On Wed, 30 Aug 2023, Jeremy Laidman wrote:
Date: Wed, 30 Aug 2023 15:33:40 +1000
From: Jeremy Laidman <jeremy at laidman.org>
To: Vernon Everett <everett.vernon at gmail.com>
Cc: Xymon mailinglist <xymon at xymon.com>
Subject: Re: [Xymon] SSL/TLS cert monitoring
On Wed, 30 Aug 2023 at 13:32, Vernon Everett <everett.vernon at gmail.com> wrote:
Hi all
Appreciate the responses, but I have more than 1 problem I am trying to solve.
- I need to monitor the certs on a few web sites. That's pretty easy, and works out of the box.
- I need to monitor the certs on a few web sites that are only reachable through the proxy. Not sure how to do that.
Alas, not out of the box. The man page for hosts.cfg says, "Note that it is not possible to test https-sites via a proxy".
- I have a few certs local to my client that I need to keep an eye on too. But these are used by applications, and are not related to a web page, so effectively I need to keep tabs on /foo/bar/cert
Was looking for some guidance on 2. And a magic bullet for 3. :-D
I could code something up to do item 3, but I was really hoping there would already be something that somebody could share. I used to code Xymon tests for breakfast back when The Dead Sea was only Somewhat Unwell. See here. https://wiki.xymonton.org/doku.php/monitors
LoL
But I am a bit rusty these days, and thought I'd lean on the community a little.
If I can't, I guess it's back to coding again. :-)
If you script something to solve problem 3, you probably get 95% of the way to solve problem 2. From what I can tell, OpenSSL cannot use a proxy, so Ralph's idea won't work. However, the same can be achieved using curl or wget, with some kind of increase in verbosity to show TLS attributes. Also, curl can return special variables like "ssl_verify_result" if you could use that (a separate thing to certificate expiry), and useful return codes (60 = "Peer certificate cannot be authenticated with known CA certificates").
$ { curl -Isv https://www.xymon.com/ 2>&1 >/dev/null; echo "CURL RC=$?"; } | sed -n '/^CURL RC=/p;/^. Server certificate:/,/^>/{/^..[A-Z]/d;s/^...//;p}'
subject: CN=xymon.com
start date: Aug 16 13:20:13 2023 GMT
expire date: Nov 14 13:20:12 2023 GMT
common name: xymon.com
issuer: CN=R3,O=Let's Encrypt,C=US
CURL RC=0

$ { curl -Isv https://expired.badssl.com/ 2>&1 >/dev/null; echo "CURL RC=$?"; } | sed -n '/^CURL RC=/p;/^. Server certificate:/,/^>/{/^..[A-Z]/d;s/^...//;p}'
subject: CN=*.badssl.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated
start date: Apr 09 00:00:00 2015 GMT
expire date: Apr 12 23:59:59 2015 GMT
common name: *.badssl.com
issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
CURL RC=60
Here, I'm relying on the appropriate settings of HTTPS_PROXY for these to work through a proxy, but I could have used --proxy.
The expire date can be parsed into epoch seconds, compared with today's epoch seconds value, and then checked for expired, or expiring soon:
$ EXP=$(curl -Isv https://expired.badssl.com/ 2>&1 >/dev/null | sed -n '/^. Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'); [ "$EXP" ] && { SEC_E=$(date --date "$EXP" +%s); NOW_E=$(date +%s); [ $SEC_E -lt $NOW_E ] && echo "Certificate expired on $EXP" || { let SEC=$SEC_E-$NOW_E; let DAYSOLD=$SEC/60/60/24; [ $DAYSOLD -lt 60 ] && echo "Certificate will expire in under 60 days, on $EXP" || echo "Certificate age is OK (expires on $EXP)"; } } || echo "Failed to get certificate"
Certificate expired on Apr 12 23:59:59 2015 GMT

$ EXP=$(curl -Isv https://www.xymonton.org/ 2>&1 >/dev/null | sed -n '/^. Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'); [ "$EXP" ] && { SEC_E=$(date --date "$EXP" +%s); NOW_E=$(date +%s); [ $SEC_E -lt $NOW_E ] && echo "Certificate expired on $EXP" || { let SEC=$SEC_E-$NOW_E; let DAYSOLD=$SEC/60/60/24; [ $DAYSOLD -lt 60 ] && echo "Certificate will expire in under 60 days, on $EXP" || echo "Certificate age is OK (expires on $EXP)"; } } || echo "Failed to get certificate"
Certificate will expire in under 60 days, on Oct 16 13:36:15 2023 GMT

$ EXP=$(curl -Isv https://www.xymon.org/ 2>&1 >/dev/null | sed -n '/^. Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'); [ "$EXP" ] && { SEC_E=$(date --date "$EXP" +%s); NOW_E=$(date +%s); [ $SEC_E -lt $NOW_E ] && echo "Certificate expired on $EXP" || { let SEC=$SEC_E-$NOW_E; let DAYSOLD=$SEC/60/60/24; [ $DAYSOLD -lt 60 ] && echo "Certificate will expire in under 60 days, on $EXP" || echo "Certificate age is OK (expires on $EXP)"; } } || echo "Failed to get certificate"
Certificate age is OK (expires on Nov 24 04:47:18 2023 GMT)
Another solution would be to run a xymonnet instance on the proxy server and report it back to the main xymond server. NET: in hosts.cfg can be used in this case.
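The curl/date one-liner above, turned into reusable shell functions as an added example (this is not Jeremy's script nor anything shipped with Xymon). It keeps the same sed expression for pulling "expire date:" out of curl's verbose output, adds an openssl-based reader for a local certificate file (Vernon's problem 3), and emits a Xymon-style "status HOST.TEST COLOR message" line. It assumes GNU date (for --date), the openssl command for the local-file case only, and that proxy settings come from HTTPS_PROXY or from a CURL_OPTS variable (both names used here are assumptions); the curl output embedded at the bottom is constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the mailing list thread or from Xymon itself.
# Assumes GNU date (--date) and, for cert_expiry_from_file only, the openssl CLI.

# Print the "expire date:" value from `curl -v` output read on stdin
# (same sed expression as in the mail; curl writes this block to stderr).
cert_expiry_from_curl() {
    sed -n '/^. Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'
}

# Print the notAfter date of a PEM certificate file in the same
# "Mon DD HH:MM:SS YYYY GMT" format curl prints, so cert_status can consume it.
cert_expiry_from_file() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Classify an expiry date. Prints "COLOR message", where COLOR is red,
# yellow or green. $1 = expiry date string, $2 = warning threshold in days
# (default 60, as in the mail). An empty or unparseable date is red, since
# "could not check" must never look like "OK".
cert_status() {
    exp="$1"; warn="${2:-60}"
    [ -n "$exp" ] || { echo "red Failed to get certificate"; return 1; }
    sec_e=$(date --date "$exp" +%s 2>/dev/null) \
        || { echo "red Unparseable expiry date: $exp"; return 1; }
    now_e=$(date +%s)
    days=$(( (sec_e - now_e) / 86400 ))
    if [ "$sec_e" -lt "$now_e" ]; then
        echo "red Certificate expired on $exp"
    elif [ "$days" -lt "$warn" ]; then
        echo "yellow Certificate will expire in under $warn days, on $exp"
    else
        echo "green Certificate age is OK (expires on $exp)"
    fi
}

# Build a Xymon status line for a URL: "status HOST.sslcert COLOR message".
# Proxying is left to HTTPS_PROXY, or put e.g. "--proxy http://proxy:3128"
# in CURL_OPTS (CURL_OPTS is an assumed name, deliberately left unquoted so
# it word-splits into separate arguments).
check_url() {
    host="$1"; url="$2"; warn="${3:-60}"
    exp=$(curl -Isv $CURL_OPTS "$url" 2>&1 >/dev/null | cert_expiry_from_curl)
    st=$(cert_status "$exp" "$warn")
    echo "status $host.sslcert ${st%% *} $url: ${st#* }"
}

# Same thing for a certificate file on the local host (problem 3).
check_file() {
    host="$1"; file="$2"; warn="${3:-60}"
    exp=$(cert_expiry_from_file "$file" 2>/dev/null)
    st=$(cert_status "$exp" "$warn")
    echo "status $host.sslcert ${st%% *} $file: ${st#* }"
}

# Constructed sample of curl -v stderr (modelled on the expired.badssl.com
# output in the mail) so the parser can be run without network access.
SAMPLE_CURL_OUTPUT='* Server certificate:
*  subject: CN=*.badssl.com
*  start date: Apr 09 00:00:00 2015 GMT
*  expire date: Apr 12 23:59:59 2015 GMT
*  issuer: CN=COMODO RSA Domain Validation Secure Server CA
> HEAD / HTTP/1.1'

# Runs the parser over the constructed sample and prints the expiry it found.
demo_parse_sample() {
    printf '%s\n' "$SAMPLE_CURL_OUTPUT" | cert_expiry_from_curl
}
```

In a real client-side script the "status ..." line would be handed to the xymon client binary rather than echoed, and the HOST part should match the hosts.cfg entry of the machine the check runs on, since in the proxy case that is the only host that can reach the site.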