Best way to check ssl cert validation


(Ben Hartwich) #1


I am trying to check the validation of an SSL cert (letsencrypt) and used the ssl check:

object Service "ssl" {
    host_name                         = "Test"
    vars.ssl_sni                      = true
    vars.ssl_port                     = "443"
    // warn / critical when fewer than this many days of validity remain
    vars.ssl_cert_valid_days_warn     = "7"
    vars.ssl_cert_valid_days_critical = "2"
    check_command                     = "ssl"
}

This setting doesn't work, because the sni attribute seems to be broken since the latest update for the monitoring-plugins package in Debian delivers an outdated version of this ssl check. My goal is to verify that a specific hostname is checked for cert validation.

Which other possibilities / patchworks can I use?


You can use the http CheckCommand, look at the http_certificate attribute.


(Carsten Köbke) #3

tcp could also do it.


But tcp and ssl (which is check_tcp under the hood) don’t support SNI.

(Ben Hartwich) #6

No, this setting loads the first available cert like ssl check does. The docu says: “When this option is used the URL is not checked”. So I cannot use it.


Did you also set the http_sni and http_vhost attributes?

When this option is used the URL is not checked.

Means that the http_uri attribute is not considered.

(Carsten Köbke) #8

I should read more carefully :slight_smile: You can try then

(Ben Hartwich) #9

Thanks. The solution in overview:

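object Service "https" {
    host_name             = "Test"
    vars.http_uri         = "/"
    vars.http_vhost       = ""
    // warning,critical thresholds in days of remaining validity
    vars.http_certificate = "7,2"
    // send the vhost name in the TLS handshake so the matching cert is served
    vars.http_sni         = true
    vars.http_ssl         = true
    vars.http_onredirect  = "follow"
    check_command         = "http"
}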
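
Added example, not part of the thread and not Icinga or monitoring-plugins code: a minimal standalone check that sends the hostname via SNI, so the certificate for that specific vhost is the one evaluated, and applies the same 7/2 day thresholds. The function names, the command-line arguments and the "at or below the threshold" comparison are assumptions of this sketch.

```python
import socket
import ssl
import sys
import time

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios/Icinga plugin exit codes

def fetch_not_after(address, server_name, port=443, timeout=10):
    """Connect to address and return notAfter of the cert served for server_name.

    server_hostname puts server_name into the SNI extension. The default
    context also verifies the chain and that the cert covers server_name,
    so a fallback "first available" cert fails the handshake.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()["notAfter"]

def days_left(not_after, now=None):
    """Whole days until notAfter (negative once the cert has expired)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def classify(days, warn=7, crit=2):
    """Map remaining days to a plugin state (assumed: at or below threshold trips)."""
    if days <= crit:
        return CRITICAL
    if days <= warn:
        return WARNING
    return OK

if __name__ == "__main__":
    # usage (hypothetical): check_cert_sni.py <address> <vhost>
    address, vhost = sys.argv[1], sys.argv[2]
    try:
        remaining = days_left(fetch_not_after(address, vhost))
    except ssl.SSLCertVerificationError as exc:
        print(f"CRITICAL - cert served for {vhost} failed verification: {exc}")
        sys.exit(CRITICAL)
    except OSError as exc:
        print(f"CRITICAL - cannot connect to {address}: {exc}")
        sys.exit(CRITICAL)
    state = classify(remaining)
    label = ("OK", "WARNING", "CRITICAL")[state]
    print(f"{label} - cert for {vhost} expires in {remaining} day(s)")
    sys.exit(state)
```
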