Comments on: Monitoring SSL certificate expiration with Nagios http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/ Storie, esperienze e pensieri da Dublino. Fri, 10 Feb 2012 07:25:37 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Bookmarks about Informatica http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-39284 Bookmarks about Informatica Wed, 29 Apr 2009 20:30:14 +0000 http://blog.angelofailla.com/?p=873#comment-39284 [...] - bookmarked by 2 members originally found by silvertear23 on 2009-04-01 Monitoring SSL certificate expiration with Nagios http://www.vitadiunsysadmin.net/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/ - [...]<div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('39284','Bookmarks about Informatica'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('39284','Bookmarks about Informatica','[...] - bookmarked by 2 members originally found by silvertear23 on 2009-04-01 Monitoring SSL certificate expiration with Nagios http:\/\/www.vitadiunsysadmin.net\/2008\/07\/17\/monitoring-ssl-certificate-expiration-with-nagios\/ - [...]'); return false;">Quote</a></div> [...] – bookmarked by 2 members originally found by silvertear23 on 2009-04-01 Monitoring SSL certificate expiration with Nagios http://www.vitadiunsysadmin.net/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/ – [...]
ReplyQuote
]]> By: Recent URLs tagged Nagios - Urlrecorder http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-35781 Recent URLs tagged Nagios - Urlrecorder Mon, 09 Feb 2009 02:01:08 +0000 http://blog.angelofailla.com/?p=873#comment-35781 [...] Recent public urls tagged "nagios" → Monitoring SSL certificate expiration with Nagios [...]<div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('35781','Recent URLs tagged Nagios - Urlrecorder'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('35781','Recent URLs tagged Nagios - Urlrecorder','[...] Recent public urls tagged \"nagios\" → Monitoring SSL certificate expiration with Nagios [...]'); return false;">Quote</a></div> [...] Recent public urls tagged “nagios” → Monitoring SSL certificate expiration with Nagios [...]
ReplyQuote
]]> By: pallotron http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-28091 pallotron Sat, 19 Jul 2008 07:50:42 +0000 http://blog.angelofailla.com/?p=873#comment-28091 si ok, rimane il fatto che pero' io li non posso mettere altri binari :P sembri quasi il mio collega <b>polacchio!</b> :D<div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('28091','pallotron'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('28091','pallotron','si ok, rimane il fatto che pero\' io li non posso mettere altri binari :P\r\n\r\nsembri quasi il mio collega <b>polacchio!<\/b> :D'); return false;">Quote</a></div> si ok, rimane il fatto che pero’ io li non posso mettere altri binari :P

sembri quasi il mio collega polacchio! :D

ReplyQuote
]]> By: Angelo http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-28088 Angelo Sat, 19 Jul 2008 05:38:11 +0000 http://blog.angelofailla.com/?p=873#comment-28088 check http in effetti controlla di default la porta https (443), ma con il parametro -p ovviamente si può deviare verso qualsiasi porta quindi ad esempio: /usr/lib/nagios/plugins/check_http www.verisign.com -C 14 -p 80 CRITICAL - Cannot make SSL connection 5888:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:583: CRITICAL - Cannot retrieve server certificate.<div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('28088','Angelo'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('28088','Angelo','check http in effetti controlla di default la porta https (443), ma con il parametro -p ovviamente si può deviare verso qualsiasi porta quindi ad esempio:\r\n\/usr\/lib\/nagios\/plugins\/check_http www.verisign.com -C 14 -p 80\r\nCRITICAL - Cannot make SSL connection\r\n5888:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:583:\r\nCRITICAL - Cannot retrieve server certificate.'); return false;">Quote</a></div> check http in effetti controlla di default la porta https (443), ma con il parametro -p ovviamente si può deviare verso qualsiasi porta quindi ad esempio:
/usr/lib/nagios/plugins/check_http http://www.verisign.com -C 14 -p 80
CRITICAL – Cannot make SSL connection
5888:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:583:
CRITICAL – Cannot retrieve server certificate.
Replyhttp://www.verisign.com -C 14 -p 80\r\nCRITICAL – Cannot make SSL connection\r\n5888:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:583:\r\nCRITICAL – Cannot retrieve server certificate.’); return false;”>Quote
]]> By: pallotron http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-28074 pallotron Fri, 18 Jul 2008 21:30:35 +0000 http://blog.angelofailla.com/?p=873#comment-28074 ah talaltro check_http funziona solo con https... guarda: <pre> fenix# ./check_http -w 5 -c 10 --ssl -H mail.dyne.org -C 10 OK - Certificate will expire on 02/04/2009 19:45 </pre> ma tcpdump dice: <pre> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes 23:48:17.876656 IP fenix.olocolors.org.54234 > tamarindo.dyne.org.https: S 2542887467:2542887467(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1289231354 0,sackOK,eol> </pre> quindi non ho scritto proprio qualcosa di inutile...<div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('28074','pallotron'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('28074','pallotron','ah talaltro check_http funziona solo con https... guarda:\r\n\r\n<pre>\r\nfenix# .\/check_http -w 5 -c 10 --ssl -H mail.dyne.org -C 10\r\nOK - Certificate will expire on 02\/04\/2009 19:45\r\n<\/pre>\r\n\r\nma tcpdump dice:\r\n\r\n<pre>\r\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode\r\nlistening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes\r\n23:48:17.876656 IP fenix.olocolors.org.54234 > tamarindo.dyne.org.https: S 2542887467:2542887467(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1289231354 0,sackOK,eol>\r\n<\/pre>\r\n\r\nquindi non ho scritto proprio qualcosa di inutile...'); return false;">Quote</a></div> ah talaltro check_http funziona solo con https… guarda:

fenix# ./check_http -w 5 -c 10 --ssl -H mail.dyne.org -C 10
OK - Certificate will expire on 02/04/2009 19:45

ma tcpdump dice:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
23:48:17.876656 IP fenix.olocolors.org.54234 > tamarindo.dyne.org.https: S 2542887467:2542887467(0) win 65535

quindi non ho scritto proprio qualcosa di inutile…

ReplyQuote
]]> By: Ale http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-28073 Ale Fri, 18 Jul 2008 21:26:09 +0000 http://blog.angelofailla.com/?p=873#comment-28073 Ah, adesso ho visto dove sta l'icona del rss...lol<div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('28073','Ale'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('28073','Ale','Ah, adesso ho visto dove sta l\'icona del rss...lol'); return false;">Quote</a></div> Ah, adesso ho visto dove sta l’icona del rss…lol
ReplyQuote
]]> By: pallotron http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-28071 pallotron Fri, 18 Jul 2008 21:24:00 +0000 http://blog.angelofailla.com/?p=873#comment-28071 ok thanks, il problema e' che nell'ambiente io cui lavoravo io c'e' una versione dei plugin nagios purgata di tutto. e check_http e' un binario C compilato, che in quella installazione non esiste :D quindi cari lettori, dite grazie al mio omonimo. comunque per dare un servizio migliore ai lettori il comando giusto e' per esempio: <pre> fenix# ./check_http -w 5 -c 10 --ssl -Hwww.verisign.com -C 10 OK - Certificate will expire on 05/08/2009 23:59. </pre> dove C indica il numero di giorni. <blockquote> This plugin can also check whether an SSL enabled web server is able to serve content (optionally within a specified time) or whether the X509 certificate is still valid for the specified number of days. Examples: CHECK CONTENT: check_http -w 5 -c 10 --ssl -H www.verisign.com When the 'www.verisign.com' server returns its content within 5 seconds, a STATE_OK will be returned. When the server returns its content but exceeds the 5-second threshold, a STATE_WARNING will be returned. When an error occurs, a STATE_CRITICAL will be returned. CHECK CERTIFICATE: check_http -H www.verisign.com -C 14 When the certificate of 'www.verisign.com' is valid for more than 14 days, a STATE_OK is returned. When the certificate is still valid, but for less than 14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when the certificate is expired. </blockquote><div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('28071','pallotron'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('28071','pallotron','ok thanks,\r\nil problema e\' che nell\'ambiente io cui lavoravo io c\'e\' una versione dei plugin nagios purgata di tutto. e check_http e\' un binario C compilato, che in quella installazione non esiste :D\r\n\r\nquindi cari lettori, dite grazie al mio omonimo.\r\ncomunque per dare un servizio migliore ai lettori il comando giusto e\' per esempio:\r\n\r\n<pre>\r\nfenix# .\/check_http -w 5 -c 10 --ssl -Hwww.verisign.com -C 10\r\nOK - Certificate will expire on 05\/08\/2009 23:59.\r\n<\/pre>\r\n\r\ndove C indica il numero di giorni.\r\n\r\n<blockquote>\r\nThis plugin can also check whether an SSL enabled web server is able to serve content (optionally within a specified time) or whether the X509 certificate is still valid for the specified number of days.\r\nExamples: \r\n\r\nCHECK CONTENT: check_http -w 5 -c 10 --ssl -H www.verisign.com\r\n\r\nWhen the \'www.verisign.com\' server returns its content within 5 seconds, a STATE_OK will be returned. When the server returns its content but exceeds the 5-second threshold, a STATE_WARNING will be returned. When an error occurs, a STATE_CRITICAL will be returned.\r\n\r\nCHECK CERTIFICATE: check_http -H www.verisign.com -C 14\r\n\r\nWhen the certificate of \'www.verisign.com\' is valid for more than 14 days, a STATE_OK is returned. When the certificate is still valid, but for less than 14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when the certificate is expired.\r\n<\/blockquote>'); return false;">Quote</a></div> ok thanks,
il problema e’ che nell’ambiente io cui lavoravo io c’e’ una versione dei plugin nagios purgata di tutto. e check_http e’ un binario C compilato, che in quella installazione non esiste :D

quindi cari lettori, dite grazie al mio omonimo.
comunque per dare un servizio migliore ai lettori il comando giusto e’ per esempio:

fenix# ./check_http -w 5 -c 10 --ssl -Hwww.verisign.com -C 10
OK - Certificate will expire on 05/08/2009 23:59.

dove C indica il numero di giorni.

This plugin can also check whether an SSL enabled web server is able to serve content (optionally within a specified time) or whether the X509 certificate is still valid for the specified number of days.
Examples:

CHECK CONTENT: check_http -w 5 -c 10 –ssl -H http://www.verisign.com

When the ‘www.verisign.com’ server returns its content within 5 seconds, a STATE_OK will be returned. When the server returns its content but exceeds the 5-second threshold, a STATE_WARNING will be returned. When an error occurs, a STATE_CRITICAL will be returned.

CHECK CERTIFICATE: check_http -H http://www.verisign.com -C 14

When the certificate of ‘www.verisign.com’ is valid for more than 14 days, a STATE_OK is returned. When the certificate is still valid, but for less than 14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when the certificate is expired.

Replyhttp://www.verisign.com\r\n\r\nWhen the \’www.verisign.com\’ server returns its content within 5 seconds, a STATE_OK will be returned. When the server returns its content but exceeds the 5-second threshold, a STATE_WARNING will be returned. When an error occurs, a STATE_CRITICAL will be returned.\r\n\r\nCHECK CERTIFICATE: check_http -H http://www.verisign.com -C 14\r\n\r\nWhen the certificate of \’www.verisign.com\’ is valid for more than 14 days, a STATE_OK is returned. When the certificate is still valid, but for less than 14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when the certificate is expired.\r\n<\/blockquote>’); return false;”>Quote
]]> By: Angelo http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-28070 Angelo Fri, 18 Jul 2008 21:04:00 +0000 http://blog.angelofailla.com/?p=873#comment-28070 Veramente il check del certificato lo fa il check_http standard di Nagios :) basta fare check_http --help e viene fuori: check_http -w 5 -c 10 --ssl www.verisign.com<div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('28070','Angelo'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('28070','Angelo','Veramente il check del certificato lo fa il check_http standard di Nagios :) basta fare check_http --help e viene fuori:\r\n\r\ncheck_http -w 5 -c 10 --ssl www.verisign.com'); return false;">Quote</a></div> Veramente il check del certificato lo fa il check_http standard di Nagios :) basta fare check_http –help e viene fuori:

check_http -w 5 -c 10 –ssl http://www.verisign.com

Replyhttp://www.verisign.com‘); return false;”>Quote
]]> By: pallotron http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-28069 pallotron Fri, 18 Jul 2008 20:10:13 +0000 http://blog.angelofailla.com/?p=873#comment-28069 RISPOSTA ALL'OT: ah cettu! cu cu sta parannu! :D<div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('28069','pallotron'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('28069','pallotron','RISPOSTA ALL\'OT: ah cettu! cu cu sta parannu! :D'); return false;">Quote</a></div> RISPOSTA ALL’OT: ah cettu! cu cu sta parannu! :D
ReplyQuote
]]> By: barbylucedistelle http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-28067 barbylucedistelle Fri, 18 Jul 2008 19:26:48 +0000 http://blog.angelofailla.com/?p=873#comment-28067 OT: direi che cambiare il server fu proprio una idea azzeccata<div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('28067','barbylucedistelle'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('28067','barbylucedistelle','OT: direi che cambiare il server fu proprio una idea azzeccata'); return false;">Quote</a></div> OT: direi che cambiare il server fu proprio una idea azzeccata
ReplyQuote
]]>