On Thu, 8 Jan 2026 at 12:58, Grant Taylor via Xymon <xymon@xymon.com> wrote:
<snip>
> Did I miss information about how to get TLS certificate information from
> my custom server extension to show up on the sslcert page?
>
> I can easily create a script to do the testing, but I don't know how to
> pass TLS cert details so that they show up on the sslcert page.
The sslcert page is only going to be populated if you have https tests in hosts.cfg. If it's a mail server that's not a webserver, then you won't have an sslcert page. That means all you need to do is send a status message for sslcert, based on your STARTTLS interaction in your script. If your server is both webserver and mailserver, then things are a bit more complicated, which I can go into if this is the case, otherwise I'll assume not.
So the script does something like:
#!/bin/bash
MAILSERVER=mail.example.com
NEWLINE=$'\n' # bashism
cert_is_good() {
    # Test the PEM cert in $1, print one line for the status message and return
    # 0 (good) or 1 (bad). Minimal example: fail if it expires within 7 days.
    if printf '%s\n' "$1" | openssl x509 -noout -checkend 604800 >/dev/null 2>&1; then
        echo "Certificate valid for more than 7 days"
    else
        echo "Certificate expired or expires within 7 days"; return 1
    fi
}
PEM=$(echo QUIT | openssl s_client -starttls smtp -connect "$MAILSERVER:25" 2>/dev/null | openssl x509)
CERT=$(printf '%s\n' "$PEM" | openssl x509 -noout -text)
MSG=$(cert_is_good "$PEM") && COL=green || COL=red
$XYMON $XYMSRV "status $MAILSERVER.sslcert $COL $MSG$NEWLINE$CERT"
There's no need to make use of the client data message, as was suggested previously. The script is able to determine the status by itself. Client data messages are generally for when the client collects info but the server determines the status. This doesn't appear to be the case here.
You *could* run the script on the client, testing itself and reporting to the Xymon server. Just set MAILSERVER to 127.0.0.1 (or even leave it as is, and it should still work). But that means you need to roll out the script to every mail server you operate, now and in the future.
To better work within the Xymon operating model, your script is essentially replacing a component of the xymonnet process, which runs on the Xymon server. So it would make sense to run the script on the Xymon server. It makes it simpler to scale up and to adapt to changes in your email infrastructure. And it means you don't have to make any changes on your mail server.
A good way to implement such a server-side script is to have it iterate over all hosts that have a specific tag in hosts.cfg. This mirrors the behaviour of xymonnet when you add "conn" or "ssh" to a host entry, causing xymonnet to do its checks on that host. For example, you could add a tag "smtp-starttls" and then a revised form of the script could test all hosts that have this tag. Something like:
#!/bin/bash
TAG="smtp-starttls"
NEWLINE=$'\n' # bashism
cert_is_good() {
    # Test the PEM cert in $1, print one line for the status message and return
    # 0 (good) or 1 (bad). Minimal example: fail if it expires within 7 days.
    if printf '%s\n' "$1" | openssl x509 -noout -checkend 604800 >/dev/null 2>&1; then
        echo "Certificate valid for more than 7 days"
    else
        echo "Certificate expired or expires within 7 days"; return 1
    fi
}
xymongrep "$TAG" | while read -r IP HOSTNAME REST; do
    PEM=$(echo QUIT | openssl s_client -starttls smtp -connect "$HOSTNAME:25" 2>/dev/null | openssl x509)
    CERT=$(printf '%s\n' "$PEM" | openssl x509 -noout -text)
    MSG=$(cert_is_good "$PEM") && COL=green || COL=red
    $XYMON $XYMSRV "status $HOSTNAME.sslcert $COL $MSG$NEWLINE$CERT"
done
Then just run this every 5 minutes, probably from an entry in tasks.cfg.
Cheers
Jeremy
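The following is an added example, not Jeremy's script and not part of Xymon. It fleshes out the server-side version above with the checks a practitioner would want behind the sslcert column: no certificate returned, a certificate whose name does not match the host, and separate yellow and red expiry thresholds (WARN_DAYS and ALARM_DAYS are values chosen here, not Xymon defaults), all done with openssl's own -checkhost and -checkend rather than by parsing the -text dump. The function names, the way the "smtp-starttls" tag is passed in, and the assumption that $XYMON is set only when the script runs under xymonlaunch are this example's own.

```shell
#!/bin/bash
# Added example, not Jeremy's script and not part of Xymon: a server-side
# sslcert check for STARTTLS mail servers tagged "smtp-starttls" in hosts.cfg.
# openssl does the date comparison and the name match, so nothing here parses
# the "-text" dump. Thresholds and function names are this example's choices.
set -u

WARN_DAYS=${WARN_DAYS:-30}    # yellow when the cert expires within this many days
ALARM_DAYS=${ALARM_DAYS:-10}  # red when it expires within this many days
NEWLINE='
'                             # a literal newline; no bashism needed

# cert_colour PEMFILE HOSTNAME
# Prints "<colour> <summary line>" and returns 0 only for green.
cert_colour() {
    pem=$1; host=$2
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "red no certificate received from $host"
        return 1
    fi
    enddate=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
    # -checkhost prints "Hostname X does match certificate" or "... does NOT match ..."
    if ! openssl x509 -in "$pem" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match'; then
        echo "red certificate does not match hostname $host"
        return 1
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "red certificate for $host expired on $enddate"
        return 1
    fi
    if ! openssl x509 -in "$pem" -noout -checkend $((ALARM_DAYS * 86400)) >/dev/null 2>&1; then
        echo "red certificate for $host expires within $ALARM_DAYS days ($enddate)"
        return 1
    fi
    if ! openssl x509 -in "$pem" -noout -checkend $((WARN_DAYS * 86400)) >/dev/null 2>&1; then
        echo "yellow certificate for $host expires within $WARN_DAYS days ($enddate)"
        return 1
    fi
    echo "green certificate for $host valid until $enddate"
    return 0
}

# check_host HOSTNAME: fetch the cert over STARTTLS and send the sslcert status.
check_host() {
    host=$1
    pem=$(mktemp) || return 1
    # -servername sends SNI so a server with several names returns the right cert.
    # A failed connection leaves the file empty, which cert_colour reports as red.
    echo QUIT | openssl s_client -starttls smtp -servername "$host" -connect "$host:25" 2>/dev/null \
        | openssl x509 >"$pem" 2>/dev/null
    result=$(cert_colour "$pem" "$host")
    colour=${result%% *}; summary=${result#* }
    text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null)
    "$XYMON" "$XYMSRV" "status $host.sslcert $colour $summary$NEWLINE$text"
    rm -f "$pem"
}

# Under xymonlaunch (tasks.cfg) the Xymon environment is loaded, so $XYMON and
# xymongrep are available; outside it only the functions above are defined.
if [ -n "${XYMON:-}" ]; then
    xymongrep "${1:-smtp-starttls}" | while read -r ip host rest; do
        check_host "$host"
    done
fi
```

Run it from tasks.cfg every five minutes as with the original; outside the Xymon environment you can source the file and call cert_colour on any PEM file to see the colour and summary line it would report.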