| Author | jccleaver |
| Compatibility | Xymon 4.2.3 |
| Requirements | perl, unix |
| Download | None |
| Last Update | 2015-11-09 |
Originating thread here: http://www.xymon.com/archive/2010/06/msg00148.html
A small script that checks “sslcert” tests and tries to verify that the common name (“CN=”) in the resulting SSL certificate matches the URL that we tried to reach (e.g. https://secure.example.com/). It reports the status under a new test name, “sslname”. Wildcard certificates are taken into account, since the comparison is done with an extended regular expression (grep -E).
Server side
1. Copy the script into the ext/ directory (or wherever you're storing external scripts) and edit your tasks.cfg file by adding a new block:
# "sslname" runs the ssl certificate checker to verify that sslcert test results match
# the URL we tried to access
#
[sslname]
ENVFILE /etc/xymon/xymonserver.cfg
NEEDS xymond
CMD /etc/xymon/ext/sslname.sh
LOGFILE /var/log/xymon/sslname.log
- sslname.sh
#!/bin/sh
# sslname.sh v2
#
# Retrieve a list of all "sslcert" tests, which come out of any SSL-enabled
# check Xymon does using a built-in (probably https, but also things like imaps)
#
# After getting this list, we go through each one looking for the common
# name that the certificate responded with, verifying that it matched the
# url we were trying to reach in the originating test. Normally this means
# the address for the http test, but it could be just the hostname in the event
# of another SSL service.
#
# Japheth Cleaver <cleaver@terabithia.org>
# No warranty. YMMV. Use at your own risk.
#
# First pass: 2010-08-02
# http://xymonton.org/monitors:sslname.sh
#
# v2 2012-04-27 -- update from hobbit -> xymon and optionally use "modify"
# instead of our own status

# Re-exec under xymoncmd so the server environment ($XYMON, $XYMSRV, ...) is set
[ -z "$XYMON" ] && [ -x /usr/bin/xymoncmd ] && exec /usr/bin/xymoncmd "$0" "$@"

# Set some defaults - I'm running this from xymonlaunch, YMMV
[ -z "$TESTNAME" ] && TESTNAME=sslname
[ -z "$XYMSRV" ] && XYMSRV=0.0.0.0
[ -z "$COLOR" ] && COLOR="clear"
[ -z "$XYMON" ] && XYMON=/usr/bin/xymon

# Modify the sslcert test result, or create our own?
# MODIFY=1

# Get a list of all valid sslcert tests
SSLHOSTS=$($XYMON $XYMSRV "xymondboard test=sslcert fields=hostname")
[ -z "$SSLHOSTS" ] && exit 0

# Loop over them and compare the common name with any URL we can find
for THISHOST in $SSLHOSTS ; do
    # Return the details of this host's sslcert data, unescaping on the way
    # (xymondboard HTML-escapes the message and encodes newlines as "\n")
    SSLDATA=$($XYMON $XYMSRV "xymondboard host=^$THISHOST test=sslcert fields=hostname,msg" | \
        perl -pe 's/&gt;/>/g; s/&lt;/</g; s/&amp;/&/g; s/\\n/\n/g;')
    THISCOMMA=$(echo "$THISHOST" | sed -e 's/\./,/g')

    # Find the common name...
    # TODO: We should loop over all common names and try to figure out what the relevant URLs are below
    # For now, we sort and take the first one.
    COMMONNAME=$(echo "$SSLDATA" | grep CN= | perl -pe 's/^.*CN=([\w\.\-\*]+).*$/$1/' | sort -u | head -n 1)
    if [ -z "$COMMONNAME" ] ; then
        echo "Couldn't find a 'common name' for $THISHOST..." >&2
        continue
    fi
    # echo " -- Common name for $THISHOST is '$COMMONNAME'"

    # Isolate what hostname we were trying to access and store as URL,
    # if found. The HUMANURL is the full string, including any port number
    URL=$(echo "$SSLDATA" | grep -c https://)
    if [ "$URL" -eq 1 ] ; then
        # Great, a simple https address to look at
        URL=$(echo "$SSLDATA" | grep https:// | perl -pe 's#^.*https://([\w\.\-]+)(:\d+)?/.*$#$1#')
        HUMANURL=$(echo "$SSLDATA" | grep https:// | perl -pe 's#^.*(https://[\w\.\-]+(:\d+)?/).*$#$1#')
    else
        URL=$THISHOST
        HUMANURL=$THISHOST
    fi

    # Compare the hostname with the common name. The CN is turned into an
    # anchored, case-insensitive regex: "." is literal and a wildcard label "*"
    # matches exactly one label (www.example.com, but not a.b.example.com)
    CNPATTERN=$(echo "$COMMONNAME" | sed -e 's/\./\\./g' -e 's/\*/[^.]+/g')
    ISMATCH=$(echo "$URL" | grep -ciE "^${CNPATTERN}\$")

    # Check if we're just modifying the existing status
    if [ -n "$MODIFY" ] ; then
        [ "$ISMATCH" -ne 1 ] && $XYMON $XYMSRV "modify ${THISCOMMA}.sslcert red $TESTNAME Certificate $COMMONNAME does NOT match $HUMANURL"
        continue
    fi

    # Build our Xymon report
    if [ "$ISMATCH" -eq 1 ] ; then
        STATUS="SSL cert ok"
        COLOR="green"
        BODY="&green $HUMANURL matches certificate $COMMONNAME"
    else
        STATUS="SSL cert name MISMATCH"
        COLOR="red"
        BODY="&red $HUMANURL does NOT match certificate $COMMONNAME
<A HREF=\"$XYMONWEBHOST$XYMONSERVERCGIURL/svcstatus.sh?HOST=$THISHOST&SERVICE=sslcert\">See 'sslcert' test results</A>"
    fi

    # Send results to Xymon
    $XYMON $XYMSRV "status ${THISCOMMA}.${TESTNAME} ${COLOR} $(date) - ${STATUS}
${BODY}"
done

# fin
exit 0
Known Bugs and Issues
This is targeted mainly at https:// tests; YMMV with “sslcert” results from other types of tests (imaps, smtps, pop3s, etc.).