SSL Monitoring - Help needed

Hello,

Can anyone help with setting up SSL Monitoring? I have downloaded - SSL-Certificates - Checkmk Exchange

Installed the agent and put the file in the ProgramData folder; when I run service discovery it pulls through SSL Certificates.

I have created a folder for hosts that I want to monitor specific certs on. I have created a rule for “Parameters for SSL Certificates”, added some values and explicit conditions selecting my new SSL folder.
I have also ticked the “certificate File” and entered some names of the certificates I want to monitor, but on my devices I still don’t see any “active checks”.

From reading online I think I may need to configure a “check certificates” under the HTTP, TCP, Email…
When I look to set this up it requires me to choose a specific host/IP. I want to assign this to my SSL folder so any hosts that get dropped into this folder get monitored with specific certificates set in the “Parameters for SSL”, otherwise I’ll have to manually edit the “check certificates” rule and add new hosts every time.

Hi Jess,

Welcome to the forum! You might want to read this article on the certificate monitoring that already is integrated in Checkmk:

If something is unclear, just ask in this thread.

Hey Mattias,

Thanks for the response! I just set it up as per those instructions but I am getting a critical state on the sensor: “Failed to lookup address information temporary failure in name resolution”.

Also, by using this method instead of the “parameters for SSL Certificates” I can’t target specific certs? What I’m basically trying to achieve is monitoring on some wildcard certificates stored in the certificate store of some servers. These are stored in Certificates > Local Computer > Personal > Certificates > Target specific certificate expiry

When you are monitoring wildcard certificates with the active check, you might want to first set the IP address of each host you monitor and then create unique rules for each host. Then in the rule configuration add an endpoint for each host name you want to have checked. Change the host name field from the suggestion $HOSTNAME$ to one of the hostnames covered by the certificate. This way you monitor the certificate expiry and that the host name is allowed for this certificate.

I will update the blog article in time for the final stop of Let's Encrypt sending expiration emails. I also have some hosts that serve like 20 virtual hosts and the machine name is not part of the certificate there…
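
The point made in the reply above (check a name the wildcard certificate covers, not the machine name), as an added example that is not part of the original posts and is not Checkmk's own code. It assumes a constructed certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the host names, dates and the 30/14-day thresholds are made up for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample certificate (getpeercert() dict shape); values are made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "notAfter": "Jun 30 12:00:00 2025 GMT",
}


def name_matches(pattern: str, hostname: str) -> bool:
    """'*' is honoured only as the whole left-most label and covers one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans several labels
    if p_labels[0] == "*":
        # Reject overly broad patterns such as "*.com" and empty labels.
        return len(p_labels) > 2 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def check_endpoint(cert, hostname, now, warn_days=30, crit_days=14):
    """Return (state, summary); the thresholds are assumptions for this example."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(san, hostname) for san in sans):
        return "CRIT", f"{hostname} is not covered by: {', '.join(sans)}"
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    days_left = (expires - now).days
    if days_left < crit_days:
        return "CRIT", f"{hostname}: certificate expires in {days_left} days"
    if days_left < warn_days:
        return "WARN", f"{hostname}: certificate expires in {days_left} days"
    return "OK", f"{hostname}: certificate valid for {days_left} more days"


if __name__ == "__main__":
    now = datetime(2025, 6, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed for the demo
    # "srv-web01" stands in for a machine name that is not in the certificate.
    for name in ("srv-web01", "www.example.com", "a.b.example.com"):
        print(name, check_endpoint(SAMPLE_CERT, name, now))
```
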

So just to confirm, what you are suggesting is having the “check certificate” rule for each host and applying it to each host rather than at the folder level? So I have the same rule duplicated X amount of times, with the only difference in the rule being the IP of the host?

I usually try to map hosts in the monitoring as best as possible to real hosts. I will do some screenshots on that topic and what might be an appropriate solution to your needs tomorrow and will then share them here.