Commenti a: Monitoring SSL certificate expiration with Nagios http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/ Storie, esperienze e pensieri da Dublino. Tue, 24 Aug 2010 22:16:36 +0000 hourly 1 http://wordpress.org/?v=3.0.1 Di: Bookmarks about Informatica http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-39284 Bookmarks about Informatica Wed, 29 Apr 2009 20:30:14 +0000 http://blog.angelofailla.com/?p=873#comment-39284 <p>[...] - bookmarked by 2 members originally found by silvertear23 on 2009-04-01 Monitoring SSL certificate expiration with Nagios http://www.vitadiunsysadmin.net/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/ - [...]</p> <div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('39284','Bookmarks about Informatica'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('39284','Bookmarks about Informatica','<p>[...] - bookmarked by 2 members originally found by silvertear23 on 2009-04-01 Monitoring SSL certificate expiration with Nagios http:\/\/www.vitadiunsysadmin.net\/2008\/07\/17\/monitoring-ssl-certificate-expiration-with-nagios\/ - [...]<\/p>\n'); return false;">Quote</a></div> [...] – bookmarked by 2 members originally found by silvertear23 on 2009-04-01 Monitoring SSL certificate expiration with Nagios http://www.vitadiunsysadmin.net/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/ – [...]

ReplyQuote
]]> Di: Recent URLs tagged Nagios - Urlrecorder http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-35781 Recent URLs tagged Nagios - Urlrecorder Mon, 09 Feb 2009 02:01:08 +0000 http://blog.angelofailla.com/?p=873#comment-35781 <p>[...] Recent public urls tagged "nagios" → Monitoring SSL certificate expiration with Nagios [...]</p> <div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('35781','Recent URLs tagged Nagios - Urlrecorder'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('35781','Recent URLs tagged Nagios - Urlrecorder','<p>[...] Recent public urls tagged \"nagios\" → Monitoring SSL certificate expiration with Nagios [...]<\/p>\n'); return false;">Quote</a></div> [...] Recent public urls tagged “nagios” → Monitoring SSL certificate expiration with Nagios [...]

ReplyQuote
]]> Di: pallotron http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-28091 pallotron Sat, 19 Jul 2008 07:50:42 +0000 http://blog.angelofailla.com/?p=873#comment-28091 <p>si ok, rimane il fatto che pero' io li non posso mettere altri binari :P</p> <p>sembri quasi il mio collega <b>polacchio!</b> :D</p> <div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('28091','pallotron'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('28091','pallotron','<p>si ok, rimane il fatto che pero\' io li non posso mettere altri binari :P<\/p>\n\n<p>sembri quasi il mio collega <b>polacchio!<\/b> :D<\/p>\n'); return false;">Quote</a></div> si ok, rimane il fatto che pero’ io li non posso mettere altri binari :P

sembri quasi il mio collega polacchio! :D

ReplyQuote
]]> Di: Angelo http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-28088 Angelo Sat, 19 Jul 2008 05:38:11 +0000 http://blog.angelofailla.com/?p=873#comment-28088 <p>check http in effetti controlla di default la porta https (443), ma con il parametro -p ovviamente si può deviare verso qualsiasi porta quindi ad esempio: /usr/lib/nagios/plugins/check<em>http www.verisign.com -C 14 -p 80 CRITICAL - Cannot make SSL connection 5888:error:140770FC:SSL routines:SSL23</em>GET<em>SERVER</em>HELLO:unknown protocol:s23_clnt.c:583: CRITICAL - Cannot retrieve server certificate.</p> <div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('28088','Angelo'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('28088','Angelo','<p>check http in effetti controlla di default la porta https (443), ma con il parametro -p ovviamente si può deviare verso qualsiasi porta quindi ad esempio:\n\/usr\/lib\/nagios\/plugins\/check<em>http www.verisign.com -C 14 -p 80\nCRITICAL - Cannot make SSL connection\n5888:error:140770FC:SSL routines:SSL23<\/em>GET<em>SERVER<\/em>HELLO:unknown protocol:s23_clnt.c:583:\nCRITICAL - Cannot retrieve server certificate.<\/p>\n'); return false;">Quote</a></div> check http in effetti controlla di default la porta https (443), ma con il parametro -p ovviamente si può deviare verso qualsiasi porta quindi ad esempio:
/usr/lib/nagios/plugins/checkhttp http://www.verisign.com -C 14 -p 80
CRITICAL – Cannot make SSL connection
5888:error:140770FC:SSL routines:SSL23GETSERVERHELLO:unknown protocol:s23_clnt.c:583:
CRITICAL – Cannot retrieve server certificate.

Replyhttp://www.verisign.com -C 14 -p 80\nCRITICAL – Cannot make SSL connection\n5888:error:140770FC:SSL routines:SSL23<\/em>GET<em>SERVER<\/em>HELLO:unknown protocol:s23_clnt.c:583:\nCRITICAL – Cannot retrieve server certificate.<\/p>\n’); return false;”>Quote
]]> Di: pallotron http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-28074 pallotron Fri, 18 Jul 2008 21:30:35 +0000 http://blog.angelofailla.com/?p=873#comment-28074 <p>ah talaltro check_http funziona solo con https... guarda:</p> <pre> fenix# ./check_http -w 5 -c 10 --ssl -H mail.dyne.org -C 10 OK - Certificate will expire on 02/04/2009 19:45 </pre> <p>ma tcpdump dice:</p> <pre> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes 23:48:17.876656 IP fenix.olocolors.org.54234 > tamarindo.dyne.org.https: S 2542887467:2542887467(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1289231354 0,sackOK,eol> </pre> <p>quindi non ho scritto proprio qualcosa di inutile...</p> <div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('28074','pallotron'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('28074','pallotron','<p>ah talaltro check_http funziona solo con https... guarda:<\/p>\n\n<pre>\r\nfenix# .\/check_http -w 5 -c 10 --ssl -H mail.dyne.org -C 10\r\nOK - Certificate will expire on 02\/04\/2009 19:45\r\n<\/pre>\n\n<p>ma tcpdump dice:<\/p>\n\n<pre>\ntcpdump: verbose output suppressed, use -v or -vv for full protocol decode\nlistening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes\n23:48:17.876656 IP fenix.olocolors.org.54234 > tamarindo.dyne.org.https: S 2542887467:2542887467(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1289231354 0,sackOK,eol>\n<\/pre>\n\n<p>quindi non ho scritto proprio qualcosa di inutile...<\/p>\n'); return false;">Quote</a></div> ah talaltro check_http funziona solo con https… guarda:

fenix# ./check_http -w 5 -c 10 --ssl -H mail.dyne.org -C 10
OK - Certificate will expire on 02/04/2009 19:45

ma tcpdump dice:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on fxp0, link-type EN10MB (Ethernet), capture size 96 bytes
23:48:17.876656 IP fenix.olocolors.org.54234 > tamarindo.dyne.org.https: S 2542887467:2542887467(0) win 65535

quindi non ho scritto proprio qualcosa di inutile…

ReplyQuote
]]> Di: Ale http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-28073 Ale Fri, 18 Jul 2008 21:26:09 +0000 http://blog.angelofailla.com/?p=873#comment-28073 <p>Ah, adesso ho visto dove sta l'icona del rss...lol</p> <div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('28073','Ale'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('28073','Ale','<p>Ah, adesso ho visto dove sta l\'icona del rss...lol<\/p>\n'); return false;">Quote</a></div> Ah, adesso ho visto dove sta l’icona del rss…lol

ReplyQuote
]]> Di: pallotron http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-28071 pallotron Fri, 18 Jul 2008 21:24:00 +0000 http://blog.angelofailla.com/?p=873#comment-28071 <p>ok thanks, il problema e' che nell'ambiente io cui lavoravo io c'e' una versione dei plugin nagios purgata di tutto. e check_http e' un binario C compilato, che in quella installazione non esiste :D</p> <p>quindi cari lettori, dite grazie al mio omonimo. comunque per dare un servizio migliore ai lettori il comando giusto e' per esempio:</p> <pre> fenix# ./check_http -w 5 -c 10 --ssl -Hwww.verisign.com -C 10 OK - Certificate will expire on 05/08/2009 23:59. </pre> <p>dove C indica il numero di giorni.</p> <blockquote> This plugin can also check whether an SSL enabled web server is able to serve content (optionally within a specified time) or whether the X509 certificate is still valid for the specified number of days. Examples: CHECK CONTENT: check_http -w 5 -c 10 --ssl -H www.verisign.com When the 'www.verisign.com' server returns its content within 5 seconds, a STATE_OK will be returned. When the server returns its content but exceeds the 5-second threshold, a STATE_WARNING will be returned. When an error occurs, a STATE_CRITICAL will be returned. CHECK CERTIFICATE: check_http -H www.verisign.com -C 14 When the certificate of 'www.verisign.com' is valid for more than 14 days, a STATE_OK is returned. When the certificate is still valid, but for less than 14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when the certificate is expired. </blockquote> <div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('28071','pallotron'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('28071','pallotron','<p>ok thanks,\nil problema e\' che nell\'ambiente io cui lavoravo io c\'e\' una versione dei plugin nagios purgata di tutto. e check_http e\' un binario C compilato, che in quella installazione non esiste :D<\/p>\n\n<p>quindi cari lettori, dite grazie al mio omonimo.\ncomunque per dare un servizio migliore ai lettori il comando giusto e\' per esempio:<\/p>\n\n<pre>\r\nfenix# .\/check_http -w 5 -c 10 --ssl -Hwww.verisign.com -C 10\r\nOK - Certificate will expire on 05\/08\/2009 23:59.\r\n<\/pre>\n\n<p>dove C indica il numero di giorni.<\/p>\n\n<blockquote>\nThis plugin can also check whether an SSL enabled web server is able to serve content (optionally within a specified time) or whether the X509 certificate is still valid for the specified number of days.\nExamples: \n\nCHECK CONTENT: check_http -w 5 -c 10 --ssl -H www.verisign.com\n\nWhen the \'www.verisign.com\' server returns its content within 5 seconds, a STATE_OK will be returned. When the server returns its content but exceeds the 5-second threshold, a STATE_WARNING will be returned. When an error occurs, a STATE_CRITICAL will be returned.\n\nCHECK CERTIFICATE: check_http -H www.verisign.com -C 14\n\nWhen the certificate of \'www.verisign.com\' is valid for more than 14 days, a STATE_OK is returned. When the certificate is still valid, but for less than 14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when the certificate is expired.\n<\/blockquote>\n'); return false;">Quote</a></div> ok thanks,
il problema e’ che nell’ambiente io cui lavoravo io c’e’ una versione dei plugin nagios purgata di tutto. e check_http e’ un binario C compilato, che in quella installazione non esiste :D

quindi cari lettori, dite grazie al mio omonimo.
comunque per dare un servizio migliore ai lettori il comando giusto e’ per esempio:

fenix# ./check_http -w 5 -c 10 --ssl -Hwww.verisign.com -C 10
OK - Certificate will expire on 05/08/2009 23:59.

dove C indica il numero di giorni.

This plugin can also check whether an SSL enabled web server is able to serve content (optionally within a specified time) or whether the X509 certificate is still valid for the specified number of days.
Examples:

CHECK CONTENT: check_http -w 5 -c 10 –ssl -H http://www.verisign.com

When the ‘www.verisign.com’ server returns its content within 5 seconds, a STATE_OK will be returned. When the server returns its content but exceeds the 5-second threshold, a STATE_WARNING will be returned. When an error occurs, a STATE_CRITICAL will be returned.

CHECK CERTIFICATE: check_http -H http://www.verisign.com -C 14

When the certificate of ‘www.verisign.com’ is valid for more than 14 days, a STATE_OK is returned. When the certificate is still valid, but for less than 14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when the certificate is expired.

Replyhttp://www.verisign.com\n\nWhen the \’www.verisign.com\’ server returns its content within 5 seconds, a STATE_OK will be returned. When the server returns its content but exceeds the 5-second threshold, a STATE_WARNING will be returned. When an error occurs, a STATE_CRITICAL will be returned.\n\nCHECK CERTIFICATE: check_http -H http://www.verisign.com -C 14\n\nWhen the certificate of \’www.verisign.com\’ is valid for more than 14 days, a STATE_OK is returned. When the certificate is still valid, but for less than 14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when the certificate is expired.\n<\/blockquote>\n’); return false;”>Quote
]]> Di: Angelo http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-28070 Angelo Fri, 18 Jul 2008 21:04:00 +0000 http://blog.angelofailla.com/?p=873#comment-28070 <p>Veramente il check del certificato lo fa il check<em>http standard di Nagios :) basta fare check</em>http --help e viene fuori:</p> <p>check_http -w 5 -c 10 --ssl www.verisign.com</p> <div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('28070','Angelo'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('28070','Angelo','<p>Veramente il check del certificato lo fa il check<em>http standard di Nagios :) basta fare check<\/em>http --help e viene fuori:<\/p>\n\n<p>check_http -w 5 -c 10 --ssl www.verisign.com<\/p>\n'); return false;">Quote</a></div> Veramente il check del certificato lo fa il checkhttp standard di Nagios :) basta fare checkhttp –help e viene fuori:

check_http -w 5 -c 10 –ssl http://www.verisign.com

Replyhttp://www.verisign.com&lt;\/p>\n’); return false;”>Quote
]]> Di: pallotron http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-28069 pallotron Fri, 18 Jul 2008 20:10:13 +0000 http://blog.angelofailla.com/?p=873#comment-28069 <p>RISPOSTA ALL'OT: ah cettu! cu cu sta parannu! :D</p> <div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('28069','pallotron'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('28069','pallotron','<p>RISPOSTA ALL\'OT: ah cettu! cu cu sta parannu! :D<\/p>\n'); return false;">Quote</a></div> RISPOSTA ALL’OT: ah cettu! cu cu sta parannu! :D

ReplyQuote
]]> Di: barbylucedistelle http://blog.angelofailla.com/2008/07/17/monitoring-ssl-certificate-expiration-with-nagios/comment-page-1/#comment-28067 barbylucedistelle Fri, 18 Jul 2008 19:26:48 +0000 http://blog.angelofailla.com/?p=873#comment-28067 <p>OT: direi che cambiare il server fu proprio una idea azzeccata</p> <div class="comment-remix-meta"><a href="#" class="replyto" onclick="replyto('28067','barbylucedistelle'); return false;">Reply</a> - <a href="#" class="quote" onclick="quote('28067','barbylucedistelle','<p>OT: direi che cambiare il server fu proprio una idea azzeccata<\/p>\n'); return false;">Quote</a></div> OT: direi che cambiare il server fu proprio una idea azzeccata

ReplyQuote
]]>