Xymon does out-of-the-box monitoring of SSL certificates. So for any SSL-enabled service that is checked (…[1]) the certificate is checked too by default, and the result is shown in the sslcert column. For SNI (Server Name Indication)[2] enabled services extra care is required.
The following aspects of certificates can be checked:
- The expiration date of the certificate (enabled by default): a warning or alarm is issued as the expiration date approaches. The option --sslalarm=N (N in days) of xymonnet can be used to change the defaults (10/30 days).
- The key size of the public key (disabled by default): enable with the --sslkeysize=N option of xymonnet.
- The bit size of the encryption (disabled by default): enable with --sslbits=128 for xymonnet, or with sslbits=128 on a per-host basis in
In case the default behaviour is not suitable, it can be disabled on a per-host basis by putting nosslcert in hosts.cfg, or globally by running xymonnet with the --no-ssl option. To change the global xymonnet parameters, edit the call of xymonnet in section
It is possible to monitor individual certificates on SNI-enabled services/sites, i.e. sites that have multiple certificates on one IP. This is very common (if not the default nowadays) with web servers using name-based virtual hosting.
SNI support was added in Xymon v4.3.13 and enabled by default. In v4.3.14 the default was changed to disabled[3]. This disabled-by-default may in practice lead to the wrong certificate being checked for “SNI sites”, without any non-green indication. Check the Common Name (CN) reported in the sslcert column for new certificates if unsure.
There are two ways to configure the SNI handling of Xymon:
- on a per host basis by adding or (to get the behaviour of v4.3.13)
- globally by adding off which is the default since 4.3.14) to the call of
There is a thread on the Xymon mailing list with an in-depth analysis by Mark Felder of the various issues with SNI and the reasoning behind disabling it by default.
If you are using the SSL certificate monitoring of Xymon and your services are SNI enabled, you should check that your configuration is adjusted properly. Otherwise you may be monitoring the wrong certificates and end up with expired ones, without any non-green status in Xymon.
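As an added example (not code from this post or from Xymon), the following Python script fetches the certificate a service presents with and without SNI, so you can see whether an sni=off check would be watching a different certificate than the one your clients receive, and rates the expiry against the 10/30 day defaults mentioned above. The host names, the sample certificates and the mapping of 10 days to the alarm (red) and 30 days to the warning (yellow) threshold are assumptions made for the example.

```python
import socket
import ssl
import time

# Page states 10/30 day defaults; 10 = alarm (red), 30 = warn (yellow) is assumed.
ALARM_DAYS, WARN_DAYS = 10, 30

# Constructed getpeercert()-shaped samples (not from a real host), with/without SNI.
SAMPLE_SNI = {"subject": ((("commonName", "www.example.org"),),),
              "notAfter": "Jun 20 00:00:00 2030 GMT"}
SAMPLE_NO_SNI = {"subject": ((("commonName", "default.example.net"),),),
                 "notAfter": "Jan 10 00:00:00 2030 GMT"}

def fetch_cert(host, port=443, use_sni=True, timeout=5.0):
    """Peer certificate as a getpeercert() dict. use_sni=False sends no
    server_name extension, which is what an sni=off check sees. Hostname
    matching is off so the cert is returned either way; CA validation stays on."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if use_sni else None) as tls:
            return tls.getpeercert()

def common_name(cert):
    """Subject CN of a getpeercert()-style dict, or None if absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def not_after_seconds(cert):
    """Expiry (notAfter) as seconds since the epoch."""
    return ssl.cert_time_to_seconds(cert["notAfter"])

def days_left(cert, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return int((not_after_seconds(cert) - now) // 86400)

def rate(cert, now=None, alarm=ALARM_DAYS, warn=WARN_DAYS):
    """Colour the certificate the way the sslcert column would."""
    left = days_left(cert, now)
    return "red" if left < alarm else "yellow" if left < warn else "green"

def sni_mismatch(cert_with_sni, cert_without_sni):
    """True when the two handshakes returned different certificates, i.e. an
    sni=off check of this host would be watching the wrong one."""
    return common_name(cert_with_sni) != common_name(cert_without_sni)
```

Against a live host, call fetch_cert(host) and fetch_cert(host, use_sni=False) and pass both to sni_mismatch(); a True result means the certificate Xymon sees with sni=off is not the one clients get.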
The default column name (sslcert) for the certificate checks can be changed with --ssl=<test-name> for xymonnet.
An in-depth discussion of http-monitoring can be found in the article Advanced HTTP Monitoring With Xymon.
[1] The man-page of xymonnet states that for ldaps there is no automatic certificate check, but that does not seem to be the case any more.
[3] In fact this triggered this post, as this was (re-)brought to my attention lately the hard way (wrong cert checked due to sni=off and thus an expired cert in production).