Xymon does out-of-the-box monitoring of SSL certificates. For any SSL-enabled service that is checked (https, pop3s, imaps, ldaps, …[1]) the certificate is checked too by default and the result is shown in a separate status column, sslcert. For SNI (Server Name Indication)[2] enabled services extra care is required.

The following aspects of certificates can be checked:

  • The expiration date of the certificate (enabled by default): a warning or alarm is issued as the expiration date approaches. The options --sslwarn=N and --sslalarm=N (N in days) of xymonnet can be used to change the defaults (10/30 days).

  • The key size of the public key (disabled by default): enable with the --sslkeysize=N option of xymonnet.

  • The bit size of the encryption (disabled by default): enable with --sslbits=128 for xymonnet or with sslbits=128 on a per-host basis in hosts.cfg.

In case the default behaviour is not suitable, it can be disabled on a per-host basis by adding the nosslcert tag in hosts.cfg, or globally by running xymonnet with the --no-ssl option. To change the global xymonnet parameters, edit the call of xymonnet in the [xymonnet] section of tasks.cfg.

SNI support

It is possible to monitor individual certificates on SNI enabled services/sites, i.e. sites that have multiple certificates on one IP. This is very common (if not the default nowadays) with web servers using name-based virtual hosting.

SNI support was added in Xymon v4.3.13 and was enabled by default. In v4.3.14 the default was changed to disabled[3]. With SNI disabled by default, the wrong certificate may in practice be checked for "SNI sites", without any non-green indication.

Check the Common Name (CN) reported in the sslcert column for new certificates if unsure.

There are two ways to configure the SNI handling of Xymon:

  • on a per-host basis by adding sni or nosni to the host's tags in hosts.cfg

or (to get the behaviour of v4.3.13)

  • globally by adding --sni=on (or --sni=off, which is the default since 4.3.14) to the call of xymonnet in tasks.cfg.

There is a thread on the Xymon mailing list with an in-depth analysis by Mark Felder of the various issues with SNI and the reasoning behind disabling it by default.
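Because a host that inherits the global --sni=off default gives no non-green hint that the wrong certificate is being checked, it helps to lint hosts.cfg for exactly that case. The script below is an added example, not part of Xymon or this post: it parses a constructed hosts.cfg and lists hosts with an SSL-enabled test that rely on the global SNI default rather than an explicit sni/nosni tag (the helper names, the IPv4-only host-line assumption and the sample hosts are mine).

```python
import re

# SSL-enabled URL schemes whose certificate xymonnet checks by default (per the post).
SSL_SCHEMES = ("https://", "pop3s://", "imaps://", "ldaps://")
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse_hosts_cfg(text):
    """Yield (hostname, tags) for every 'IP hostname # tag tag ...' line; blank
    lines, comments and directives like 'page' are skipped (assumption: IPv4)."""
    for raw in text.splitlines():
        head, _, tagstr = raw.strip().partition("#")
        parts = head.split()
        if len(parts) >= 2 and IPV4.match(parts[0]):
            yield parts[1], tagstr.split()

def effective_sni(tags, global_sni):
    """A per-host 'sni'/'nosni' tag overrides xymonnet's global --sni=on|off."""
    if "sni" in tags:
        return True
    if "nosni" in tags:
        return False
    return global_sni

def find_sni_risks(text, global_sni=False):
    """Hosts with an SSL-enabled test whose certificate check would run without
    SNI because they inherit the global default (off since 4.3.14). Hosts tagged
    'nosslcert' or explicitly 'nosni' are deliberate choices and are skipped."""
    risky = []
    for host, tags in parse_hosts_cfg(text):
        if "nosslcert" in tags or "nosni" in tags:
            continue
        if not any(t.startswith(SSL_SCHEMES) for t in tags):
            continue  # no https/pop3s/imaps/ldaps test on this host
        if not effective_sni(tags, global_sni):
            risky.append(host)
    return risky

# Constructed sample hosts.cfg, not taken from any real installation.
SAMPLE_HOSTS_CFG = """\
page web Web servers
192.0.2.10 www.example.net  # https://www.example.net/ sni
192.0.2.10 shop.example.net # https://shop.example.net/
192.0.2.20 mail.example.net # imaps://mail.example.net nosni sslbits=128
192.0.2.30 old.example.net  # https://old.example.net/ nosslcert
"""

if __name__ == "__main__":
    for host in find_sni_risks(SAMPLE_HOSTS_CFG):
        print(f"{host}: certificate check runs without SNI (default vhost cert?)")
```

Run it against the real hosts.cfg with global_sni set to match the --sni value in tasks.cfg; every host it lists shares an IP with other names and should get an explicit sni tag or be verified via the CN shown in the sslcert column.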

Final Words

If you are using the SSL certificate monitoring of Xymon and your services are SNI enabled you should check if your configuration is adjusted properly. Otherwise you may be monitoring the wrong certificates and end up with expired ones — without any non-green status in Xymon.

The default column name (sslcert) for the certificate checks can be changed with the --ssl=<test-name> option of xymonnet.

An in-depth discussion of HTTP monitoring can be found in the article Advanced HTTP Monitoring With Xymon.

  1. The man page of xymonnet states that for ldaps there is no automatic certificate check, but that does not seem to be the case any more.

  2. See the Wikipedia article for more background information.

  3. In fact this triggered this post as this was (re-) brought to my attention lately the hard way (wrong cert checked due to sni=off and thus expired cert in production).