How to monitor for revoked TLS certificates?

Hi

We’re monitoring several websites for HTTP and HTTPS response times, and also whether the certificate is valid. All those service checks are executed via the “check_http” plugin from the monitoring-plugins collection.

We ran into an issue where a certificate was technically still valid, but got accidentally revoked by the issuing CA. Browsers seem to periodically fetch the certificate revocation lists (CRL); some still showed the website, others started to complain about the revoked certificate.
Our https-checks via Icinga2 did not detect this problem at all and that’s what bugs me about this case.

Now I’m wondering how to check for revoked certificates with Icinga2. I’ve looked at the parameters of the check_http plugin (https://www.monitoring-plugins.org/doc/man/check_http.html) but couldn’t find anything related.

How would you monitor certificates against the CRL of the issuer?

Best wishes,
Mario

Hi,

maybe the certificate monitoring module can be of help here?

Cheers,
Michael

Hi,

I’m afraid that revocation isn’t checked by the usual service check scripts or even the X509 certificate module for Icingaweb2.

Revocation checking can be done in several ways, i.e. by downloading the certificate revocation list (CRL) from a server provided by the issuing CA or by using OCSP (also done by browsers).
You should find the URL for CRL/OCSP within the certificate; this can be an HTTP, HTTPS or LDAP link.
The checking scripts need access to this URL and the access protocol must be implemented.
OCSP checks can be done by openssl or other tools; ask the search engine of your choice :wink:

Regards,
Manfred

1 Like
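Manfred's description in working form, as an added example that is not part of this thread and not the code of check_ssl_cert or any other plugin: the script below builds a throwaway CA with nothing but the openssl binary, issues a leaf certificate that carries CRL and OCSP URLs (the example.test hostnames are assumed placeholders and are never contacted), and then compares what an expiry-only check sees with what a CRL check sees before and after the leaf is revoked. It reproduces the situation from the first post offline: the certificate stays "valid" by date while the CRL says "revoked".

```shell
#!/bin/sh
# Added example: local CA + CRL check with openssl. Placeholder URLs only.

setup_demo_ca() {
    # $1 = empty working directory; creates CA, leaf cert, and an initial CRL
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_policy
x509_extensions = v3_leaf
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
authorityKeyIdentifier = keyid
# where a client finds revocation data (assumed placeholder URLs)
crlDistributionPoints = URI:http://crl.example.test/demo.crl
authorityInfoAccess = OCSP;URI:http://ocsp.example.test
EOF
    ( cd "$dir" &&
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
          -config ca.cnf -keyout ca.key -out ca.crt >/dev/null 2>&1 &&
      openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
          -config ca.cnf -keyout leaf.key -out leaf.csr >/dev/null 2>&1 &&
      openssl ca -batch -notext -config ca.cnf -in leaf.csr -out leaf.crt >/dev/null 2>&1 &&
      openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1 )
}

revoke_leaf() {
    # mark the leaf as revoked in the CA database and publish a fresh CRL
    ( cd "$1" &&
      openssl ca -config ca.cnf -revoke leaf.crt >/dev/null 2>&1 &&
      openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1 )
}

revocation_urls() {
    # print the CRL distribution point and OCSP responder embedded in a cert
    openssl x509 -in "$1" -noout -text | grep 'URI:' | sed 's/^ *//'
}

expiry_status() {
    # what a date-only check sees: "valid" as long as notAfter is in the future
    if openssl x509 -in "$1/leaf.crt" -noout -checkend 0 >/dev/null 2>&1
    then echo valid; else echo expired; fi
}

crl_status() {
    # chain check plus CRL lookup for the leaf (-crl_check_all would cover the chain)
    if out=$(openssl verify -CAfile "$1/ca.crt" -crl_check -CRLfile "$1/ca.crl" \
                 "$1/leaf.crt" 2>&1); then
        echo good
    else
        case $out in
            *"certificate revoked"*) echo revoked ;;
            *) echo "error: $out" ;;
        esac
    fi
}

DEMO_DIR=$(mktemp -d)
setup_demo_ca "$DEMO_DIR"
echo "revocation endpoints named in the certificate:"
revocation_urls "$DEMO_DIR/leaf.crt"
echo "before revocation: expiry=$(expiry_status "$DEMO_DIR") crl=$(crl_status "$DEMO_DIR")"
revoke_leaf "$DEMO_DIR"
echo "after revocation:  expiry=$(expiry_status "$DEMO_DIR") crl=$(crl_status "$DEMO_DIR")"
```

Against a real site the CRL is not on disk: the check has to fetch the file named by the crlDistributionPoints URI first and then run the same `openssl verify -crl_check`, or ask the OCSP responder named in the authorityInfoAccess extension about that one serial number. That fetch-and-verify step is exactly what check_http does not do and what an OCSP-aware plugin such as check_ssl_cert adds on top of the expiry check.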

Did you try check_ssl_cert?

4 Likes

+1 for check_ssl_cert and OCSP.
Does the job for us!

/George

Thanks to all of you!
I think that check_ssl_cert with activated OCSP flag looks like the solution.

2 Likes