xymon checking wrong SSL cert on CNAME
Hi,
We have a website at a third-party hosting company, where our site https://www.example.com is a CNAME for something.hosting.com (not the real name).
We have a LetsEncrypt cert issued for www.example.com.
The cert wasn't updating, but xymon did not alert, because xymon is apparently evaluating the CNAME and then checking the cert for hosting.com (which has a wildcard cert *.hosting.com).
How do we make xymon check the cert for www.example.com, other than writing our own script? I think this is a fairly common setup for hosted websites.
(for a minute I thought about adding an A record but that would be wrong on multiple levels)
/home/xymon/server/etc/hosts.cfg has
x.x.x.x www.example.com # noconn httpstatus;http://www.example.com/;301; https://www.example.com
(where x.x.x.x is the actual IP)
Running xymon 4.3.30 on Alma 8
Thanks very much!
On Thu, 13 Jun 2024, betsys at well.com wrote:
We have a website at a third-party hosting company, where our site https://www.example.com is a CNAME for something.hosting.com (not the real name).
We have a LetsEncrypt cert issued for www.example.com.
The cert wasn't updating, but xymon did not alert, because xymon is apparently evaluating the CNAME and then checking the cert for hosting.com (which has a wildcard cert *.hosting.com).
I cannot believe this. We also have CNAMEs pointing to hosts and the cert check works as expected. Did you check the "sslcert" column?
In this column I see a list of all https checks for this host listing the request URL (without the IP-pinning, if you did so) with the certificate subject, issuer and validity start/expire.
How do we make xymon check the cert for www.example.com, other than writing our own script? I think this is a fairly common setup for hosted websites
(for a minute I thought about adding an A record but that would be wrong on multiple levels)
/home/xymon/server/etc/hosts.cfg has
x.x.x.x www.example.com # noconn httpstatus;http://www.example.com/;301; https://www.example.com
That's nearly what I'm doing. The x.x.x.x is irrelevant since you use noconn. The https://www.example.com checks this URL and the sslcert column should show the cert of this URL.
Here's an example I use (a little obfuscated):
1.2.3.4 foobar # noconn httpstatus;http://foobar.example.com;301
httpstatus;http://foobar.example.net;301
https://foobar.example.com=1.2.3.4/login
https://foobar.example.net=1.2.3.4/login
https://foobar.example.com=1.2.3.10/login
https://foobar.example.net=1.2.3.10/login
foobar.example.com and foobar.example.net are both CNAMEs to the same double A record pointing to 1.2.3.4 and 1.2.3.10.
In the sslcert column I see:
green SSL certificate for https://foobar.example.net/login expires in 323 days
Server certificate: subject:/CN=foobar.example.net start date: 2024-04-03 00:00:00 GMT expire date:2025-05-02 23:59:59 GMT key size:2048 issuer:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1 signature algorithm: sha256WithRSAEncryption
green SSL certificate for https://foobar.example.com/login expires in 176 days
Server certificate: subject:/CN=foobar.example.com start date: 2023-11-06 00:00:00 GMT expire date:2024-12-06 23:59:59 GMT key size:2048 issuer:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1 signature algorithm: sha256WithRSAEncryption
green SSL certificate for https://foobar.example.net/login expires in 323 days
Server certificate: subject:/CN=foobar.example.net start date: 2024-04-03 00:00:00 GMT expire date:2025-05-02 23:59:59 GMT key size:2048 issuer:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1 signature algorithm: sha256WithRSAEncryption
green SSL certificate for https://foobar.example.com/login expires in 176 days
Server certificate: subject:/CN=foobar.example.com start date: 2023-11-06 00:00:00 GMT expire date:2024-12-06 23:59:59 GMT key size:2048 issuer:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL TLS RSA CA G1 signature algorithm: sha256WithRSAEncryption
(As you can see, foobar.example.com and foobar.example.net have different certificates with different lifetimes.)
They are duplicated because the check runs against both IPs (so I can see if only one of the two cluster nodes gets a new cert).
Greetings Roland
Does it make a difference if you add 'sni' (server name indication) to the hosts.cfg entry? I am not sure if that is the default setting.
Regards Henrik
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
From: Roland Rosenfeld <roland at spinnaker.de>
I cannot believe this. We also have CNAMEs pointing to hosts and the cert check works as expected. Did you check the "sslcert" column?
"There are more things on heaven and earth, Horatio, Than are dreamt of in your philosophy"
Yes, I checked the sslcert column, as that is what I expected to alert. It reports on the cert for "hosting.org".
foobar.example.com and foobar.example.net are both CNAMEs to the same double A record pointing to 1.2.3.4 and 1.2.3.10.
Does one of those two A records point to something.example.com?
As others pointed out, the SNI tag did the trick. I gather that this means that the hosting service is putting multiple hosts on the same IP. The PTR record goes to a hosting.org error page on Google Cloud.
I haven't spent a great deal of time working with this third-party site, as I'm primarily involved with our own (cloud) servers, but I do the monitoring (nice to be back with xymon!) and get looped in for SSL cert and other tech issues.
Hi,
xymon http checks do not use SNI (server name indication) by default. Your webserver will therefore return the certificate configured as the default certificate when no SNI is sent.
To use SNI, just add a "sni" tag to the host:
x.x.x.x www.example.com # noconn httpstatus;http://www.example.com/;301; https://www.example.com sni
BR Fabian
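To see for yourself what Fabian describes, here is an added example (it is not from this thread and not Xymon's own code; it uses only Python's standard library and a throwaway listener on 127.0.0.1, so it runs offline). A plain TCP socket captures the raw ClientHello that Python's ssl module sends, and a small parser pulls the server_name (SNI) extension out of it. Connecting once with a server_hostname and once without mirrors a Xymon https check with and without the 'sni' tag: with no server_name on the wire, a server that hosts several names on one IP can only return its default certificate, which is exactly the wildcard cert that was being graded instead of the www.example.com one. The host names used are placeholders; the constructed ClientHello in build_client_hello is sample input, not a capture.

```python
import socket
import ssl
import struct
import threading


def parse_sni(client_hello: bytes):
    """Return the server_name from a raw TLS ClientHello record, or None.

    Walks the record and handshake headers, skips the variable-length
    session id, cipher suites and compression methods, then scans the
    extensions block for type 0 (server_name, RFC 6066).
    """
    # TLS record header: type(1) version(2) length(2); 0x16 = handshake
    if len(client_hello) < 5 or client_hello[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", client_hello[3:5])[0]
    body = client_hello[5:5 + rec_len]
    # Handshake header: msg type(1) length(3); 0x01 = ClientHello
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                     # header, version, random
    pos += 1 + body[pos]                                 # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                                 # compression methods
    if pos + 2 > len(body):
        return None                                      # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0:
            # server_name: list length(2), name type(1), name length(2), name
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii")
    return None


def build_client_hello(server_name=None) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello, optionally
    carrying a server_name extension. Not captured from any real client."""
    body = b"\x03\x03" + bytes(32)                       # client version + random
    body += b"\x00"                                      # empty session id
    body += b"\x00\x02\xc0\x2f"                          # one cipher suite
    body += b"\x01\x00"                                  # null compression only
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        ext = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(ext)) + ext
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def capture_client_hello(server_hostname) -> bytes:
    """Connect to a throwaway listener on 127.0.0.1 with Python's ssl module
    and return the raw ClientHello the client sent. server_hostname=None
    means the client is given no name, i.e. it sends no SNI."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    captured = {}

    def serve():
        conn, _ = listener.accept()
        conn.settimeout(5)
        data = b""
        # Read until the first TLS record (the ClientHello) is complete.
        while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            chunk = conn.recv(16384)
            if not chunk:
                break
            data += chunk
        captured["hello"] = data
        conn.close()                                     # never answer: handshake fails

    worker = threading.Thread(target=serve)
    worker.start()
    ctx = ssl.create_default_context()
    if server_hostname is None:
        ctx.check_hostname = False                       # must precede CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection(("127.0.0.1", port))
    try:
        ctx.wrap_socket(raw, server_hostname=server_hostname).close()
    except (ssl.SSLError, OSError):
        pass                                             # expected: listener hung up
    worker.join()
    listener.close()
    return captured["hello"]


def sni_sent(server_hostname):
    """Name the client actually put on the wire for this server_hostname."""
    return parse_sni(capture_client_hello(server_hostname))


if __name__ == "__main__":
    print("with server_hostname   :", sni_sent("www.example.com"))  # www.example.com
    print("without server_hostname:", sni_sent(None))               # None
```

Run it as a script and the second line shows None: nothing in that ClientHello tells a shared-IP server which certificate to present, so whatever the monitor is then shown is the server's default. The same contrast against a real host is what `openssl s_client` gives you with and without its `-servername` option, which is a quick way to confirm that a check's sslcert result changed for the right reason after adding the tag.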
The 'SNI' tag was the fix,
Thank you all!
I had always wondered why my virtual hosts showed the A record of the hosts IP address when viewing the xymon data under the sslcert column. Only today by following and reading this thread and all the replies to the thread have I fixed the output of what's reported in the sslcert column by adding the 'sni' qualifier(?) to the end of all my virtual hosts in hosts.cfg. Now the sslcert data is correct for all the virtual hosts connected to one of my domains.
Forgive the top posting but this reply only comes after reading through the full thread. I didn't want to have the full thread in this reply so only included the original post. I gathered the 'sni' data from another reply in the post and realized this was the magic I was looking for to fix that one issue I had been ignoring for the past year.
Thanks, Ron