Purnadi K

Simple Check for SSL Cert Expiration Monitoring


Monitoring SSL certificate expiry days can be done in LogicMonitor by making use of the datasource SSLCerts- (SSL Certificate Expiration). On a side note, an SSL certificate is used for certifying a web server that does the secure socket layer data encryption between a web server and a client (web browser). SSL certificates are issued by several organizations/companies, so-called Certificate Authorities (CAs), for the purpose of establishing the legitimacy of the web servers that encrypt the data for communication. The certificates issued are digitally signed by those CAs and can be trusted by the client based on the root certificates installed in the common browsers. It is, however, possible to create a self-signed certificate, which in this case is used for testing purposes. Data will still be encrypted, but the certificate will not be trusted by the client browsers.

When a device with an SSL certificate installed has been added to LogicMonitor, that datasource will rightfully be auto-applied, as with other normal datasources, and after some collection cycles the data for the certificate's remaining days to expiry should appear. Under circumstances where the monitoring does not work as normal, the common recommendation is to go through the following simple procedure:

1) Device check, whether or not the SSL certificate has been configured properly

2) Accessibility from the collector

3) Data collection test from the collector

 

1) The first step is to check whether the SSL certificate is properly configured on the web server.

- Each web server may have a different way of setting up the certificate; the following is an example for NGINX and IIS:

ssl_certificate "/etc/cert/nginx/private/[cert name].crt";
ssl_certificate_key "/etc/cert/nginx/private/[cert name].key";

[Image: Windows (IIS) certificate configuration]

- An open-port check is worthwhile as well; the expected output from the check is shown below (note: the port may be bound to all interfaces or possibly to only one interface on the web server):

Linux: 

tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN

Windows:

TCP    0.0.0.0:443            0.0.0.0:0              LISTENING

2) The next check is to access the web server from the collector (obviously the collector must be able to reach the device where the web server is installed):

Note: The collector debug window is needed for this check; please refer to this article: https://www.logicmonitor.com/support/settings/collectors/using-the-collector-debug-facility/

- The main command is simply !http (help !http will give info on the command itself):

$ !http https://10.13.13.9
HTTP response received at at: 2017-03-26 16:28:55.581. Time elapsed: 20ms
HTTP/1.1 200 OK
Server: nginx/1.10.2
Date: Sun, 26 Mar 2017 08:28:55 GMT
Content-Type: text/html
Content-Length: 5948
Last-Modified: Wed, 04 Jan 2017 08:44:56 GMT
Connection: keep-alive
ETag: "586cb608-173c"
Accept-Ranges: bytes

This shows that the web server is accessible on port 443 (HTTPS) with response code 200, as follows:

[Image: !http output from the collector debug window]

3) The last check is whether the data, i.e. the remaining days until the certificate expires, can be collected from the collector. The collector debug window is still needed for this check.

For Linux collector:

$ !java -cp ../lib/certexpire.jar CertificateExpire /usr/local/logicmonitor/agent 10.13.13.9   10.13.13.9   443  true
Enable debug SSL cert
Get the support protocol, protocols=SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2,
Get the enabled protocol, protocols=TLSv1,TLSv1.1,TLSv1.2,
Try to send request to server.
Request send ...
TrustManager: checkServerTrusted got 1 certs. Auth type: ECDHE_RSA
Exception caught - java.security.cert.CertificateException: Certificate received.
    Certification 1 [Type: X.509]
        Issue Date: Mon Jan 02 17:51:51 SGT 2017, Expiration Date: Sat Jul 01 17:51:51 SGT 2017
Got issue date - Mon Jan 02 17:51:51 SGT 2017, expiration date - Sat Jul 01 17:51:51 SGT 2017
97

 

For Windows collector:

$ !java -cp ../lib/certexpire.jar CertificateExpire "C:\Program Files (x86)\LogicMonitor\Agent" fspk.lmsupport.com fspk.lmsupport.com 443 true
Enable debug SSL cert
Get the support protocol, protocols=SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2,
Get the enabled protocol, protocols=TLSv1,TLSv1.1,TLSv1.2,
Try to send request to server.
Request send ...
TrustManager: checkServerTrusted got 1 certs. Auth type: DHE_RSA
Exception caught - java.security.cert.CertificateException: Certificate received.
    Certification 1 [Type: X.509]
        Issue Date: Thu Feb 02 03:16:57 PST 2017, Expiration Date: Sat Feb 02 03:16:57 PST 2019
Got issue date - Thu Feb 02 03:16:57 PST 2017, expiration date - Sat Feb 02 03:16:57 PST 2019
660

- The basic command is !java; the complete format is:

!java -cp ../lib/certexpire.jar CertificateExpire [collector installation folder] [device name/IP address]   [device name/IP address]   443 true 

Note:

* certexpire.jar is in the library folder of the collector agent

* device name/IP address is the web server that is registered/added in the LogicMonitor portal

* collector installation folder is either "C:\Program Files (x86)\LogicMonitor\Agent" or /usr/local/logicmonitor/agent

The data collected can be verified on the device where the SSL certificate is installed by accessing the web server in a browser and viewing the details of the certificate loaded in the browser, as follows:

[Image: certificate details as shown in the browser]

Once all the checks above have been gone through with good results, it will produce this monitoring in LogicMonitor, as follows:

[Image: SSL certificate expiration monitoring in LogicMonitor]

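As an added example (not part of the original post and not LogicMonitor's certexpire.jar), here is a stdlib-only Python equivalent of step 3: fetch the leaf certificate and compute the days until its notAfter date. Python's getpeercert() returns an empty dict when the chain was not verified, so for self-signed test certificates the DER bytes are fetched and the Validity field is walked by hand; the function names and the constructed sample certificate are assumptions, with the validity dates taken from the NGINX output above (SGT converted to UTC).

```python
import socket, ssl
from datetime import datetime, timezone

def _tlv_at(buf, pos):
    """Decode one DER tag/length header; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def cert_validity(der):
    """Walk a DER X.509 certificate to its Validity field; return (notBefore, notAfter) in UTC."""
    _, pos, _ = _tlv_at(der, 0)                        # Certificate SEQUENCE
    _, pos, _ = _tlv_at(der, pos)                      # tbsCertificate SEQUENCE
    tag, _, end = _tlv_at(der, pos)
    if tag == 0xA0:                                    # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                                 # serialNumber, signature, issuer
        _, _, pos = _tlv_at(der, pos)
    _, pos, _ = _tlv_at(der, pos)                      # validity SEQUENCE
    times = []
    for _ in range(2):                                 # notBefore, notAfter
        tag, start, pos = _tlv_at(der, pos)
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
        times.append(datetime.strptime(der[start:pos].decode("ascii"), fmt).replace(tzinfo=timezone.utc))
    return times[0], times[1]

def days_until_expiry(der, now=None):
    """Whole days before notAfter, the value the SSLCerts- datasource graphs (negative once expired)."""
    return (cert_validity(der)[1] - (now or datetime.now(timezone.utc))).days

def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Fetch the server's leaf certificate as DER without chain validation, so self-signed certs are returned."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def _tlv(tag, value):                                  # DER encoder for the constructed sample (short lengths only)
    return bytes([tag, len(value)]) + value

# Constructed sample certificate (hypothetical, not from the page): only the fields up to Validity
# are present, with the NGINX example's dates converted from SGT (UTC+8) to UTC.
SAMPLE_DER = _tlv(0x30, _tlv(0x30,
    _tlv(0xA0, _tlv(0x02, b"\x02")) +                  # version v3
    _tlv(0x02, b"\x01") +                              # serialNumber
    _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")) +   # sha256WithRSAEncryption
    _tlv(0x30, b"") +                                  # issuer (empty in the sample)
    _tlv(0x30, _tlv(0x17, b"170102095151Z") + _tlv(0x17, b"170701095151Z"))))
```

Evaluated at the moment of the !http check above (2017-03-26 08:28:55 GMT), days_until_expiry(SAMPLE_DER, ...) gives 97, the same figure the collector printed; for a live host use days_until_expiry(fetch_leaf_cert("10.13.13.9")).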
Guest Kaushal

Can we use this to monitor SSL certs on AWS ELBs discovered by the CloudWatch plugin? If not, is there any way to monitor SSL certs on the ELBs using LogicMonitor?


Hi Anil, I have a doubt, since SHA1 is slowly losing proponents due to its security flaw (and our collectors are more and more equipped with the latest security patches :). You can try though; any device in your portal to test?

Please don't tell me here :) You can open an email ticket to inform me of the device and I will test it out.

Edited by Purnadi K

Guest Rey Mijares

Is it possible for this script to also retrieve more info from the cert, like all the details you are showing in the screenshot above?


If you're monitoring a Windows environment, you may have another DS in your deployment, "WinCertCheck", that is turned off by default. I have another thread on this forum with the changes that need to be made to make it work correctly; then just set it to isWindows() instead of false() in your appliesTo and you'll get a bit more data that allows for better diagnostics. It's MUCH more aggressive about finding certs on your systems than the SSL DS is... so bear that in mind; you'll need to take a while turning off certs that you don't need to monitor. At scale, this can be cumbersome. I'm working on a script that will help alleviate that part... (i.e. stop alerting on all instances with a given thumbprint).


I've lightened the load slightly on the winCertCheck (which is technically no longer the same DS, as I've replaced the entirety of the scripts with simplified .NET-based PowerShell scripts to avoid using Invoke-Command, which tends to lead to some resource constraint issues). This should help though, and will keep the same instances alive from the old code, as the output is identical to the previous version by @Jonathan Arnold:

##--------------- Discovery ------------------##
# Open the LocalMachine "root" store on the monitored host read-only and list
# every certificate as "<thumbprint>##<thumbprint>##<subject><friendly name>",
# the wildvalue##wildalias##description line format Active Discovery expects.
$readOnly     = [System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
$localMachine = [System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
$store        = New-Object System.Security.Cryptography.X509Certificates.X509Store( "\\##SYSTEM.SYSNAME##\root", $localMachine )

$store.Open( $readOnly )

$store.Certificates `
| Select-Object {$_.Thumbprint + "##" + $_.Thumbprint + "##" + $_.Subject + $_.FriendlyName} `
| Format-Table -HideTableHeaders
##--------------------------------------------##
##-------------- Counters --------------------##
# Same store; ##WILDVALUE## is the thumbprint of the discovered instance, and the
# collected datapoint is the number of whole days until the certificate's NotAfter.
$readOnly     = [System.Security.Cryptography.X509Certificates.OpenFlags]"ReadOnly"
$localMachine = [System.Security.Cryptography.X509Certificates.StoreLocation]"LocalMachine"
$store        = New-Object System.Security.Cryptography.X509Certificates.X509Store( "\\##SYSTEM.SYSNAME##\root", $localMachine )

$store.Open( $readOnly )

$store.Certificates `
| Where-Object {($_.Thumbprint -like "##WILDVALUE##")} `
| Select-Object @{
    Name       = "DaysUntilExpire"
    Expression = {((Get-Date -Date $_.NotAfter) - (Get-Date)).Days}
} `
| Format-List
##--------------------------------------------##

(please note the line continuations to help readability of the code)

As always, neither I nor Beyond Impact warrant this code. It's working in our environment; I can't guarantee it'll work in yours. This doesn't account for anything that needs credentials other than what the collector uses.

Edited by Cole McDonald
addendum
