We need to monitor all of our SSL certs with warnings going out at the 2 month to expire mark and critical in the 1 month to expire mark.
Any update on this?
You can use check_http from Nagios Plugins with the --certificate option. But the critical threshold is not adjustable. The state is critical, if the certificate expired.
If it's useful,
{{{ echo "" | openssl s_client -connect fedoraproject.org:443 2> /dev/null | openssl x509 -noout -enddate }}}
can be used to get the expiration date for a website.
I guess it's a good idea to get a list of what hosts we need to test:
I'll see what I can do to implement this into Zabbix.
5 out of 6 are monitored in Zabbix, as you can see here:
https://admin.fedoraproject.org/zabbix/tr_status.php?groupid=0&hostid=183&fullscreen=0 (make sure to remove the filter that only shows problems)
Koji does not work yet as we need dgilmore's approval of importing the koji certificate onto the noc1 openssl installation.
Koji is now also monitored in Zabbix, so this ticket can be closed.
Put this in nagios ASAP.
I've gotten alerts on this recently, so it looks like it's there, just a matter of making sure we're not missing any certs - anybody want to work up a list of certs we need to monitor?
from a git-grep:
wildcard.fedoraproject.org fedoraproject.org fedorahosted.org
self signed, but perhaps should monitor anyhow: pkgs.fedoraproject.org koji.fedoraproject.org
In nagios we have:
check_command check_ssl_cert!admin.fedoraproject.org!60 (this is the wildcard cert) check_command check_ssl_cert!fedoraproject.org!60 check_command check_ssl_cert!fedorahosted.org!60 check_command check_ssl_cert!translate.fedoraproject.org!60 (this is the wildcard cert)
So, it looks like the only ones not covered are the koji and pkgs ones, both of which are self signed and expire in 2020 and 2018. ;)
Should we monitor them? Or close this?
This service works in these two servers too:
[rafaelgomes@noc01 plugins]$ ./check_http -H koji.fedoraproject.org -C 60 OK - Certificate will expire on 08/18/2018 15:17.
[rafaelgomes@noc01 plugins]$ ./check_http -H pkgs.fedoraproject.org -C 60 OK - Certificate will expire on 07/24/2020 16:12.
I will write a patch to add that.
Services added successfully
Login to comment on this ticket.