Check_http and client certificates

mach_awi · January 17, 2022, 8:56am

Hello all,

I am a newbie in checkmk, but not to monitoring as such. My question is regarding client-certificates and the check_http-Plugin. I have found this post from 2017: [Check_mk (english)] HTTP check - How to configure https client certificate Sadly, I do not understand how this is helping me.

My scenario: I have multiple hosts where the applicaiton server requires client certificate authentication, even for the monitoring endpoints. In this case, a SpringBoot - Application in a Wildfly. The endpoint is the Spring Boot health actuator, same port and “interface” as the application itself)…

Am I to duplicate the check_http - Plugin in /usr/lib/check_mk_agent/pluginsfor each endpoint and hardwire the client certificate into the cloned plugin?

Please help and have a bit of patience with me.

Greets and thanks a lot!
André

kdeutsch · January 17, 2022, 9:00am

Hi,
have a look at this article: https://checkmk.com/blog/how-to-monitor-web-server

Karl

mach_awi · January 17, 2022, 10:31am

Hello again,

thanks for the reply. I have understood how to monitor certificates and certificate expiry on the server side. Either I did not find my question answered in the article or it has not been answered there. My use case is mutual authentication via client certificate (explained here, for instance: What Is Client Certificate Authentication?).

So I would have to make sure checkmk-server has the client certificate files in some kind of keystore. And I would have to define the alias of the client certificate to be used for each of the endpoints to be called in my monitoring plugin, i.e. check_http…

I hope this clarifies my scenario a bit better.

Greets and thanks
André

andreas-doehler · January 17, 2022, 10:51am

The sslcertificates will not help in this case.

@mach_awi is right at the moment there is no really good solution to check a HTTPS connection with client certificate authentication.
I found a small script what does it in an really easy way.
Zenoss or Nagios monitoring of HTTPS using client certificate authentication – Russell Ballestrini
The client certificate must be available as an file.

mach_awi · January 17, 2022, 5:36pm

@andreas-doehler Thanks a lot, we will check this out. Not what I hoped for, but it will do the job.

Greets and thanks
André