Project: Data Management
Issue: DM-11425

add ~60 day tls cert expiration monitoring checks

Activity
Adam Thornton added a comment - See https://www.monitoring-plugins.org/doc/man/check_http.html

Joshua Hoblitt added a comment -

          I can't figure out how to get check_http to ignore the HTTP status code while validating the x509 cert, which means the cert check is tied to auth/etc. working. I tend to lean towards several smaller tests even though it is less efficient – I don't think efficiency is a concern at our present scale.

          I've identified another check plugin that appears to be able to test only the x509 cert https://matteocorti.github.io/check_ssl_cert/

          [root@1c20c333e9ed /]# ./check_ssl_cert -H ci.lsst.codes -w 90 -c 60
          SSL_CERT OK - X.509 certificate '*.lsst.codes' from 'AlphaSSL CA - SHA256 - G2' valid until Sep  7 16:38:00 2018 GMT (expires in 398 days)|days=398;90;60;;

          It also has an ssl labs mode that might be useful as once a day/week check:

          [root@1c20c333e9ed /]# ./check_ssl_cert -H ci.lsst.codes -w 90 -c 60 --verbose --check-ssl-labs b
          expect not available
          timeout available (/usr/bin/timeout)
          found GNU date with timestamp support: enabling date computations
          downloading certificate to /tmp
          parsing the certificate file
          The certificate will expire in 398 day(s)
          Checking SSL Labs assestment
          SSL Labs cannot resolve the domain name
          Waiting 60 seconds
          Warning: no cached data by SSL Labs, check initiated
          Waiting 60 seconds
          SSL Labs grade: F
          SSL_CERT CRITICAL ci.lsst.codes: SSL Labs grade is F (instead of b)|days=398;90;60;; ssllabs=0%;;65

          what do you think?
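The point raised above is that the certificate check should not depend on the HTTP status code the server returns. An added example (not check_ssl_cert, check_http, or any code from this ticket) that does the same expiry check at the TLS layer only, with the same -w/-c day thresholds and Nagios-style perfdata as the check_ssl_cert output shown above. The threshold rule (CRITICAL below the critical day count, WARNING below the warning day count) and the output wording are assumptions chosen to mirror that output; the hostname is only an argument.

```python
"""Nagios-style TLS certificate expiry check (added example, not the plugin
discussed in the ticket). The certificate is read from a bare TLS handshake,
so no HTTP request is made and the result is independent of auth/status codes."""
import argparse
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

# Standard Nagios/Icinga plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}


def evaluate_expiry(not_after, now, warn_days=90, crit_days=60, subject="?"):
    """Map a certificate's notAfter time to (exit code, plugin output line).

    Threshold convention (assumed, mirroring '-w 90 -c 60' in the ticket):
    CRITICAL if already expired or fewer than crit_days remain, WARNING if
    fewer than warn_days remain, otherwise OK. Both datetimes must be aware.
    """
    remaining = not_after - now
    days_left = remaining.days  # floors, so it goes negative once expired
    if remaining.total_seconds() <= 0:
        state, detail = CRITICAL, "expired %d day(s) ago" % (-days_left)
    elif days_left < crit_days:
        state, detail = CRITICAL, "expires in %d days" % days_left
    elif days_left < warn_days:
        state, detail = WARNING, "expires in %d days" % days_left
    else:
        state, detail = OK, "expires in %d days" % days_left
    # Perfdata: label=value;warn;crit;; (check_ssl_cert emits the same shape).
    line = "SSL_CERT %s - X.509 certificate '%s' valid until %s (%s)|days=%d;%d;%d;;" % (
        STATE_NAMES[state], subject,
        not_after.strftime("%b %d %H:%M:%S %Y GMT"), detail,
        days_left, warn_days, crit_days)
    return state, line


def fetch_leaf_cert(host, port=443, timeout=10):
    """Do a TLS handshake only (no HTTP) and return (subject CN, notAfter as
    aware UTC datetime). Requires network access; chain validation is on by
    default, so an untrusted chain raises ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                       tz=timezone.utc)
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"),
              host)
    return cn, not_after


def main(argv=None):
    p = argparse.ArgumentParser(description="TLS certificate expiry check")
    p.add_argument("-H", "--host", required=True)
    p.add_argument("-p", "--port", type=int, default=443)
    p.add_argument("-w", "--warning", type=int, default=90, help="warn below N days")
    p.add_argument("-c", "--critical", type=int, default=60, help="critical below N days")
    args = p.parse_args(argv)
    try:
        cn, not_after = fetch_leaf_cert(args.host, args.port)
    except (OSError, ssl.SSLError) as exc:
        print("SSL_CERT UNKNOWN - %s: %s" % (args.host, exc))
        return UNKNOWN
    state, line = evaluate_expiry(not_after, datetime.now(timezone.utc),
                                  args.warning, args.critical, cn)
    print(line)
    return state


if __name__ == "__main__":
    sys.exit(main())
```

Run as `./check_tls_expiry.py -H ci.lsst.codes -w 90 -c 60`; the exit code is the Nagios state, so it drops into an Icinga command definition the same way the plugins discussed above do. A handshake failure or untrusted chain is reported as UNKNOWN rather than OK, so a broken endpoint cannot masquerade as a healthy certificate.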

Joshua Hoblitt added a comment -

          Changes requested on the GH PR to tidy the PR and not to break existing service configurations (in use or not).

Joshua Hoblitt added a comment -

          I just got a suggestion from the #icinga irc channel to use the -e 403 option on check_http.


People

Assignee: Adam Thornton
Reporter: Joshua Hoblitt
Reviewers: Joshua Hoblitt
Watchers: Adam Thornton, Joshua Hoblitt
