
Monitoring SSL certificate lifetime with nagios/icinga

We used to monitor the remaining lifetime of (public) ssl certificates running on the user portal with icinga (1). For that we used the "check_ssl" command with the parameter of tcp-port and the publicly reachable dns address, e.g. "check_http --ssl=1.2+ -p 8443 -C 16 -H userportal.domain.tld", which worked fine up to 9.355.


Since 9.4x came out the check isn't working anymore and the status in icinga returns "CRITICAL - Cannot make SSL connection". I've already tried changing the ssl-version (which was only --ssl before) to TLS1.2, but the problem still exists.


Has anyone a solution for this or the same error since 9.4x? I've tried to contact our Sophos Support Partner, but they didn't know of any changes in 9.4 that could raise the problem.



  • Kevin, some weak ciphers and HMAC algorithms were removed in 9.403. Have you tried updating icinga, as it may be trying to use a deprecated cipher or algorithm?

    Are you testing from the outside or from a device inside your LAN?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    my guess went in the same direction. Unfortunately we actually have no Linux specialist at our company, so I had to ask a withdrawn co-worker if he can take a look at it. I'm actually waiting for a reply from him.


    The test is run via Internet. Indeed we have VPN-tunnels to our customers and most of the checks are running through the tunnels, but the SSL-checks go on the public FQDN for the user-portal which is resolved publicly.

    Cheers

    Kevin

    Regards,

    Kevin

    Sophos CE/CA (XG, UTM, Central Endpoint)
    Gold Partner
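
A check of the kind discussed in this thread, as an added example that is not part of the original posts and is not Sophos or Nagios plugin code: it keeps a failed TLS handshake (for example no shared protocol version or cipher) separate from a certificate that is close to expiry, and reports the negotiated protocol and cipher. The function names and the thresholds (`warn_days=16`, `crit_days=0`) are assumptions.

```python
import socket
import ssl
import time

OK, WARNING, CRITICAL = 0, 1, 2  # Nagios/Icinga plugin exit codes


def evaluate(not_after, warn_days, crit_days, now=None):
    """Map a certificate notAfter string to (exit_code, days_left)."""
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(not_after) - now) // 86400)
    if days_left < crit_days:
        return CRITICAL, days_left
    if days_left < warn_days:
        return WARNING, days_left
    return OK, days_left


def check(host, port, warn_days=16, crit_days=0, timeout=10):
    """Return (exit_code, message); handshake and expiry failures stay distinct."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed policy: TLS 1.2 or newer
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                proto, cipher = tls.version(), tls.cipher()[0]
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Chain, hostname or validity-period problem: the handshake itself worked.
        return CRITICAL, f"certificate rejected: {exc.verify_message}"
    except ssl.SSLError as exc:
        # No shared protocol version or cipher suite ends up here.
        return CRITICAL, f"TLS handshake failed: {exc.reason}"
    except OSError as exc:
        return CRITICAL, f"TCP connection failed: {exc}"
    code, days = evaluate(not_after, warn_days, crit_days)
    return code, f"{days} days left, negotiated {proto} / {cipher}"


if __name__ == "__main__":
    import sys
    code, message = check(sys.argv[1], int(sys.argv[2]))
    print(("OK", "WARNING", "CRITICAL")[code], "-", message)
    sys.exit(code)
```

Run from the monitoring host with the host name and port as arguments; a "TLS handshake failed" result points at the client's TLS library and cipher list rather than at the certificate.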
