm fairly sure that you should be able to use this sort of setup for testing the revocation dates of SSL certificates for other protocols, such as secure smtp.

Hope this helps.

Regards,
Steff Watkins
Steff Watkins                           Natural History Museum, Cromwell Road, London, SW7 5BD
Systems programmer                      Email: user-03bd19bb3c11@xymon.invalid
Systems Team                            Phone: +XX (X)XX XXXX XXXX opt 2
========
"Many were increasingly of the opinion that they'd all made a big mistake in coming down from the trees in the first place. And some said that even the trees had been a bad move, and that no one should ever have left the oceans." - HHGTTG
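To make the two thresholds in the message above concrete, here is an added example in Python (not code from this thread or from the Xymon project). It reproduces the colouring that xymonnet's --sslwarn and --sslalarm flags give the sslcert column, fetches a server certificate with the standard ssl module, and formats the "status HOST.sslcert COLOR ..." line that a custom client would hand to the xymon command. The hostname and the 30/14 day thresholds are Steff's; the clock value and the certificate dates fed to the functions are constructed sample values.

```python
"""Added example (not from this thread or from the Xymon project): reproduce
the colouring that xymonnet's --sslwarn/--sslalarm flags give the "sslcert"
column, and build the status line a custom client would send to xymond.
Hostname and thresholds are the ones from the message above; SAMPLE_NOW and
the certificate dates used with it are constructed sample values."""
import socket
import ssl
from datetime import datetime, timezone

SSLWARN = 30    # days or less -> yellow (Steff's --sslwarn=30)
SSLALARM = 14   # days or less -> red    (Steff's --sslalarm=14)

# Constructed clock for the worked values: the date of the thread, as an epoch
SAMPLE_NOW = ssl.cert_time_to_seconds("Apr 16 09:40:02 2014 GMT")


def days_left(not_after: str, now_epoch: float) -> int:
    """Whole days between `now_epoch` and a notAfter string in the form that
    ssl.SSLSocket.getpeercert() returns ("May 16 09:40:02 2014 GMT").
    Negative once the certificate has expired."""
    expiry_epoch = ssl.cert_time_to_seconds(not_after)
    return int((expiry_epoch - now_epoch) // 86400)


def sslcert_color(days: int, sslwarn: int = SSLWARN, sslalarm: int = SSLALARM) -> str:
    """Map days-to-expiry onto a Xymon colour: red at sslalarm days or less
    (an already-expired certificate included), yellow at sslwarn days or less,
    green otherwise."""
    if days <= sslalarm:
        return "red"
    if days <= sslwarn:
        return "yellow"
    return "green"


def status_message(host: str, not_after: str, now_epoch: float) -> str:
    """Format "status HOST.sslcert COLOR text", the message that
    `xymon $XYMSRV "..."` delivers to xymond. Dots in the host name become
    commas, as the Xymon status protocol requires; the descriptive text is
    our own wording, not what xymonnet itself prints."""
    days = days_left(not_after, now_epoch)
    color = sslcert_color(days)
    when = datetime.fromtimestamp(now_epoch, tz=timezone.utc).strftime("%a %b %d %H:%M:%S UTC %Y")
    return (f"status {host.replace('.', ',')}.sslcert {color} {when}\n"
            f"Certificate expires {not_after} ({days} days left; "
            f"warn<={SSLWARN}, alarm<={SSLALARM})")


def fetch_not_after(hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live TLS connection (not exercised offline). create_default_context()
    verifies the chain, so an expired or untrusted certificate raises
    ssl.SSLError here instead of being returned; the caller reports that as red."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "yabadabadoo.blah.uk"
    try:
        print(status_message(target, fetch_not_after(target),
                             datetime.now(timezone.utc).timestamp()))
    except (ssl.SSLError, OSError) as exc:
        print(f"status {target.replace('.', ',')}.sslcert red TLS handshake failed: {exc}")
```

Run as `python sslcert_check.py www.example.org` and pipe the result into `xymon $XYMSRV "@"` if you want a client-side equivalent of the check; the point of the two thresholds is that a certificate sitting at exactly 30 or exactly 14 days already changes colour, and an expired one is never green, because verification itself fails before any date is read.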
Ralph Mitchell · Wed, 16 Apr 2014 08:45:24 -0400
Resending because it didn't go to the mailing list.  I don't remember why
it was deemed a good idea not to direct replies to the list by default.  I
wonder how many conversations have "gone off list" like this without the
participants noticing?

Ralph Mitchell
---------- Forwarded message ----------
From: "Ralph Mitchell" <user-00a5e44c48c0@xymon.invalid>
Date: Apr 16, 2014 7:23 AM
Subject: Re: [Xymon] Subject: Re: SSL OCSP monitoring
To: "Steff Watkins" <user-03bd19bb3c11@xymon.invalid>
Cc:

OCSP is a little different to expiry - it's for checking that the
certificate has not been revoked.  Say you have some kind of national ID
card with certificate and key issued by a nationwide trusted entity. You
could use it to access banking and health services, sign documents, encrypt
email, etc.  If the card is lost or stolen, you call it in, the certificate
is revoked and they send you a new one.

If the stolen card is subsequently used to try to gain access to your bank
account, the bank calls an OCSP responder to validate the card and then
rejects it.  Clients, such as web browsers, can do the same to check if
server certificates have been revoked before trusting them.

I'm not sure what anyone would gain from testing revocation status, given
that you're generally monitoring certs on your own network and servers.

Ralph Mitchell
On Wed, Apr 16, 2014 at 5:40 AM, Steff Watkins <user-03bd19bb3c11@xymon.invalid> wrote:
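Deepak's original question, unlike Steff's expiry check, is answered by asking the responder Ralph describes. The following is an added example in Python, not code from this thread or from the Xymon project: it runs the openssl ocsp command against a server certificate and its issuer certificate, parses the verdict into a colour for a hypothetical sslrevoke column, and degrades to yellow rather than green when the verdict is missing or the responder's signature did not verify. The file paths, responder URL and column name are assumptions; the sample output is constructed in the shape openssl prints.

```python
"""Added example, not code from the thread or from Xymon: check a server
certificate's revocation status against its OCSP responder and express the
answer as a Xymon status line. The network side is delegated to the
`openssl ocsp` command; the parsing is exercised offline on constructed
sample output. "sslrevoke" is a hypothetical column name and the file paths
and responder URL are assumptions."""
import re
import subprocess

# OCSP verdicts and the colour a monitoring column would show for each.
# "unknown" (responder has no record, or we could not trust the answer)
# is deliberately not green.
STATUS_COLOR = {"good": "green", "revoked": "red", "unknown": "yellow"}


def parse_ocsp_output(stdout: str, stderr: str, cert_path: str) -> dict:
    """Parse what `openssl ocsp` printed.

    stdout carries one line "<cert_path>: good|revoked|unknown" followed by
    indented detail lines; "Response verify OK" appears (on stderr in the
    OpenSSL builds we have seen, so both streams are checked) when the
    responder's signature was validated. A missing verdict or a failed
    verification is reported as "unknown" so the column goes yellow.
    """
    verdict = re.search(rf"^{re.escape(cert_path)}: (good|revoked|unknown)\s*$",
                        stdout, re.MULTILINE)
    verified = "Response verify OK" in (stdout + stderr)
    status = verdict.group(1) if (verdict and verified) else "unknown"
    detail = {"status": status, "color": STATUS_COLOR[status], "verified": verified}
    reason = re.search(r"^\s*Reason: (\S+)", stdout, re.MULTILINE)
    if status == "revoked" and reason:
        detail["reason"] = reason.group(1)
    return detail


def xymon_status(host: str, detail: dict) -> str:
    """Build "status HOST.sslrevoke COLOR text"; dots in the host name become
    commas, as the Xymon status protocol requires."""
    text = f"OCSP status: {detail['status']}"
    if "reason" in detail:
        text += f" (reason: {detail['reason']})"
    if not detail["verified"]:
        text += " - responder signature NOT verified"
    return f"status {host.replace('.', ',')}.sslrevoke {detail['color']} {text}"


def ocsp_check(host: str, cert_path: str, issuer_path: str, url: str, cafile: str) -> str:
    """Live check (not run offline): query the responder and return the status line.
    cert_path/issuer_path are PEM files previously saved from the server's chain;
    url is the responder from the certificate's Authority Information Access."""
    proc = subprocess.run(
        ["openssl", "ocsp", "-issuer", issuer_path, "-cert", cert_path,
         "-url", url, "-CAfile", cafile],
        capture_output=True, text=True, timeout=20, check=False)
    return xymon_status(host, parse_ocsp_output(proc.stdout, proc.stderr, cert_path))


# Constructed sample output in the shape `openssl ocsp` prints
SAMPLE_GOOD_OUT = ("cert.pem: good\n"
                   "\tThis Update: Apr 16 08:00:00 2014 GMT\n"
                   "\tNext Update: Apr 23 08:00:00 2014 GMT\n")
SAMPLE_REVOKED_OUT = ("cert.pem: revoked\n"
                      "\tThis Update: Apr 16 08:00:00 2014 GMT\n"
                      "\tRevocation Time: Apr 15 12:00:00 2014 GMT\n"
                      "\tReason: keyCompromise\n")
SAMPLE_ERR_OK = "Response verify OK\n"

if __name__ == "__main__":
    for out in (SAMPLE_GOOD_OUT, SAMPLE_REVOKED_OUT):
        print(xymon_status("www.yabadabadoo.blah.uk",
                           parse_ocsp_output(out, SAMPLE_ERR_OK, "cert.pem")))
    # Live use: ocsp_check("www.example.org", "cert.pem", "issuer.pem",
    #                      "http://ocsp.example-ca.invalid/", "/etc/ssl/certs/ca-certificates.crt")
```

The mapping answers Ralph's point as well: on your own servers the check rarely fires for revocation, but an "unknown" or an unverifiable response is a sign that the responder, the chain, or the monitoring host's trust store has changed, which is worth a yellow in its own right.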