Xymon Mailing List Archive

sslcert

2 messages in this thread

Henrik Størner · Thu, 20 Jan 2011 22:06:42 +0000 (UTC)
In <user-ddabd1b12fa2@xymon.invalid> dOCtoR MADneSs <user-d54077869176@xymon.invalid> writes:
My xymon server has a strange behaviour. I have a host called tata running SSLed services. The tests are all OK. But when I go to sslcert test page, I see the information from another host (called toto). Their SSL certificates are different, and all my other hosts have their own SSL information.
Here is the hosts.cfg content:
I've reformatted it slightly ...
127.0.0.1   toto    # bbd ftp \
	https://wikileaks.makelofine.org \
	https://mailadmin.makelofine.org \
	https://www.makelofine.org \
	https://test.makelofine.org \
	imaps smtps pop3s \
	http://wikileaks.makelofine.org \
	http://www.raclo.fr \
	http://www.pleinphares.fr \
	http://www.xenon-tuning.fr \
	http://www.hoodmark.fr \
	http://www.chasseresse.com \
	http://www.skapiso.com \
	http://www.galey-ariege.fr \
	http://photos.makelofine.org \
	http://www.warcho.net \
	apache=http://localhost/server-status?auto \
	dns=galey-ariege.fr,skapiso.com,loozah.com,manurevah.com,loloack.com,makelofine.org \
	smtp ssh imap pop3 apt \
	libs bind postfix mysql hardware ntpq \
	TRENDS:*,!la,vmstat:vmstat1|vmstat2|vmstat3|vmstat4|vmstat5,apache:apache|apache1|apache2|apache3,mysql:mysql|mysqlslow|mysqlqueries|mysqltables|mysqlopens|mysqlflush|mysqlquestions,hardware:hardware|fans|voltages,mailgraph:mailgraph-rejected|mailgraph-local|mailgraph-amavis|mailgraph-spamd|mailgraph-postgrey|mailgraph-postgrey-passed|mailgraph-loglines|mailgraph-runtime

OK, so you have (at least) 7 SSL-enabled services running on one host.
The effect of that is rather unpredictable - when doing the "sslcert" status, I didn't think that you would have one line in hosts.cfg with multiple (different) SSL certificates. So which of the 7 certificates will show up in the "sslcert" status is unpredictable.

It shouldn't mix certificates from different servers, though, and I
have never heard of it happening.  Are you sure that the DNS entries
for tata and toto are completely separate? They don't point to the
same IP - or some round-robin DNS entry? (I note that both of them
run "imaps", so it could be a possibility).

Xymon by default doesn't care what IP-address you've put into hosts.cfg,
it will always do a DNS lookup on the hostname to determine the IP-
address. So tests for the "tata" server could easily end up on "toto",
if there is a hostname resolution problem. You can of course override
this by adding the "testip" tag to both of those hosts in hosts.cfg.


Regards,
Henrik
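
Added example, not part of Henrik's message and not Xymon code: a small audit of a hosts.cfg for the two conditions raised above, namely one host line carrying several SSL tests, and SSL-tested hosts without "testip" whose names resolve to the same address. The function names, the sample file and the SAMPLE_DNS table are assumptions made for illustration; only https:// URLs and the imaps/smtps/pop3s tests from the thread are treated as SSL tests.

```python
import re
import socket

SSL_SERVICES = {"imaps", "smtps", "pop3s"}  # SSL test names used in the thread's hosts.cfg

def parse_hosts_cfg(text):
    """Yield (ip, hostname, tags) per host entry, joining backslash-continued lines."""
    joined = re.sub(r"\\[ \t]*\n", " ", text)
    for line in joined.splitlines():
        m = re.match(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*(?:#\s*(.*))?$", line)
        if m:
            yield m.group(1), m.group(2), (m.group(3) or "").split()

def audit(text, resolve=socket.gethostbyname):
    """Return findings: lines carrying several SSL tests, and SSL hosts sharing a tested IP."""
    findings, by_ip = [], {}
    for ip, name, tags in parse_hosts_cfg(text):
        services = [t for t in tags if t in SSL_SERVICES]
        ssl_tests = services + [t for t in tags if t.startswith("https://")]
        if len(ssl_tests) > 1:
            findings.append(f"{name}: {len(ssl_tests)} SSL tests on one line")
        if not services:
            continue
        if "testip" in tags:
            tested_ip = ip  # testip pins the test to the address in hosts.cfg
        else:
            try:
                tested_ip = resolve(name)  # default behaviour described above: DNS lookup
            except OSError:
                tested_ip = f"unresolved({name})"
        by_ip.setdefault(tested_ip, []).append(name)
    for tested_ip, names in sorted(by_ip.items()):
        if len(names) > 1:
            findings.append(f"{tested_ip}: tested for {', '.join(names)}")
    return findings

# Constructed sample (not the poster's file); SAMPLE_DNS stands in for a resolver
# that returns the same address for toto and tata.
SAMPLE = """\
192.0.2.10  toto  # https://www.example.org \\
    https://mail.example.org imaps smtps
192.0.2.20  tata  # imaps https://tata.example.org
192.0.2.30  titi  # testip imaps
192.0.2.40  tutu  # ssh
"""
SAMPLE_DNS = {"toto": "192.0.2.10", "tata": "192.0.2.10", "titi": "192.0.2.10"}

if __name__ == "__main__":
    for finding in audit(SAMPLE, SAMPLE_DNS.__getitem__):
        print(finding)
```

Called without a second argument, audit() uses the system resolver, so it should be run on the Xymon server itself to see the same answers the network tests get.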
Xymon User in Richmond · Thu, 20 Jan 2011 18:52:01 -0500
quoted from Henrik Størner
On Thu, January 20, 2011 17:06, Henrik Størner wrote:
OK, so you have (at least) 7 SSL-enabled services running on one host.
The effect of that is rather unpredictable - when doing the "sslcert"
status, I didn't think that you would have one line in hosts.cfg with
multiple (different) SSL certificates. So which of the 7 certificates
will show up in the "sslcert" status is unpredictable.
I have hosts running both httpd ssl and imaps services, with separate
certs, and it reports both certs correctly.  I don't know if it will
handle status correctly, though.  The imaps certs are self-generated with
expirations years out.  IIRC, it has gone yellow on the httpd certs at the
correct time.  The https test precedes the imaps test on the hosts line,
and the certs are stacked in that order on the sslcert page.