Monitoring SSL Certificate Age from a Dummy Host

I’m trying to do something seemingly simple but can’t quite wrap my head around it. Surely someone else has done this, so let’s groupthink this!

I’m trying to set up one of my check_mk servers to act as a proxy to check the SSL certificate age (and potentially some other information) about certificates all throughout our environment. This is spread across a ton of servers and equipment, so I want to create this type of setup.

  1. We have a dummy host in check_mk
  2. We run commands to check a web address, could be any address. For this example, let’s assume it’s https://www.google.com
  3. It returns the SSL certificate age to the dummy host.

The thought process for me right now is that we’d make a rule around checking for an HTTP service, but that’s reliant on the IP given to the host, and fails if there isn’t an IP on that host at all.

What am I missing to help make a dummy host that can just serve as a hub for the server to do these checks and drop them into a dummy host instead?

Thanks!

Some systems, like appliance load balancers, snmptrap these sorts of messages.

What I’m saying is that “your service” could do the same or use syslog or even log message forwarding … to get messages to the event console and do rules to notify based on messages coming in there.

Hi @svieth

I’ve created a host WEBSITES for example.
Machine has no IP,
Agent type is no Agent,
WATO rule HOST Check: Always assume host to be up.

Then the rule “Check connecting to a TCP Port” with the following configured
TCP Port: 443 (or any port if you configured a different port).
Service Description: ^webpage.domain.com SSL Check (or any description you want; the ^ sign replaces whatever this check shows by default. You don’t have to use this of course).
DNS Hostname: webpage.domain.com
SSL Certificate validation: warning and critical in days when you want to get notified.

Explicit hosts: WEBSITES

You can configure a rule for each website or port you want to check.

Kind regards,
Erik

I’m not sure we’re looking to get fancy, and at least at this point, we haven’t. BUT, there’s still one minor catch I’m working on. I found a good plugin and I’m using it on the “Classical Active and Passive Check” route. The command is:

/omd/sites/mysite/local/lib/nagios/plugins/check_ssl_cert -H $HOSTNAME$ --sni $HOSTNAME$

However, when I try to replace mysite with $USER or $OMD_SITE, the check just fails; the idea being that it will work on any site of our multi-site setup. Wrapping the variable in $USER$ or $OMD_SITE$ doesn’t help here either.

What am I missing in the syntax? I sense it’s something silly.

See here for a discussion on the available variables.

But in this case, just leave out the path and call the binary with its filename only.

You’re probably missing the online help :wink:
Click on the book icon in the top right to turn it on. For the “Command line” parameter in an active check, it says:

Please enter the complete shell command including path name and arguments to execute. If the plugin you like to execute is located in either ~/local/lib/nagios/plugins or ~/lib/nagios/plugins within your site directory, you can strip the path name and just configure the plugin file name as command check_foobar.

But if you use SNI to request a specific certificate, then can’t you just use the built-in https active check?

Check HTTP/HTTPS service using the plugin check_http from the standard Monitoring Plugins. This plugin tests the HTTP service on the specified host. It can test normal (HTTP) and secure (HTTPS) servers, follow redirects, search for strings and regular expressions, check connection times, and report on certificate expiration times.

On the syntax, yeah, that’s a “duh”, use the ~ instead of the full path to run it. Working more universally now.

As for the test, we found that check_ssl_cert checks more for us across the entire certificate chain, plus it proved to be the easiest way to set up a host w/o an IP address or ping and then attach a command to it. Probably six of one and half a dozen of the other, but it’s what we found as the best way to do it.
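For anyone taking the “Classical Active and Passive Check” route with their own plugin, here is an added example (not the check_ssl_cert plugin and not Checkmk’s built-in check) of the minimal version: connect with SNI, read the leaf certificate’s notAfter, and exit with the Nagios OK/WARNING/CRITICAL code plus perfdata. The host names and the 30/7 day thresholds are assumptions.

```python
"""Nagios-style active check: days until a TLS certificate expires.
Constructed example for this thread, not check_ssl_cert or Checkmk's built-in check;
connects with SNI like the command line above, so the checking host needs no IP of its own."""
import argparse
import socket
import ssl
import sys
from datetime import datetime, timezone

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios plugin exit codes (3 = UNKNOWN, unused here)

def parse_not_after(not_after):
    """Turn getpeercert()'s notAfter string ('Jun  1 12:00:00 2025 GMT') into an aware datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)

def fetch_not_after(host, port=443, sni=None, timeout=10.0):
    """Connect with TLS (verifying the chain and the SNI name) and return the leaf cert's expiry."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return parse_not_after(tls.getpeercert()["notAfter"])

def evaluate(not_after, warn_days, crit_days, now=None):
    """Map days remaining onto a plugin state; the message carries perfdata for graphing."""
    now = now or datetime.now(timezone.utc)
    days_left = (not_after - now).total_seconds() / 86400
    if days_left <= crit_days:
        state = CRITICAL
    elif days_left <= warn_days:
        state = WARNING
    else:
        state = OK
    label = ("OK", "WARNING", "CRITICAL")[state]
    when = f"expired {-days_left:.1f} days ago" if days_left < 0 else f"expires in {days_left:.1f} days"
    msg = f"{label} - certificate {when} ({not_after:%Y-%m-%d}) | days_left={days_left:.1f};{warn_days};{crit_days}"
    return state, msg

if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("-H", "--host", required=True)
    ap.add_argument("-p", "--port", type=int, default=443)
    ap.add_argument("--sni", help="name sent in SNI and verified against; defaults to -H")
    ap.add_argument("-w", type=int, default=30, help="warning when this many days or fewer remain")
    ap.add_argument("-c", type=int, default=7, help="critical when this many days or fewer remain")
    a = ap.parse_args()
    try:
        code, text = evaluate(fetch_not_after(a.host, a.port, a.sni), a.w, a.c)
    except (ssl.SSLError, OSError) as exc:  # failed validation, refused connection, timeout
        code, text = CRITICAL, f"CRITICAL - TLS handshake failed: {exc}"
    print(text)
    sys.exit(code)
```

Unlike check_ssl_cert as described above, this reports only the leaf certificate’s expiry; the default context still verifies the chain and the SNI name, so a broken chain or name mismatch surfaces as CRITICAL rather than as a misleading days count.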
