How to Monitor SSL FQDN Match

CMK version:
Checkmk Raw Edition 2.1.0p33
OS version:
CentOS Linux release 7.9.2009 (Core)

How can we get Checkmk to monitor the hostnames of SSL certificates? We’re having an issue where Let’s Encrypt renewal fails and then the site uses the default SSL certificate on the server, which doesn’t match. Then we get clients emailing us that their site is not loading because of the hostname mismatch warning in Chrome, and we are completely blind!

I thought that Check HTTP Service mode SSL age certification would have a state change to warning or similar when the FQDN wouldn’t match. But after testing locally it just tells me: OK - Certificate 'default' will expire on ... )-:

And with mode Check URL there are plenty of options to check for expected strings, but none for the certificate that I could find.

If there’s no solution provided by others, this would be a good one for https://ideas.checkmk.com/


While typing this post, I was also testing a bit more, perhaps a workaround can be found. When FQDN doesn’t match, due to referrer policy strict-origin-when-cross-origin files like js and css are not loaded. So it will fail to load response data, and you can check for that with the Check URL mode. So check for URL domain.tld/css/file.css and when it doesn’t load it might not exist, or otherwise also check for expected strings in response.

But it will be lots of manual labour to have checks made for each website.
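
An added example, not part of the thread and not Checkmk's own code: a local check script that performs a fully verified TLS handshake (with SNI) for each site, so a fallback to the server's default certificate turns that site's service CRIT. The `SITES` list, the service names and all function names are assumptions, as is running it from the agent's local check directory on a host that can reach the sites.

```python
#!/usr/bin/env python3
"""Checkmk local check: does each site serve a certificate valid for its name?"""
import socket
import ssl

# Constructed sample list; replace with the FQDNs you host.
SITES = ["www.example.com", "shop.example.com"]

X509_V_ERR_HOSTNAME_MISMATCH = 62  # OpenSSL verify result code


def classify(exc):
    """Map a handshake outcome (None = success) to (Checkmk state, detail)."""
    if exc is None:
        return 0, "certificate is trusted and matches the hostname"
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        msg = getattr(exc, "verify_message", None) or str(exc)
        if code == X509_V_ERR_HOSTNAME_MISMATCH:
            return 2, "hostname mismatch: " + msg
        # Expired, self-signed or untrusted chain also breaks the site in browsers.
        return 2, "certificate not trusted: " + msg
    return 3, "could not complete TLS handshake: %s" % exc


def probe(host, port=443, timeout=10):
    """Verified handshake against host; return the exception raised, or None."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except OSError as exc:  # ssl.SSLError, timeouts and DNS errors are OSErrors
        return exc


def local_check_line(host, state, detail):
    """One line of local check output: state, service name, no metrics, detail."""
    return '%d "TLS name %s" - %s' % (state, host, detail)


def main():
    for host in SITES:
        state, detail = classify(probe(host))
        print(local_check_line(host, state, detail))


if __name__ == "__main__":
    main()
```

Each entry in `SITES` becomes its own service after discovery, so adding a website means adding one line rather than building a separate HTTP rule.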