Is it possible to monitor SSL Certificate expiration using heartbeat without the CA certificate?

Hello,

I have to monitor the expiration of some SSL Certificates and was making some tests with heartbeat.

I know that if you have an http monitor using ssl and the ca certificate you will be able to have the expiration date of the certificate on the field tls.certificate_not_valid_after, something like this:

- type: http
  schedule: '@every 60m'
  tags: ["https"]
  urls: ["https://SITE:443"]
  ssl:
    certificate_authorities: ["/path/to/the/CA.crt"]

But I would need to have the CA certificate file on the server. I was wondering if it is possible to have a monitor that works like the check_http plugin from nagios, where you pass the site as a parameter and it returns the expiration date.

I'm a bit confused. Are you saying that your server doesn't send an x509 certificate when the TLS connection is established?

Yes, it does not send a certificate.

I want to get the expiration date of a site certificate, today I'm using a nagios plugin for it where I pass the site as a parameter, like below

[user@server plugins]$ ./check_http -H site.com --ssl --sni -C 90
SSL OK - Certificate 'site.com' will expire in 527 days on 2020-08-08 16:42 -0300/-03.

This brings me the expiration date of the certificate, and will mark it as a WARNING if the date is less than 90 days away, because of the parameter -C 90.

I do not need to have the certificate of site.com to do it.

I was planning to do the same with heartbeat, but if I do not have the site certificate on my machine and configured on the monitor, it will give me an error.
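What the check_http invocation above does, written out as an added Python example (it is not heartbeat code and not from this thread): open a TLS connection with SNI, read the peer certificate's notAfter from the verified handshake, count the days left and flag WARNING below a threshold, CRITICAL once expired or when the handshake itself fails. Like check_http, it needs no copy of the site certificate; the default context verifies against the system trust store. The hostname and the 90-day threshold are illustrative, and the sample notAfter string in the usage is constructed to match the date quoted in the post.

```python
"""Certificate-expiry check in the spirit of `check_http --ssl --sni -C N`.

Added illustration only; not part of heartbeat or the nagios plugin.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional, Tuple


def days_until_expiry(not_after: str, now: Optional[datetime] = None) -> int:
    """Days from `now` until `not_after`, where `not_after` is the string
    returned in getpeercert()['notAfter'], e.g. 'Aug  8 19:42:00 2020 GMT'.
    Negative when the certificate has already expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(tz=timezone.utc)
    return (expires - now).days


def classify(days_left: int, warn_days: int) -> str:
    """Map remaining days to a nagios-style status (warn_days mirrors -C)."""
    if days_left < 0:
        return "CRITICAL"
    if days_left < warn_days:
        return "WARNING"
    return "OK"


def fetch_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Handshake with SNI and return the leaf certificate's notAfter string.

    create_default_context() verifies the chain against the system CA store,
    so no CA file has to be shipped alongside the check. getpeercert() only
    returns the parsed dict when verification succeeded."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname both sets SNI and drives hostname verification.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_site(host: str, warn_days: int = 90, port: int = 443) -> Tuple[str, str]:
    """Return (status, message) for one site, never raising on network errors."""
    try:
        not_after = fetch_not_after(host, port)
    except (ssl.SSLError, OSError) as exc:
        # An expired or untrusted certificate fails verification and lands here.
        return "CRITICAL", f"SSL CRITICAL - TLS handshake to {host}:{port} failed: {exc}"
    days = days_until_expiry(not_after)
    status = classify(days, warn_days)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return status, (f"SSL {status} - Certificate '{host}' will expire in {days} days "
                    f"on {expires:%Y-%m-%d %H:%M} UTC.")


if __name__ == "__main__":
    # Offline demonstration with a constructed notAfter matching the post's date:
    sample_now = datetime(2019, 2, 28, 19, 42, tzinfo=timezone.utc)
    print(days_until_expiry("Aug  8 19:42:00 2020 GMT", sample_now))  # 527 days

    # Live check against a host given on the command line (illustrative default).
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    status, message = check_site(target, warn_days=90)
    print(message)
    sys.exit({"OK": 0, "WARNING": 1, "CRITICAL": 2}[status])
```

The exit codes 0/1/2 follow the nagios convention so the script can stand in for check_http in an existing scheduler while the heartbeat question is sorted out.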

So, this is possible, but it's a bit of a different strategy.

My concern with marking a site down when its cert expires in X days is that it's not down yet.

The reason we built this without this feature is that you can query for sites expiring in X days using Elasticsearch or watcher. There's no need to hardcode that info in config files.

In the future, we'd like to make alerting on that condition easy using the new uptime UI, but we're not quite there yet.

What do you think of that plan?
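The query-side approach described in the reply above, as an added example (not from the thread or the product docs): a range query on the tls.certificate_not_valid_after field that heartbeat writes, returning monitors whose certificate expires within the next 30 days. The index pattern heartbeat-* and the 30-day window are assumptions; the same body can be the condition of a Watcher search input, so the threshold lives in the alert rather than in each monitor's config.

```json
GET heartbeat-*/_search
{
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        { "range": { "tls.certificate_not_valid_after": { "lte": "now+30d" } } },
        { "range": { "@timestamp": { "gte": "now-2h" } } }
      ]
    }
  },
  "aggs": {
    "expiring_monitors": {
      "terms": { "field": "monitor.id", "size": 100 },
      "aggs": {
        "not_valid_after": { "min": { "field": "tls.certificate_not_valid_after" } }
      }
    }
  }
}
```

The @timestamp filter keeps only recent checks so a monitor that was since re-issued does not keep matching on stale documents; the terms aggregation collapses the result to one row per monitor.id with the earliest expiry seen.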
