We’re monitoring several websites for http and https response-times - and also whether the certificate is valid. All those service checks are executed via the “check_http” plugin from the monitoring-plugins collection.
We ran into an issue where a certificate was technically still valid - but got accidentally revoked by the issuing CA. Browsers seem to periodically fetch the certificate revocation lists (CRL); some still showed the website - others started to complain about the revoked certificate.
Our https-checks via Icinga2 did not detect this problem at all and that’s what bugs me about this case.
Now I’m wondering how to check for revoked certificates with Icinga2. I’ve looked at the parameters of the check_http plugin (https://www.monitoring-plugins.org/doc/man/check_http.html) but couldn’t find anything related.
How would you monitor certificates against the CRL of the issuer?
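
One way to cover the gap described in the post above, as an added example that is not part of the original post or of monitoring-plugins: a plugin-style shell function that verifies a certificate against its issuer's CRL with the `openssl` CLI. The function names and file arguments are hypothetical, and it assumes the leaf certificate, the CA chain and a PEM copy of the CRL have already been saved to local files.

```shell
#!/bin/sh
# Added example: Icinga/Nagios-style CRL check built on the openssl CLI.
# Exit codes follow the plugin convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.

# Print the first CRL distribution point URL embedded in a certificate
# (needs OpenSSL 1.1.1 or later for "x509 -ext").
crl_url() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null |
        sed -n 's/^ *URI://p' | head -n 1
}

# check_cert_revocation <leaf.pem> <ca-chain.pem> <crl.pem>
# The CRL must be PEM; a downloaded DER CRL converts with
#   openssl crl -inform DER -in ca.crl -out crl.pem
check_cert_revocation() {
    cert=$1 chain=$2 crl=$3
    for f in "$cert" "$chain" "$crl"; do
        [ -r "$f" ] || { echo "UNKNOWN - cannot read $f"; return 3; }
    done
    # -crl_check makes verification fail when the leaf's serial is on the CRL
    if out=$(openssl verify -crl_check -CAfile "$chain" -CRLfile "$crl" "$cert" 2>&1); then
        echo "OK - certificate verifies and is not on the CRL"
        return 0
    fi
    case $out in
        *"certificate revoked"*)
            echo "CRITICAL - certificate is listed as revoked on the CRL"
            return 2 ;;
        *"certificate has expired"*)
            echo "CRITICAL - certificate has expired"
            return 2 ;;
        *)  # stale or mismatched CRL, broken chain: revocation state not established
            echo "UNKNOWN - revocation state not established: $(echo "$out" | tail -n 1)"
            return 3 ;;
    esac
}

# Run as a plugin when called with the three file arguments
if [ "$#" -eq 3 ]; then
    check_cert_revocation "$@"
    exit $?
fi
```

A stale CRL is reported as UNKNOWN rather than OK, so a failing CRL download does not hide a revocation.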