DX Unified Infrastructure Management

  • 1.  Expiring certificate Monitor

    Posted Aug 24, 2015 08:50 AM

    Hi all,

    I'm looking into monitoring expiring certificates on servers.

    I've set up an alarm that gives me the expiration date and time, but need a little help on getting this value into LUA and comparing it to today's date, then, if less than 14 days, alert.

    Here's my command to look up the expiration date:

    echo | openssl s_client -connect dashboards.mds-ms.net:443 2>/dev/null | openssl x509 -noout -dates

    The output of this command is generating an information alarm that states:

    notAfter=Sep 19 13:38:11 2015 GMT

    Thanks in advance!



  • 2.  Re: Expiring certificate Monitor
    Best Answer

    Posted Aug 24, 2015 10:45 AM

    It appears that the url_response probe has this inbuilt!

    Brilliant!



  • 3.  Re: Expiring certificate Monitor

    Posted Aug 25, 2015 04:00 AM

    It does, but unfortunately it only works with HTTP servers.

    -jon



  • 4.  Re: Expiring certificate Monitor

    Posted Aug 25, 2015 04:32 AM

    Ah, you're right, it does only do HTTP.

    Is there anything in LUA I could do to compare the dates and create an alarm?

    I'm trying to manipulate the example LUA script called "example-time-functions" but need a little help on transferring the date as a variable into the script.

    If I create an informational alarm using logmon and the following command:

    echo | openssl s_client -connect dashboards.mds-ms.net:443 2>/dev/null | openssl x509 -noout -dates

    Then pass this alarm through a script to compare the expiry date to (the date) now / today, and count it down.

    Cheers,

    Sam





  • 5.  Re: Expiring certificate Monitor

    Posted Aug 25, 2015 12:16 PM

    If you want to go that way, you could do it with timestamp.diff:

    timestamp.diff ( StartTimeStamp [, Format [, EndTimeStamp ] ] )
    Returns the difference (seconds, minutes, hours or days) between the EndTimeStamp (or now if not provided) and the StartTimeStamp using the Format specifier (seconds, minutes, hours, day)

    However, that would be kind of an awkward solution in my opinion. There's a LUA probe around the community that uses openssl to check certs and alert, and probably QoS too.

    If you want to go with logmon, I'd suggest you use the "-checkend <seconds>" argument with openssl, like so:

    user@centos:~$ echo | openssl s_client -connect mail.google.com:443 2>/dev/null | openssl x509 -checkend 10000000
    Certificate will expire
    user@centos:~$ echo $?
    1
    user@centos:~$ echo | openssl s_client -connect mail.google.com:443 2>/dev/null | openssl x509 -checkend 1000000
    Certificate will not expire
    user@centos:~$ echo $?
    0

    As you can see, you can then easily catch either the message, or the exit code with logmon.

    -jon
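The date comparison asked for in posts 1 and 4, written here as an added Python example (not code from the thread or from any UIM probe): it parses the notAfter line that `openssl x509 -noout -dates` prints, counts the days remaining against the 14-day threshold from the opening post, and maps that to an alarm severity. The sample output, the severity names, the `utc` helper and the `fetch_dates` wrapper are my own assumptions.

```python
"""Parse `openssl x509 -noout -dates` output and alarm on certificates nearing expiry."""
import re
import subprocess
from datetime import datetime, timezone

WARN_DAYS = 14  # threshold from the opening post

# Constructed sample output, shaped like the line quoted in post 1.
SAMPLE_OUTPUT = "notBefore=Jun 21 13:38:11 2015 GMT\nnotAfter=Sep 19 13:38:11 2015 GMT\n"

def utc(y, m, d, h=0, mi=0, s=0):
    """Build an aware UTC datetime (handy for a fixed reference 'now')."""
    return datetime(y, m, d, h, mi, s, tzinfo=timezone.utc)

def parse_not_after(dates_output):
    """Return the notAfter timestamp as an aware UTC datetime."""
    m = re.search(r"^notAfter=(.+?)\s+GMT\s*$", dates_output, re.MULTILINE)
    if not m:
        raise ValueError("no notAfter line in openssl output")
    # openssl pads single-digit days with a space ("Sep  9 ..."); strptime
    # treats whitespace in the format as "one or more", so that parses too.
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def days_remaining(dates_output, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return (parse_not_after(dates_output) - now).days

def check(dates_output, now=None, warn_days=WARN_DAYS):
    """Map days remaining to (severity, message) for an alarm."""
    d = days_remaining(dates_output, now)
    if d < 0:
        return "critical", f"certificate expired {-d} day(s) ago"
    if d < warn_days:
        return "major", f"certificate expires in {d} day(s)"
    return "clear", f"certificate valid for {d} more day(s)"

def fetch_dates(host, port=443, timeout=10):
    """Run the thread's openssl pipeline against a live host (needs network + openssl).
    -servername sends SNI so a virtual-hosted server returns the right certificate."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout)  # input=b"" mirrors `echo |`
    x509 = subprocess.run(["openssl", "x509", "-noout", "-dates"],
                          input=s_client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()

if __name__ == "__main__":
    print(check(SAMPLE_OUTPUT, now=utc(2015, 8, 24, 8, 50)))
```

For a live check, feed `fetch_dates("host.example")` into `check()`; the severity/message pair is what a wrapper script would hand to logmon or nas.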



  • 6.  Re: Expiring certificate Monitor

    Posted Aug 26, 2015 05:58 AM

    Cheers Jon,

    The logmon option looks like a much better solution. Is there a similar command for Windows servers that you know of?

    Thanks,

    Sam



  • 7.  Re: Expiring certificate Monitor



  • 8.  Re: Expiring certificate Monitor

    Posted Aug 26, 2015 07:50 AM

    Thanks Alquin,

    Are there any documents to support this probe?

    I'm getting the following in the log file:

    Aug 26 12:48:41:273 CertificateExpirationCheck: (do_work) - calling process_url; url = adsl1.mds-ms.net profile = adsl1.mds-ms.net
    Aug 26 12:48:41:273 CertificateExpirationCheck: (process_url) - calling process_url; url = adsl1.mds-ms.net profile = adsl1.mds-ms.net
    Aug 26 12:48:41:273 CertificateExpirationCheck: (process_url) - Run openssl s_client to get certificate
    Aug 26 12:48:41:304 CertificateExpirationCheck: Certificate file size: 0
    Aug 26 12:48:41:304 CertificateExpirationCheck: (process_url) File size 0 Unable to get certificate for profile: adsl1.mds-ms.net url: adsl1.mds-ms.net



  • 9.  Re: Expiring certificate Monitor

    Posted Aug 26, 2015 09:02 AM

    Unfortunately there is nothing that I am aware of in terms of documentation. It works for some certificates and not for others. It is just a bunch of Lua code, and I need a similar solution to what you are describing, so I plan to review and take a look at it when I have time, but unfortunately that is not the case right now.



  • 10.  Re: Expiring certificate Monitor

    Posted Feb 02, 2016 08:41 AM

    To access this URL, do we need to have an ID in Salesforce? Please advise. I am also trying to monitor a certificate expiry that is a non-HTTP one.

    -kag



  • 11.  Re: Expiring certificate Monitor

    Posted Aug 26, 2015 09:39 AM

    You could just go ahead and use openssl on Windows, nothing to prevent it. You could do it with PowerShell as well, but openssl is probably easier.

    -jon