Hi all
Haven't been using Xymon for many years, but I now have a small client looking for a lightweight and cost-effective (free) monitoring solution, and Xymon fitted the bill.
Most of the config and setup is coming back to me, but I'm a little stuck on certs. Some certs I can point Xymon directly to the URL, and I get the response I want. Others are (multiple) certs on my Xymon client server, not related to a URL, but used by applications. I cannot remember how we configure those to check for expiration.
Any tips appreciated.
Regards Vernon
--
"Accept the challenges so that you can feel the exhilaration of victory"
- General George Patton
"Don't find fault. Find a remedy"
- Henry Ford
I just add the https://namehere.com test into my hosts.cfg file and it tests the http status and auto populates an sslcert column that shows the https info you're looking for.
Sample line: 0.0.0.0 WebPage.com # https://webpage.com
Thank You, Kris Springer Systems Admin I/O Network Administration support at ionetworkadmin.com https://www.ionetworkadmin.com
On 8/28/23 16:46, Vernon Everett wrote:
Hi all
Haven't been using Xymon for many years, but I now have a small client looking for a lightweight and cost-effective (free) monitoring solution, and Xymon fitted the bill.
Most of the config and setup is coming back to me, but I'm a little stuck on certs. Some certs I can point Xymon directly to the URL, and I get the response I want. Others are (multiple) certs on my Xymon client server, not related to a URL, but used by applications. I cannot remember how we configure those to check for expiration.
Any tips appreciated.
Regards Vernon
Xymon mailing list Xymon at xymon.com http://lists.xymon.com/mailman/listinfo/xymon
I do the same (add https site to monitor), and the sslcert test populates itself, 2 weeks before expiration it goes yellow and 2-3 days before, it goes red.
SSL certificate for https://xxxxxxxxxxxxxx/ expires in 547 days
Server certificate: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.com start date: 2023-02-27 17:04:27 GMT expire date:2025-02-26 17:04:27 GMT key size:4096 issuer:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx signature algorithm: sha256WithRSAEncryption
Cipher used: ECDHE-RSA-AES256-GCM-SHA384 (256 bits)
Gab
On Mon, Aug 28, 2023 at 10:12 PM IO Support <support at ionetworkadmin.com> wrote:
I just add the https://namehere.com test into my hosts.cfg file and it tests the http status and auto populates an sslcert column that shows the https info you're looking for.
Sample line: 0.0.0.0 WebPage.com # https://webpage.com
Little more on this...
35.171.79.170 host.foo.com # https://host.foo.com ssldays=22:15 #22 day warn with 15 day red
On Tue, Aug 29, 2023 at 10:39 AM Dito <dito74 at gmail.com> wrote:
I do the same (add https site to monitor), and the sslcert test populates itself, 2 weeks before expiration it goes yellow and 2-3 days before, it goes red.
SSL certificate for https://xxxxxxxxxxxxxx/ expires in 547 days
Server certificate: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.com start date: 2023-02-27 17:04:27 GMT expire date:2025-02-26 17:04:27 GMT key size:4096 issuer:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx signature algorithm: sha256WithRSAEncryption
Cipher used: ECDHE-RSA-AES256-GCM-SHA384 (256 bits)
Gab
Hi all
Appreciate the responses, but I have more than 1 problem I am trying to solve.
- I need to monitor the certs on a few web sites. That's pretty easy, and works out of the box.
- I need to monitor the certs on a few web sites that are only reachable through the proxy. Not sure how to do that.
- I have a few certs local to my client that I need to keep an eye on too. But these are used by applications, and are not related to a web page, so effectively I need to keep tabs on /foo/bar/cert
Was looking for some guidance on 2. And a magic bullet for 3. :-D
I could code something up to do item 3, but I was really hoping there would already be something that somebody could share. I used to code Xymon tests for breakfast back when The Dead Sea was only Somewhat Unwell. See here. https://wiki.xymonton.org/doku.php/monitors But I am a bit rusty these days, and thought I'd lean on the community a little.
If I can't, I guess it's back to coding again. :-)
Regards Vernon
On Wed, 30 Aug 2023 at 02:48, Josh Luthman <josh at imaginenetworksllc.com> wrote:
Little more on this...
35.171.79.170 host.foo.com # https://host.foo.com ssldays=22:15 #22 day warn with 15 day red
On Wed, 30 Aug 2023 at 13:32, Vernon Everett <everett.vernon at gmail.com> wrote:
Hi all
Appreciate the responses, but I have more than 1 problem I am trying to solve.
- I need to monitor the certs on a few web sites. That's pretty easy, and works out of the box.
- I need to monitor the certs on a few web sites that are only reachable through the proxy. Not sure how to do that.
Alas, not out of the box. The man page for hosts.cfg says, "Note that it is not possible to test https-sites via a proxy".
- I have a few certs local to my client that I need to keep an eye on too. But these are used by applications, and are not related to a web page, so effectively I need to keep tabs on /foo/bar/cert
Was looking for some guidance on 2. And a magic bullet for 3. :-D
I could code something up to do item 3, but I was really hoping there would already be something that somebody could share. I used to code Xymon tests for breakfast back when The Dead Sea was only Somewhat Unwell. See here. https://wiki.xymonton.org/doku.php/monitors
LoL
But I am a bit rusty these days, and thought I'd lean on the community a little.
If I can't, I guess it's back to coding again. :-)
If you script something to solve problem 3, you probably get 95% of the way to solve problem 2. From what I can tell, OpenSSL cannot use a proxy, so Ralph's idea won't work. However, the same can be achieved using curl or wget, with some kind of increase in verbosity to show TLS attributes. Also, curl can return special variables like "ssl_verify_result" if you could use that (a separate thing to certificate expiry), and useful return codes (60 = "Peer certificate cannot be authenticated with known CA certificates").
$ { curl -Isv https://www.xymon.com/ 2>&1 >/dev/null; echo "CURL RC=$?"; } | sed -n '/^CURL RC=/p;/^. Server certificate:/,/^>/{/^..[A-Z]/d;s/^...//;p}'
subject: CN=xymon.com
start date: Aug 16 13:20:13 2023 GMT
expire date: Nov 14 13:20:12 2023 GMT
common name: xymon.com
issuer: CN=R3,O=Let's Encrypt,C=US
CURL RC=0

$ { curl -Isv https://expired.badssl.com/ 2>&1 >/dev/null; echo "CURL RC=$?"; } | sed -n '/^CURL RC=/p;/^. Server certificate:/,/^>/{/^..[A-Z]/d;s/^...//;p}'
subject: CN=*.badssl.com,OU=PositiveSSL Wildcard,OU=Domain Control Validated
start date: Apr 09 00:00:00 2015 GMT
expire date: Apr 12 23:59:59 2015 GMT
common name: *.badssl.com
issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
CURL RC=60
Here, I'm relying on the appropriate settings of HTTPS_PROXY for these to work through a proxy, but I could have used --proxy.
The expire date can be parsed into epoch seconds, compared with today's epoch seconds value, and then checked for expired, or expiring soon:
$ EXP=$(curl -Isv https://expired.badssl.com/ 2>&1 >/dev/null | sed -n '/^. Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'); [ "$EXP" ] &&
  { SEC_E=$(date --date "$EXP" +%s); NOW_E=$(date +%s); [ $SEC_E -lt $NOW_E ] &&
    echo "Certificate expired on $EXP" || { let SEC=$SEC_E-$NOW_E; let DAYSOLD=$SEC/60/60/24; [ $DAYSOLD -lt 60 ] &&
    echo "Certificate will expire in under 60 days, on $EXP" || echo "Certificate age is OK (expires on $EXP)"; } } || echo "Failed to get certificate"
Certificate expired on Apr 12 23:59:59 2015 GMT

$ EXP=$(curl -Isv https://www.xymonton.org/ 2>&1 >/dev/null | sed -n '/^. Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'); [ "$EXP" ] &&
  { SEC_E=$(date --date "$EXP" +%s); NOW_E=$(date +%s); [ $SEC_E -lt $NOW_E ] &&
    echo "Certificate expired on $EXP" || { let SEC=$SEC_E-$NOW_E; let DAYSOLD=$SEC/60/60/24; [ $DAYSOLD -lt 60 ] &&
    echo "Certificate will expire in under 60 days, on $EXP" || echo "Certificate age is OK (expires on $EXP)"; } } || echo "Failed to get certificate"
Certificate will expire in under 60 days, on Oct 16 13:36:15 2023 GMT

$ EXP=$(curl -Isv https://www.xymon.org/ 2>&1 >/dev/null | sed -n '/^. Server certificate:/,/^>/{/expire date:/ {s/^.*: //;p;q;}}'); [ "$EXP" ] &&
  { SEC_E=$(date --date "$EXP" +%s); NOW_E=$(date +%s); [ $SEC_E -lt $NOW_E ] &&
    echo "Certificate expired on $EXP" || { let SEC=$SEC_E-$NOW_E; let DAYSOLD=$SEC/60/60/24; [ $DAYSOLD -lt 60 ] &&
    echo "Certificate will expire in under 60 days, on $EXP" || echo "Certificate age is OK (expires on $EXP)"; } } || echo "Failed to get certificate"
Certificate age is OK (expires on Nov 24 04:47:18 2023 GMT)
J
Vernon,
See the attached script to monitor https sites via a proxy. You'd need to add the proxy to the Xymon server environment config, something like:
"PROXY=proxy.mydomain.com:8080"
or whatever is appropriate for curl at your site. Add an entry in tasks.cfg to kick the thing off:
chkhttps.sh server.domain.com https://server.domain.com/start.htm\
It throws the site headers to the http column for server.domain.com and fakes the matching sslcert column.
It'll probably work, but your mileage may vary. I'm not sure if my site is still using it, but it looks like it hasn't required maintenance since about 2012, so either it's really solid or the need for it went away.
You could co-opt the second part to fake the sslcert column where you have a cert file and no server. It uses the verbose output from curl to access the certificate start/end dates and other info, so you'll need to alter that a bit to make it work with the "openssl x509" output I mentioned previously.
Ralph Mitchell
On Wed, Aug 30, 2023 at 1:35 AM Jeremy Laidman <jeremy at laidman.org> wrote:
On Wed, 30 Aug 2023, Jeremy Laidman wrote:
Date: Wed, 30 Aug 2023 15:33:40 +1000 From: Jeremy Laidman <jeremy at laidman.org> To: Vernon Everett <everett.vernon at gmail.com> Cc: Xymon mailinglist <xymon at xymon.com> Subject: Re: [Xymon] SSL/TLS cert monitoring
- I need to monitor the certs on a few web sites that are only reachable through the proxy. Not sure how to do that.
Alas, not out of the box. The man page for hosts.cfg says, "Note that it is not possible to test https-sites via a proxy".
Another solution would be to run a xymonnet instance on the proxy server and report it back to the main xymond server. NET: in hosts.cfg can be used in this case.
On 30/08/2023 04:31, Vernon Everett wrote:
- I have a few certs local to my client that I need to keep an eye on too. But these are used by applications, and are not related to a web page, so effectively I need to keep tabs on /foo/bar/cert
Here's our perl script for doing this, though it uses a local "SuperHobbit" perl module which manages loading config files so it's not a case of just copy-pasting:
https://gitlab.developers.cam.ac.uk/-/snippets/238
As others have said, all that the script really does is run:
openssl x509 -in MY_CERTIFICATE.pem -noout -enddate
which'll output a single line like:
notAfter=Jul 4 23:59:59 2024 GMT
which is then parsed by perl's str2time() (other date parsing options exist, of course. Thanks to Ralph for pointing out the -dateopt option which I didn't know about, though unfortunately that's not available in the version of openssl as provided by Ubuntu 20.04)
I looked quickly at reimplementing this in python using the standard python 'cryptography' package, but that started to open up cans of worms around version dependencies and how we could make a suitable version of the package available, so I've mentally stalled that idea for now.
Adam
It took a bit of faffing about, but it all came back to me. Eventually. :-)
Here it is, if it's of any use to you. And if you spot any bugs, please give me a shout.
#!/bin/bash
export PATH=/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
export CERT_DIR='/etc/pki/tls/certs'
export EPOCH_DAY='86400'
export TODAY="$(date +%s)"
export STATUS='green'
# $BBTMP, $XYMON, $XYMSRV and $MACHINE are set by the Xymon client for ext tests
export TEMPFILE=$BBTMP/localcert.$$
date > $TEMPFILE
# For every cert we have...
for CERT in $(find ${CERT_DIR}/*.crt)
do
  LCOL='green'
  # notAfter line from the cert, with the "notAfter=" prefix stripped
  EXPIRE=$(openssl x509 -in ${CERT} -noout -dates 2>/dev/null | awk -F= '/^notAfter/ { print $2; exit }')
  if [ -z "$EXPIRE" ]
  then
    # unreadable or non-PEM file: flag it rather than feeding an empty date to date(1)
    export STATUS='red'
    echo "&red Could not read expiry date from $CERT" >> $TEMPFILE
    continue
  fi
  EXP_EPOCH=$(date -d"$EXPIRE" +%s)
  SECS2GO=$(expr $EXP_EPOCH - $TODAY)
  DAYS2GO=$(expr $SECS2GO / $EPOCH_DAY)
  # 30 days left: yellow (unless something is already red); 15 days left: red
  if [ $DAYS2GO -le 30 -a $STATUS != "red" ]
  then
    export STATUS='yellow'
    LCOL='yellow'
  fi
  if [ $DAYS2GO -le 15 ]
  then
    export STATUS='red'
    LCOL='red'
  fi
  echo "&$LCOL Expires in $DAYS2GO days, on $EXPIRE $CERT" >> $TEMPFILE
done
# overall colour is the worst cert seen; the per-line &colour markers colour each line
$XYMON $XYMSRV "status $MACHINE.localcerts $STATUS $(cat $TEMPFILE)"
rm $TEMPFILE 2>/dev/null
On Wed, 30 Aug 2023 at 18:21, Adam Thorn <alt36 at cam.ac.uk> wrote:
Here's our perl script for doing this, though it uses a local "SuperHobbit" perl module which manages loading config files so it's not a case of just copy-pasting:
https://gitlab.developers.cam.ac.uk/-/snippets/238
I've done this before, but I don't think I still have the script. If you want to mimic the sslcert column for some random SSL certificate file and send it to Xymon, this:
openssl x509 -noout -in my_server.crt -subject -startdate -enddate -issuer -dateopt iso_8601 |
  sed -e 's/notBefore=/start date: /' -e 's/notAfter=/expire date:/'
gets you a block that looks something like the sslcert column:
subject=CN = My Server Cert
start date: 2021-01-05 03:57:33Z
expire date:2025-01-05 03:57:33Z
issuer=CN = Some Random CA
You can do some date math on the expiry date to determine when it expires, and then construct a message to send to Xymon.
I'll poke around and see if I can dig up my script.
Ralph Mitchell
On Mon, Aug 28, 2023 at 6:47 PM Vernon Everett <everett.vernon at gmail.com> wrote:
Ralph's approach is probably the best.
Note to others who have kindly provided suggestions in this thread: the key requirement is to check a certificate *file* (eg mycert.cer), not a certificate used by a website or any networked service. There's no SSL/TLS involved here, so the https test won't work. Certs are used for more than just websites. An example of this might be a certificate file that's used to sign a logfile after rotation, so that the log's veracity can be verified later, for forensics. The https test is not suitable to check a file, only a website or other SSL/TLS endpoint.
An alternative to Ralph's idea that might work, and requires no scripting, might be to configure the webserver used by Xymon so that the certificate files are somehow exposed and used in a TLS interaction, and thus become testable by the Xymonnet https test. I imagine each cert file would need to be configured in a snippet of the Apache (if that's the webserver) config file, so that each cert is used to protect a subset of the website. A bit messy, and probably a challenge to maintain, but it could probably be done without scripting. Similarly, you could run an instance of stunnel for each cert file, each on a different port (if multiple files exist on a host).
If it were me, I'd use Ralph's idea in a script, and simulate the message that xymonnet would send for a cert used for a website.
On Tue, 29 Aug 2023 at 12:19, Ralph M <ralphmitchell at gmail.com> wrote:
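Added example for this thread (my own code, not Xymon's and not the script of any poster): a Python version of the "build the message yourself" idea that Jeremy describes above and that Vernon's bash script and Ralph's openssl command implement in the shell. It takes the text that curl -v (Jeremy's approach) or openssl x509 -noout -dates, with or without -dateopt iso_8601 (Ralph's and Vernon's approach), prints, parses the expiry date, applies ssldays-style WARN:CRIT thresholds, and returns the text an ext test would pass to $XYMON $XYMSRV, both as a per-host sslcert column and as a Vernon-style localcerts column with one &colour line per file. The sample outputs, hostnames, file paths, fixed clock and thresholds (22:15 and 30:15) are constructed for the example; the only Xymon conventions relied on are the "status HOST.TEST COLOUR" message, dots in hostnames sent as commas, and &colour line prefixes. It goes slightly beyond the thread by accepting all three date layouts quoted in it and by flagging an unreadable certificate red instead of skipping it.

```python
"""Build Xymon sslcert / localcerts status messages from certificate expiry
text, offline.  Added example for the thread; not code from Xymon or from
any poster's script.  Hostnames, dates, thresholds and samples are constructed."""
import re
from datetime import datetime, timezone

# Date layouts quoted in the thread: curl -v and openssl default,
# openssl -dateopt iso_8601, and xymonnet's own sslcert column.
_DATE_FORMATS = (
    "%b %d %H:%M:%S %Y GMT",   # Nov 14 13:20:12 2023 GMT
    "%Y-%m-%d %H:%M:%SZ",      # 2025-01-05 03:57:33Z
    "%Y-%m-%d %H:%M:%S GMT",   # 2023-02-27 17:04:27 GMT
)
_RANK = {"green": 0, "yellow": 1, "red": 2}


def parse_cert_date(text):
    """Parse one notAfter/notBefore value into an aware UTC datetime."""
    norm = " ".join(text.split())  # openssl pads single-digit days: "Jul  4"
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(norm, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised certificate date: %r" % text)


def extract_dates(output):
    """(start, expire) strings from curl -v or openssl x509 output; a value
    is None when its line is absent (e.g. the TLS handshake never happened)."""
    start = re.search(r"(?:start date|notBefore)\s*[:=]\s*([^\r\n]+)", output)
    expire = re.search(r"(?:expire date|notAfter)\s*[:=]\s*([^\r\n]+)", output)
    return (start.group(1).strip() if start else None,
            expire.group(1).strip() if expire else None)


def days_left(expire_text, now):
    """Whole days until expiry; timedelta.days floors, so any past date is < 0."""
    return (parse_cert_date(expire_text) - now).days


def colour_for(days, warn, crit):
    """ssldays=WARN:CRIT style thresholds, inclusive like Vernon's -le tests."""
    if days <= crit:
        return "red"
    if days <= warn:
        return "yellow"
    return "green"


def _describe(days):
    return "expired %d days ago" % -days if days < 0 else "expires in %d days" % days


def _stamp(now):
    return now.strftime("%a %b %d %H:%M:%S UTC %Y")


def sslcert_status(host, output, now, warn=22, crit=15):
    """Message xymonnet's sslcert test would send for HOST, built from text
    captured with curl -v or openssl x509.  Xymon wants the dots of a
    hostname sent as commas in 'status host.test' lines."""
    xhost = host.replace(".", ",")
    start, expire = extract_dates(output)
    if expire is None:
        return "red", "status %s.sslcert red %s\n\nCould not read certificate expiry\n" % (xhost, _stamp(now))
    days = days_left(expire, now)
    colour = colour_for(days, warn, crit)
    body = ("SSL certificate for https://%s/ %s\n\nServer certificate:\n"
            "\tstart date: %s\n\texpire date: %s\n"
            % (host, _describe(days), start or "unknown", expire))
    return colour, "status %s.sslcert %s %s\n\n%s" % (xhost, colour, _stamp(now), body)


def localcerts_status(machine, cert_outputs, now, warn=30, crit=15):
    """One 'localcerts' column for several on-disk certificates, as Vernon's
    ext script does: an &colour line per file, overall colour = worst line.
    cert_outputs maps file path -> output of 'openssl x509 -noout -dates'."""
    worst, lines = "green", []
    for path, output in sorted(cert_outputs.items()):
        _, expire = extract_dates(output)
        if expire is None:           # unreadable file: flag it, do not skip it
            colour, text = "red", "could not read expiry date"
        else:
            days = days_left(expire, now)
            colour = colour_for(days, warn, crit)
            text = "%s, on %s" % (_describe(days), expire)
        worst = max(worst, colour, key=_RANK.get)
        lines.append("&%s %s %s" % (colour, text, path))
    return worst, "status %s.localcerts %s %s\n\n%s\n" % (
        machine.replace(".", ","), worst, _stamp(now), "\n".join(lines))


# Constructed samples, shaped like the outputs quoted in the thread.
CURL_VERBOSE_OK = """\
* Server certificate:
*  subject: CN=xymon.com
*  start date: Aug 16 13:20:13 2023 GMT
*  expire date: Nov 14 13:20:12 2023 GMT
*  issuer: CN=R3,O=Let's Encrypt,C=US
> HEAD / HTTP/2
"""
OPENSSL_SOON = "notBefore=Jul  4 00:00:00 2023 GMT\nnotAfter=Sep 19 00:00:00 2023 GMT\n"
OPENSSL_ISO = "notBefore=2021-01-05 03:57:33Z\nnotAfter=2025-01-05 03:57:33Z\n"
OPENSSL_EXPIRED = "notBefore=Apr 09 00:00:00 2015 GMT\nnotAfter=Apr 12 23:59:59 2015 GMT\n"
SAMPLE_CERTS = {  # constructed paths
    "/etc/pki/tls/certs/app.crt": OPENSSL_SOON,
    "/etc/pki/tls/certs/logsign.crt": OPENSSL_ISO,
    "/etc/pki/tls/certs/old.crt": OPENSSL_EXPIRED,
}
NOW = datetime(2023, 8, 30, tzinfo=timezone.utc)   # fixed clock for reproducible output

if __name__ == "__main__":
    print(sslcert_status("www.xymon.com", CURL_VERBOSE_OK, NOW)[1])
    print(localcerts_status("app1.example.com", SAMPLE_CERTS, NOW)[1])
```

Run as a script it prints both messages for the constructed samples. To turn it into an ext test, replace the constructed strings with the real subprocess output (curl -Isv ... 2>&1, or openssl x509 -noout -dates per file), use datetime.now(timezone.utc) as the clock, and hand the returned message to $XYMON $XYMSRV exactly as Vernon's script does.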
On 29.08.23 00:46, Vernon Everett wrote:
I cannot remember how we configure those to check for expiration.
Hi Vernon,
if you can reach them via tcp to do a TLS-handshake, something like this
in the /etc/xymon/protocols.cfg might be the solution:
[ntske]
   options ssl
   port 4460
Paths might differ in non-Debian-based setups. ;-)
Otherwise the certificates can be checked with client side plugins. This also works for certificates used as client certificate in some applications.
Kind regards
Lars
--
Lars Kollstedt
Phone: +49 6151 16-71027 E-mail: lk at man-da.de
man-da.de GmbH, Dolivostraße 11, 64293 Darmstadt
Registered office: Darmstadt; Register court: Amtsgericht Darmstadt; Commercial register number: HRB 9484; Managing director: Andreas Ebert