[Check_mk (english)] WATO: Check for SSL Certificate Age (HTTP, FTP et al) should allow setting CRIT and WARN levels

gregor.hoffleit · November 10, 2015, 4:00pm

There are a couple of active checks that allow to check the age of a SSL certificate (for HTTP, FTP, TCP and SMTP).

WATO currently only configures a single threshold, that makes the check CRITICAL if the validity of the certificate is shorter than this value.

All the four nagios plugins, though, also support a second threshold that issues a WARNING first.

0002-warn-for-cert_days.patch (1.78 KB)

0001-warn-for-cert_days.patch (4.76 KB)

···

--------------------------------------------------------------------------------
check_smtp, check_tcp, check_ftp:

   -D, --certificate=INTEGER[,INTEGER]
      Minimum number of days a certificate has to be valid.
      1st is #days for warning, 2nd is critical (if not specified - 0).
--------------------------------------------------------------------------------
check_http:

-C, --certificate=INTEGER[,INTEGER]
Minimum number of days a certificate has to be valid. Port defaults to 443
(when this option is used the URL is not checked.)

...
CHECK CERTIFICATE: check_http -H www.verisign.com -C 14

   When the certificate of 'www.verisign.com' is valid for more than 14 days,
   a STATE_OK is returned. When the certificate is still valid, but for less than
   14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when
   the certificate is expired.

CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14

   When the certificate of 'www.verisign.com' is valid for more than 30 days,
   a STATE_OK is returned. When the certificate is still valid, but for less than
   30 days, but more than 14 days, a STATE_WARNING is returned.
   A STATE_CRITICAL will be returned when certificate expires in less than 14 days
--------------------------------------------------------------------------------

The attached patches would change WATO to expect two values for "cert_days", for a WARNING and for a CRITICAL threshold, and would change the four Check_MK checks to use both values with the plugins.

Problem is: This is an incompatible change of "cert_days" (from a single integer to a tuple); WATO will complain that it is not able to understand the old configuration.

Is there a way to implement such a change in a smooth way?

Best regards,
Gregor Hoffleit

--
MediaSupervision Software Consulting GmbH - www.mediasupervision.de
Niederlassung: Carl-Theodor-Str. 5, 68723 Schwetzingen
Tel: +49 (0)6221 705079-22, E-Mail: gregor.hoffleit@mediasupervision.de
Hauptsitz: Georg-Friedrich-Händel-Str. 13, 69214 Eppelheim / Heidelberg
Amtsgericht Mannheim HRB 336821; Geschäftsführer: Reinhard Kratzke

mace · November 10, 2015, 4:50pm

Hi,
the warning option was already adopted for check_http:

https://mathias-kettner.de/check_mk_werks.php?werk_id=1951&HTML=yes

Bye
Matthias

···

-----Ursprüngliche Nachricht-----
Von: checkmk-en-bounces@lists.mathias-kettner.de [mailto:checkmk-en-bounces@lists.mathias-kettner.de] Im Auftrag von Gregor Hoffleit
Gesendet: Dienstag, 10. November 2015 17:01
An: feedback <feedback@check-mk.org>
Cc: checkmk-en@lists.mathias-kettner.de
Betreff: [Check_mk (english)] WATO: Check for SSL Certificate Age (HTTP, FTP et al) should allow setting CRIT *and* WARN levels

There are a couple of active checks that allow to check the age of a SSL certificate (for HTTP, FTP, TCP and SMTP).

WATO currently only configures a single threshold, that makes the check CRITICAL if the validity of the certificate is shorter than this value.

All the four nagios plugins, though, also support a second threshold that issues a WARNING first.

--------------------------------------------------------------------------------
check_smtp, check_tcp, check_ftp:

   -D, --certificate=INTEGER[,INTEGER]
      Minimum number of days a certificate has to be valid.
      1st is #days for warning, 2nd is critical (if not specified - 0).
--------------------------------------------------------------------------------
check_http:

-C, --certificate=INTEGER[,INTEGER]
Minimum number of days a certificate has to be valid. Port defaults to 443
(when this option is used the URL is not checked.)

...
CHECK CERTIFICATE: check_http -H www.verisign.com -C 14

   When the certificate of 'www.verisign.com' is valid for more than 14 days,
   a STATE_OK is returned. When the certificate is still valid, but for less than
   14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when
   the certificate is expired.

CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14

   When the certificate of 'www.verisign.com' is valid for more than 30 days,
   a STATE_OK is returned. When the certificate is still valid, but for less than
   30 days, but more than 14 days, a STATE_WARNING is returned.
   A STATE_CRITICAL will be returned when certificate expires in less than 14 days
--------------------------------------------------------------------------------

The attached patches would change WATO to expect two values for "cert_days", for a WARNING and for a CRITICAL threshold, and would change the four Check_MK checks to use both values with the plugins.

Problem is: This is an incompatible change of "cert_days" (from a single integer to a tuple); WATO will complain that it is not able to understand the old configuration.

Is there a way to implement such a change in a smooth way?

Best regards,
Gregor Hoffleit

--
MediaSupervision Software Consulting GmbH - www.mediasupervision.de
Niederlassung: Carl-Theodor-Str. 5, 68723 Schwetzingen
Tel: +49 (0)6221 705079-22, E-Mail: gregor.hoffleit@mediasupervision.de
Hauptsitz: Georg-Friedrich-Händel-Str. 13, 69214 Eppelheim / Heidelberg Amtsgericht Mannheim HRB 336821; Geschäftsführer: Reinhard Kratzke

gregor.hoffleit · November 11, 2015, 1:43pm

Dear Matthias,

thanks for the hint! I should have checked Git trunk as usual.

The commit c236b1d6c0182b9d169d30015340c170ac5d58f1 also answers my question regarding the transformation from integer to tuple: To implement the transformation of old values, active_checks.py got a function "transform_check_http_cert_days()"

    # cert_days was only an integer for warning level until version 1.2.7
    def transform_check_http_cert_days(cert_days):
        if type(cert_days) != tuple:
            cert_days = (cert_days, 0)
        return cert_days

and "cert_days" is wrapped into a "Transform".

In noticed, though, this this is only implemented for check_http, not yet for check_ftp, check_tcp nor check_smtp.

Regards,
Gregor

···

--
MediaSupervision Software Consulting GmbH - www.mediasupervision.de
Niederlassung: Carl-Theodor-Str. 5, 68723 Schwetzingen
Tel: +49 (0)6221 705079-22, E-Mail: gregor.hoffleit@mediasupervision.de
Hauptsitz: Georg-Friedrich-Händel-Str. 13, 69214 Eppelheim / Heidelberg
Amtsgericht Mannheim HRB 336821; Geschäftsführer: Reinhard Kratzke

----- Ursprüngliche Mail -----
Von: "Matthias Haehnel" <matthias.haehnel@sixt.com>
An: "checkmk-en" <checkmk-en@lists.mathias-kettner.de>
Gesendet: Dienstag, 10. November 2015 17:50:13
Betreff: Re: [Check_mk (english)] WATO: Check for SSL Certificate Age (HTTP, FTP et al) should allow setting CRIT *and* WARN levels

Hi,
the warning option was already adopted for check_http:

https://mathias-kettner.de/check_mk_werks.php?werk_id=1951&HTML=yes

Bye
Matthias

-----Ursprüngliche Nachricht-----
Von: checkmk-en-bounces@lists.mathias-kettner.de [mailto:checkmk-en-bounces@lists.mathias-kettner.de] Im Auftrag von Gregor Hoffleit
Gesendet: Dienstag, 10. November 2015 17:01
An: feedback <feedback@check-mk.org>
Cc: checkmk-en@lists.mathias-kettner.de
Betreff: [Check_mk (english)] WATO: Check for SSL Certificate Age (HTTP, FTP et al) should allow setting CRIT *and* WARN levels

There are a couple of active checks that allow to check the age of a SSL certificate (for HTTP, FTP, TCP and SMTP).

WATO currently only configures a single threshold, that makes the check CRITICAL if the validity of the certificate is shorter than this value.

All the four nagios plugins, though, also support a second threshold that issues a WARNING first.

--------------------------------------------------------------------------------
check_smtp, check_tcp, check_ftp:

   -D, --certificate=INTEGER[,INTEGER]
      Minimum number of days a certificate has to be valid.
      1st is #days for warning, 2nd is critical (if not specified - 0).
--------------------------------------------------------------------------------
check_http:

-C, --certificate=INTEGER[,INTEGER]
Minimum number of days a certificate has to be valid. Port defaults to 443
(when this option is used the URL is not checked.)

...
CHECK CERTIFICATE: check_http -H www.verisign.com -C 14

   When the certificate of 'www.verisign.com' is valid for more than 14 days,
   a STATE_OK is returned. When the certificate is still valid, but for less than
   14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when
   the certificate is expired.

CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14

   When the certificate of 'www.verisign.com' is valid for more than 30 days,
   a STATE_OK is returned. When the certificate is still valid, but for less than
   30 days, but more than 14 days, a STATE_WARNING is returned.
   A STATE_CRITICAL will be returned when certificate expires in less than 14 days
--------------------------------------------------------------------------------

The attached patches would change WATO to expect two values for "cert_days", for a WARNING and for a CRITICAL threshold, and would change the four Check_MK checks to use both values with the plugins.

Problem is: This is an incompatible change of "cert_days" (from a single integer to a tuple); WATO will complain that it is not able to understand the old configuration.

Is there a way to implement such a change in a smooth way?

Best regards,
Gregor Hoffleit

--
MediaSupervision Software Consulting GmbH - www.mediasupervision.de
Niederlassung: Carl-Theodor-Str. 5, 68723 Schwetzingen
Tel: +49 (0)6221 705079-22, E-Mail: gregor.hoffleit@mediasupervision.de
Hauptsitz: Georg-Friedrich-Händel-Str. 13, 69214 Eppelheim / Heidelberg Amtsgericht Mannheim HRB 336821; Geschäftsführer: Reinhard Kratzke
_______________________________________________
checkmk-en mailing list
checkmk-en@lists.mathias-kettner.de
http://lists.mathias-kettner.de/mailman/listinfo/checkmk-en

gregor.hoffleit · November 11, 2015, 3:59pm

Werk #1951 implemented configuration of both a warning and a critical limit for certificate age for check_http.

The attached patch implements this for check_tcp, check_ftp and check_smtp as well.

It is based on the commits c236b1d6c0182b9d169d30015340c170ac5d58f1 and 895649cd52521030fe68da8a4d749a3fd2f50569.

Best regards,
Gregor Hoffleit

----- Ursprüngliche Mail -----

0001-FIX-check_tcp-check_smtp-check_ftp-allow-warning-for.patch (6.93 KB)

···

Von: "Gregor Hoffleit" <gregor.hoffleit@mediasupervision.de>
An: "feedback" <feedback@check-mk.org>
CC: "checkmk-en" <checkmk-en@lists.mathias-kettner.de>
Gesendet: Dienstag, 10. November 2015 17:00:47
Betreff: [Check_mk (english)] WATO: Check for SSL Certificate Age (HTTP, FTP et al) should allow setting CRIT *and* WARN levels

There are a couple of active checks that allow to check the age of a SSL certificate (for HTTP, FTP, TCP and SMTP).

WATO currently only configures a single threshold, that makes the check CRITICAL if the validity of the certificate is shorter than this value.

All the four nagios plugins, though, also support a second threshold that issues a WARNING first.

--------------------------------------------------------------------------------
check_smtp, check_tcp, check_ftp:

   -D, --certificate=INTEGER[,INTEGER]
      Minimum number of days a certificate has to be valid.
      1st is #days for warning, 2nd is critical (if not specified - 0).
--------------------------------------------------------------------------------
check_http:

-C, --certificate=INTEGER[,INTEGER]
Minimum number of days a certificate has to be valid. Port defaults to 443
(when this option is used the URL is not checked.)

...
CHECK CERTIFICATE: check_http -H www.verisign.com -C 14

   When the certificate of 'www.verisign.com' is valid for more than 14 days,
   a STATE_OK is returned. When the certificate is still valid, but for less than
   14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when
   the certificate is expired.

CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14

   When the certificate of 'www.verisign.com' is valid for more than 30 days,
   a STATE_OK is returned. When the certificate is still valid, but for less than
   30 days, but more than 14 days, a STATE_WARNING is returned.
   A STATE_CRITICAL will be returned when certificate expires in less than 14 days
--------------------------------------------------------------------------------

The attached patches would change WATO to expect two values for "cert_days", for a WARNING and for a CRITICAL threshold, and would change the four Check_MK checks to use both values with the plugins.

Problem is: This is an incompatible change of "cert_days" (from a single integer to a tuple); WATO will complain that it is not able to understand the old configuration.

Is there a way to implement such a change in a smooth way?

Best regards,
Gregor Hoffleit

--
MediaSupervision Software Consulting GmbH - www.mediasupervision.de
Niederlassung: Carl-Theodor-Str. 5, 68723 Schwetzingen
Tel: +49 (0)6221 705079-22, E-Mail: gregor.hoffleit@mediasupervision.de
Hauptsitz: Georg-Friedrich-Händel-Str. 13, 69214 Eppelheim / Heidelberg
Amtsgericht Mannheim HRB 336821; Geschäftsführer: Reinhard Kratzke

_______________________________________________
checkmk-en mailing list
checkmk-en@lists.mathias-kettner.de
http://lists.mathias-kettner.de/mailman/listinfo/checkmk-en
--
MediaSupervision Software Consulting GmbH - www.mediasupervision.de
Niederlassung: Carl-Theodor-Str. 5, 68723 Schwetzingen
Tel: +49 (0)6221 705079-22, E-Mail: gregor.hoffleit@mediasupervision.de
Hauptsitz: Georg-Friedrich-Händel-Str. 13, 69214 Eppelheim / Heidelberg
Amtsgericht Mannheim HRB 336821; Geschäftsführer: Reinhard Kratzke

Mathias_Kettner · April 22, 2016, 10:53am

Hallo Gregor,

vielen Dank für deinen Patch. Leider können wir den so nicht übernehmen. Problem ist,
dass dein Patch bestehende Konfigurationen mit nur einem Schwellwert nicht
berücksichtigt. Dazu braucht man im WATO ein Transform() und in den Checks selbst
die Unterscheidung ob int (alt) oder tuple (neu).

Denkst du, du bekommst das hin?

Viele Grüße,

Mathias

···

Am 10.11.2015 um 17:00 schrieb Gregor Hoffleit:

There are a couple of active checks that allow to check the age of a SSL certificate (for HTTP, FTP, TCP and SMTP).

WATO currently only configures a single threshold, that makes the check CRITICAL if the validity of the certificate is shorter than this value.

All the four nagios plugins, though, also support a second threshold that issues a WARNING first.

--------------------------------------------------------------------------------
check_smtp, check_tcp, check_ftp:

    -D, --certificate=INTEGER[,INTEGER]
       Minimum number of days a certificate has to be valid.
       1st is #days for warning, 2nd is critical (if not specified - 0).
--------------------------------------------------------------------------------
check_http:

  -C, --certificate=INTEGER[,INTEGER]
     Minimum number of days a certificate has to be valid. Port defaults to 443
     (when this option is used the URL is not checked.)

    ...
    CHECK CERTIFICATE: check_http -H www.verisign.com -C 14

    When the certificate of 'www.verisign.com' is valid for more than 14 days,
    a STATE_OK is returned. When the certificate is still valid, but for less than
    14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when
    the certificate is expired.

    CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14

    When the certificate of 'www.verisign.com' is valid for more than 30 days,
    a STATE_OK is returned. When the certificate is still valid, but for less than
    30 days, but more than 14 days, a STATE_WARNING is returned.
    A STATE_CRITICAL will be returned when certificate expires in less than 14 days
--------------------------------------------------------------------------------

The attached patches would change WATO to expect two values for "cert_days", for a WARNING and for a CRITICAL threshold, and would change the four Check_MK checks to use both values with the plugins.

Problem is: This is an incompatible change of "cert_days" (from a single integer to a tuple); WATO will complain that it is not able to understand the old configuration.

Is there a way to implement such a change in a smooth way?

Best regards,
     Gregor Hoffleit

--
Lust auf was Neues? Check_MK-Admins gesucht!
http://mathias-kettner.de/jobs

Mathias Kettner GmbH
Kellerstraße 29, 81667 München, Germany
Registergericht: Amtsgericht München, HRB 165902
Geschäftsführer: Mathias Kettner
http://mathias-kettner.de
Tel. +49 89 1890 435-0
Fax. +49 89 1890 435-29

Mathias_Kettner · April 22, 2016, 11:45am

Hi Gregor,

vergiss meine Mail von vorhin. Ich sehe diesen Patch erst jetzt. Ist quasi als
hättest du meine Antwort von vorhin schon vor drei Monaten bekommen

Habe den Patch jetzt noch geringfügig überarbeitet (vierfach gleiche Funktion
durch eine ersetzt) und aufgenommen:

http://mathias-kettner.de/check_mk_werks.php?werk_id=3420

Viele Grüße und danke für deine Mithilfe!

Mathias

···

Am 11.11.2015 um 16:59 schrieb Gregor Hoffleit:

Werk #1951 implemented configuration of both a warning and a critical limit for certificate age for check_http.

The attached patch implements this for check_tcp, check_ftp and check_smtp as well.

It is based on the commits c236b1d6c0182b9d169d30015340c170ac5d58f1 and 895649cd52521030fe68da8a4d749a3fd2f50569.

Best regards,
     Gregor Hoffleit

----- Ursprüngliche Mail -----
Von: "Gregor Hoffleit" <gregor.hoffleit@mediasupervision.de>
An: "feedback" <feedback@check-mk.org>
CC: "checkmk-en" <checkmk-en@lists.mathias-kettner.de>
Gesendet: Dienstag, 10. November 2015 17:00:47
Betreff: [Check_mk (english)] WATO: Check for SSL Certificate Age (HTTP, FTP et al) should allow setting CRIT *and* WARN levels

There are a couple of active checks that allow to check the age of a SSL certificate (for HTTP, FTP, TCP and SMTP).

WATO currently only configures a single threshold, that makes the check CRITICAL if the validity of the certificate is shorter than this value.

All the four nagios plugins, though, also support a second threshold that issues a WARNING first.

--------------------------------------------------------------------------------
check_smtp, check_tcp, check_ftp:

    -D, --certificate=INTEGER[,INTEGER]
       Minimum number of days a certificate has to be valid.
       1st is #days for warning, 2nd is critical (if not specified - 0).
--------------------------------------------------------------------------------
check_http:

  -C, --certificate=INTEGER[,INTEGER]
     Minimum number of days a certificate has to be valid. Port defaults to 443
     (when this option is used the URL is not checked.)

    ...
    CHECK CERTIFICATE: check_http -H www.verisign.com -C 14

    When the certificate of 'www.verisign.com' is valid for more than 14 days,
    a STATE_OK is returned. When the certificate is still valid, but for less than
    14 days, a STATE_WARNING is returned. A STATE_CRITICAL will be returned when
    the certificate is expired.

    CHECK CERTIFICATE: check_http -H www.verisign.com -C 30,14

    When the certificate of 'www.verisign.com' is valid for more than 30 days,
    a STATE_OK is returned. When the certificate is still valid, but for less than
    30 days, but more than 14 days, a STATE_WARNING is returned.
    A STATE_CRITICAL will be returned when certificate expires in less than 14 days
--------------------------------------------------------------------------------

The attached patches would change WATO to expect two values for "cert_days", for a WARNING and for a CRITICAL threshold, and would change the four Check_MK checks to use both values with the plugins.

Problem is: This is an incompatible change of "cert_days" (from a single integer to a tuple); WATO will complain that it is not able to understand the old configuration.

Is there a way to implement such a change in a smooth way?

Best regards,
     Gregor Hoffleit

--
Lust auf was Neues? Check_MK-Admins gesucht!
http://mathias-kettner.de/jobs

Mathias Kettner GmbH
Kellerstraße 29, 81667 München, Germany
Registergericht: Amtsgericht München, HRB 165902
Geschäftsführer: Mathias Kettner
http://mathias-kettner.de
Tel. +49 89 1890 435-0
Fax. +49 89 1890 435-29