Rodger Keesee

SSL Cert expiration alerting


Some other monitoring tools provide SSL certificate monitoring to alert for expiring certs. Really wish LogicMonitor had this. +1 if I could use a collector to monitor for private SSL certs that aren't accessible publicly (like for RDS and the like). 


Hi Rodger -

LogicMonitor does indeed monitor and alert on SSL Cert Expiration.

Look for the datasource named "SSLCerts-", change the Applies To field contents to "true()", and possibly update the Port # List field to contain a comma-separated list of SSL-ized ports on which it should test. This will scan the specified ports across all devices and apply SSL Cert monitoring accordingly.

Newer versions of this datasource have been updated accordingly, so you could alternately just pull down the most recent version from the mothership.

On 5/9/2016 at 4:17 PM, Rodger Keesee said:

Wuut! I searched the documentation (and the forums) and found no mention of this awesomeness. I'll try it out immediately. 

 

Matt is right, there is a simple SSLCerts- DS in the repository. For us, we needed to have a DS with multiple SSL instances and Active Discovery, since our servers have multiple websites/certificates. There are a few ways to do this. I wrote an Active Discovery script in Groovy that SNMP walks IP-MIB::ipAdEntAddr and IP-MIB::ipConnState of the server to automatically find websites based on common SSL ports (we only use 443), then returns the list for monitoring. We then built a dataPoint to fire when the number of days remaining on the given cert is 60 days or less.


The current DS is nice, but is limited. It would be very nice to support SNI and alternate IPs (as mentioned above). This requires we provide a list of certificates to check for, of course, but it should be possible. I suppose this can be done via properties, just need to play with it a bit in Groovy. Multiline properties would make that easier to manage, I imagine.

I have also noted that for graphs used in dashboards, we want to be able to select the "Bottom 10" not "Top 10".  Worked around it by limiting the display to a max of 90 days, but still awkward.  Being able to specify the sort order for datapoints subject to Top 10 would be a generally good addition.

Regards,

Mark


It also appears the SSL cert check only examines when the cert is expiring, not if it has been revoked. Ideally a revocation check would be part of the datasource. 

Jim


Since this does not seem to be getting much attention and it is a critical check to have, I am working from examples that use javax.net.ssl.* to cook up my own check that will allow manual instance FQDN/IP/port specifications (needed for SNI since it is not possible to discover all the certificates on an IP in general) and will work around the continued lack of "Bottom N" graphing by assigning a "lifetime used" score to the certificate based on expiration, so <= 0 will be 100% used and > 0 will be smaller. This will allow identification of the smallest lifetime certificates within the LM graphing framework. It used to be possible to view the certificates expiring soon by setting a graph maximum value, but that no longer works, sadly.

Once I get this working, will update....

Thanks,

Mark

12 minutes ago, mnagel said:

Since this does not seem to be getting much attention and it is a critical check to have, I am working from examples that use javax.net.ssl.* to cook up my own check that will allow manual instance FQDN/IP/port specifications (needed for SNI since it is not possible to discover all the certificates on an IP in general) and will work around the continued lack of "Bottom N" graphing by assigning a "lifetime used" score to the certificate based on expiration, so <= 0 will be 100% used and > 0 will be smaller. This will allow identification of the smallest lifetime certificates within the LM graphing framework. It used to be possible to view the certificates expiring soon by setting a graph maximum value, but that no longer works, sadly.

Once I get this working, will update....

Thanks,

Mark

 

If you're using NET-SNMPd you can use IP-MIB::ipAdEntAddr and IP-MIB::ipConnState to obtain IPs and port numbers that are in LISTEN state. The rest is pretty straightforward.

4 minutes ago, Jessie Bryan said:

If you're using NET-SNMPd you can use IP-MIB::ipAdEntAddr and IP-MIB::ipConnState to obtain IPs and port numbers that are in LISTEN state. The rest is pretty straightforward.

 

That could help in some cases, but not in general. With modern servers, SNI can allow many certificates on one IP. I don't know of any remote check that provides that information in general. SNMP is not necessarily available on all monitored platforms, but if it provided that detail, I would use it of course. I see no solution offhand other than to manually define instances as described. My current work-in-progress output is below -- I still need to figure out how to tell the constructor to specify the FQDN and IP separately.

[mnagel@colby ~]$ groovy getCert.groovy www.google.com 443
  Birth: Wed Apr 05 10:04:11 PDT 2017
  Death: Wed Jun 28 09:56:00 PDT 2017
Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
 Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
   Remaining Days: 69
Lifetime Consumed: 18.1%

The last value is the one we will care about -- that will allow graphs to show the top 10 or top 25 soon-to-expire certificates again, which is impossible now without negating the remaining days value and having to explain why that looks so weird :).

Thanks,

Mark
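As an added example, not code from this thread or from LogicMonitor: a stand-alone Groovy script that does what Mark's post is working toward, TCP-connecting to a given IP while sending a separate FQDN as the SNI name (the host argument of createSocket() is what Java uses for SNI), reading the leaf certificate even when it has already expired, and computing the remaining-days and "lifetime consumed" datapoints (100% once remaining days <= 0). The names www.example.com, api.example.com and 192.0.2.10 are placeholders, and as Jim notes above this checks expiry only, not revocation.

```groovy
import javax.net.ssl.*
import java.security.cert.X509Certificate
// Captures the presented chain instead of validating it: the monitor must still
// read a certificate that has already expired, and no data is ever sent on this socket.
class ChainCapture implements X509TrustManager {
    X509Certificate[] chain = null
    void checkClientTrusted(X509Certificate[] c, String authType) {}
    void checkServerTrusted(X509Certificate[] c, String authType) { chain = c }
    X509Certificate[] getAcceptedIssuers() { new X509Certificate[0] }
}

// TCP-connect to ip:port, but pass fqdn as the host argument of createSocket():
// Java sends that name as the TLS SNI server_name, so one IP can yield many certs.
X509Certificate fetchLeafCert(String fqdn, String ip, int port, int timeoutMs = 5000) {
    def capture = new ChainCapture()
    def ctx = SSLContext.getInstance("TLS")
    ctx.init(null, [capture] as TrustManager[], null)
    def plain = new Socket()
    plain.connect(new InetSocketAddress(ip, port), timeoutMs)
    plain.soTimeout = timeoutMs
    SSLSocket tls = (SSLSocket) ctx.socketFactory.createSocket(plain, fqdn, port, true)
    try {
        tls.startHandshake()
        return capture.chain[0]   // the leaf (end-entity) cert is first in the chain
    } finally {
        tls.close()
    }
}

// Datapoints: remaining days (rounded up) and the "lifetime consumed" percentage,
// pinned to 100 once remaining days <= 0 so a Top-N graph surfaces the worst certs.
Map lifetime(Date notBefore, Date notAfter, Date now = new Date()) {
    long remainingMs = notAfter.time - now.time
    int remainingDays = (int) Math.ceil(remainingMs / 86400000.0d)
    double used = 100.0d * (now.time - notBefore.time) / (notAfter.time - notBefore.time)
    double consumed = remainingMs <= 0 ? 100.0d : Math.max(0.0d, Math.min(100.0d, used))
    [remainingDays: remainingDays, lifetimeConsumed: Math.round(consumed * 10) / 10.0d]
}

// Usage: groovy getCertSni.groovy <fqdn> <ip> <port>, e.g. www.example.com 192.0.2.10 443
// and api.example.com 192.0.2.10 443 (placeholder names) to see two certs on one IP.
def (fqdn, ip, port) = [args[0], args[1], args[2] as int]
def cert = fetchLeafCert(fqdn, ip, port)
def stats = lifetime(cert.notBefore, cert.notAfter)
println "  Birth: ${cert.notBefore}"
println "  Death: ${cert.notAfter}"
println "Subject: ${cert.subjectX500Principal.name}"
println " Issuer: ${cert.issuerX500Principal.name}"
println "   Remaining Days: ${stats.remainingDays}"
println "Lifetime Consumed: ${stats.lifetimeConsumed}%"
```

Because the trust manager accepts any chain, the socket is closed right after the handshake and is never used to exchange application data; the two numbers from lifetime() are what would feed the datapoints and the 60-day style threshold discussed earlier in the thread.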

