Best way to check ssl cert validation

icinga2
check

(Ben Hartwich) #1

Hi,

I try to check the validation of a ssl cert (letsencrypt) and used the ssl check:

object Service "ssl" {
    host_name                         = "Test"
    vars.ssl_sni                      = true
    vars.ssl_port                     = "443"
    vars.ssl_cert_valid_days_warn     = "7"
    vars.ssl_cert_valid_days_critical = "2"
    check_command                     = "ssl"
}

This setting doesn't work, because the SNI attribute seems to be broken since the latest update: the monitoring-plugins package in Debian delivers an outdated version of this ssl check. My goal is to verify that a specific hostname is checked for cert validation.

Which other possibilities / patchworks can I use?


#2

You can use the http CheckCommand, look at the http_certificate attribute.

https://www.icinga.com/docs/icinga2/latest/doc/10-icinga-template-library/#http

Cheers
Michael


(Carsten Köbke) #3

tcp could also do it.
https://www.icinga.com/docs/icinga2/latest/doc/10-icinga-template-library/#tcp


#4

But tcp and ssl (which is check_tcp under the hood) don’t support SNI.

https://www.monitoring-plugins.org/doc/man/check_tcp.html


(Ben Hartwich) #6

No, this setting loads the first available cert like ssl check does. The docu says: “When this option is used the URL is not checked”. So I cannot use it.


#7

Did you also set the http_sni and http_vhost attributes?

When this option is used the URL is not checked.

Means that the http_uri attribute is not considered.


(Carsten Köbke) #8

I should read more carefully 🙂 You can try then https://github.com/matteocorti/check_ssl_cert


(Ben Hartwich) #9

Thanks. The solution in overview:

object Service "https" {
    host_name             = "Test"
    vars.http_uri         = "/"
    vars.http_vhost       = "test.de"
    vars.http_certificate = "7,2"
    vars.http_sni         = true
    vars.http_ssl         = true
    vars.http_onredirect  = "follow"
    check_command         = "http"
}
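As an added example (not code from this thread, from Icinga or from the monitoring-plugins project), here is a small Python stand-in for what that configuration asks check_http to do: connect with SNI set to the vhost, read the certificate the server serves for that name, and grade the remaining validity against the "7,2" warn/critical days. The hostname "test.de" is the thread's placeholder, and the threshold comparison mirrors check_http only approximately.

```python
# Added example, not from the thread or from Icinga: connects with SNI set to
# the vhost, reads the leaf certificate served for that name and grades the
# remaining validity with check_http-style warn/critical day thresholds.
import socket
import ssl
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # plugin exit codes


def parse_thresholds(spec):
    """'7,2' -> (7, 2); a bare '7' -> (7, 0), as check_http's -C accepts."""
    parts = [int(p) for p in spec.split(",")]
    return parts[0], (parts[1] if len(parts) > 1 else 0)


def grade_days(days_left, warn_days, crit_days):
    """Whole days of validity left -> (state, message)."""
    if days_left < 0:
        return CRITICAL, f"certificate expired {-days_left} day(s) ago"
    if days_left <= crit_days:
        return CRITICAL, f"certificate expires in {days_left} day(s)"
    if days_left <= warn_days:
        return WARNING, f"certificate expires in {days_left} day(s)"
    return OK, f"certificate valid for {days_left} more day(s)"


def fetch_not_after(host, port, sni_name, timeout=10):
    """TLS-connect to host:port with SNI = sni_name; return notAfter (UTC).
    The default context verifies the chain and the name, so a server that
    answers with a cert for some other vhost fails here instead of passing."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            cert = tls.getpeercert()
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    return datetime.fromtimestamp(expiry, tz=timezone.utc)


def check_cert(host, sni_name, spec="7,2", port=443):
    """Run the check; returns (exit_code, message) for the cert of sni_name."""
    warn, crit = parse_thresholds(spec)
    try:
        not_after = fetch_not_after(host, port, sni_name)
    except ssl.SSLCertVerificationError as exc:
        return CRITICAL, f"cert for {sni_name} failed verification: {exc}"
    except (OSError, ssl.SSLError) as exc:
        return UNKNOWN, f"cannot fetch cert from {host}:{port}: {exc}"
    days_left = (not_after - datetime.now(timezone.utc)).days
    return grade_days(days_left, warn, crit)
```

`check_cert("test.de", "test.de")` returns the plugin state and message; the first argument is where to connect, the second is the name sent in SNI and verified against the certificate, which is exactly the distinction the thread is about.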