Q: How I can be sure SSL certificate of monitored site is valid?
A: You can verify SSL certificate with a script. You would need a Linux computer with OpenSSL package installed (nowadays, this is default). Create a script (for the sake of example, we assume the location for the script is ~/bin (directory “bin” in home directory of current user).
Creating and setting up certificate checking script
1. Create a file ~/bin/test-site-certificate.sh and paste into it the following content:
#!/bin/bash
if [[ "z$1" == "z" ]]; then
echo "-1"
exit 0
else
TESTHOST="$1"
fi
openssl s_client -CApath /etc/ssl/certs/ -connect ${TESTHOST}:443 < /dev/null 2> /dev/null | grep 'Verify return code' | awk '{ print $4 }'
Note: the last command (starting with ‘openssl’) should be entered as single line.
Note: depending on your OS and its version, default certificates storage may be located in directory different from ‘/etc/ssl/certs’ (example: ‘/etc/pki/tls/certs’). Please refer to openssl manual pages to get actual location of local certificates repository.
2. After you have created the file, make it executable and test it in action:
chmod +x ~/bin/ ~/bin/test-site-certificate.sh www.google.com
If everything is configured properly, and there’s working Internet connection, the last command should print single digit 0.
3. Now add the host for the above Unix (Linux etc) server used in the above step and in “Main Parameters” section for it enter its Unix credentials to connect via SSH.
Now create new monitor for that host: New Monitor -> Custom Monitors -> SSH (Remote Script or Program). The monitor main parameters should look like this:
4. Run the monitor. For the given default parameter (www.google.com) it should return 0. To use it with actual domain to check, replace ‘www.google.com’ with domain name of your choice.
The script’s performance value, if certificate is OK, will be single digit 0. Non-null integer value will be output otherwise. Add, on “State conditions” tab, Warning and/or Down condition to raise alert if domain certificate isn’t valid. It is enough to use ‘>= 0’ single Down condition to do that.
Note: for self-signed certificates, if no valid local CA certificate is found in CA repository, error code 19 will most probably be returned.
Note: after you made and checked this monitor, you can make all monitors checking the site content depending on this one. That will ensure no checks are made if site’ security isn’t confirmed.
Certificate validation results
For your convenience, here are integer values the script will output if certificate is not valid – and their meaning. For more information please see this document: openssl verify.
| Code | Meaning |
|---|---|
| 0 | the operation was successful. |
| 2 | the issuer certificate of a looked up certificate could not be found. This normally means the list of trusted certificates is not complete. |
| 3 | the CRL of a certificate could not be found. |
| 4 | the certificate signature could not be decrypted. This means that the actual signature value could not be determined rather than it not matching the expected value, this is only meaningful for RSA keys. |
| 5 | the CRL signature could not be decrypted: this means that the actual signature value could not be determined rather than it not matching the expected value. Unused. |
| 6 | the public key in the certificate SubjectPublicKeyInfo could not be read. |
| 7 | the signature of the certificate is invalid. |
| 8 | the signature of the certificate is invalid. |
| 9 | the certificate is not yet valid: the notBefore date is after the current time. |
| 10 | the certificate has expired: that is the notAfter date is before the current time. |
| 11 | the CRL is not yet valid. |
| 12 | the CRL has expired. |
| 13 | the certificate notBefore field contains an invalid time. |
| 14 | the certificate notAfter field contains an invalid time. |
| 15 | the CRL lastUpdate field contains an invalid time. |
| 16 | the CRL nextUpdate field contains an invalid time. |
| 17 | an error occurred trying to allocate memory. This should never happen. |
| 18 | the passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates. |
| 19 | the certificate chain could be built up using the untrusted certificates but the root could not be found locally. |
| 20 | the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found. |
| 21 | no signatures could be verified because the chain contains only one certificate and it is not self signed. |
| 22 | the certificate chain length is greater than the supplied maximum depth. Unused. |
| 23 | the certificate has been revoked. |
| 24 | a CA certificate is invalid. Either it is not a CA or its extensions are not consistent with the supplied purpose. |
| 25 | the basicConstraints pathlength parameter has been exceeded. |
| 26 | the supplied certificate cannot be used for the specified purpose. |
| 27 | the root CA is not marked as trusted for the specified purpose. |
| 28 | the root CA is marked to reject the specified purpose. |
| 29 | the current candidate issuer certificate was rejected because its subject name did not match the issuer name of the current certificate. Only displayed when the -issuer_checks option is set. |
| 30 | the current candidate issuer certificate was rejected because its subject key identifier was present and did not match the authority key identifier current certificate. Only displayed when the -issuer_checks option is set. |
| 31 | the current candidate issuer certificate was rejected because its issuer name and serial number was present and did not match the authority key identifier of the current certificate. Only displayed when the -issuer_checks option is set. |
| 32 | the current candidate issuer certificate was rejected because its keyUsage extension does not permit certificate signing. |
| 50 | an application specific error. Unused. |
