Looking for a check_http or check_ssl_certificate to run on Windows servers

Hello,

We have HTTPS services running on Windows and Linux servers, using a variety of ports in the ranges 8000 to 15000.

We want to monitor the SSL certificates used for these HTTPS services, but there are network firewalls between the Icinga pollers (satellites) and the servers running the Icinga agent.

We sure do not want to define a generic rule in the firewalls that allows traffic on all ports. We also do not want hundreds of specific rules, one per port to monitor. In short, we want the checks to be run on the agent.

For the Linux servers, no problem, we even have the choice between several plugins to achieve the checks.

For the Windows servers, we are still looking for a plugin that would allow the monitoring of the certificates.

Nota Bene: We are using the Icinga Agent for Windows, not the full Icinga for Windows.

If anyone has a suggestion of an existing plugin, or a way to implement this, we would be very grateful.

Thank you,

Jean

1 Like

Why not allow only the satellites access to all ports?
Allowing the monitoring access to all ports doesn't seem too generic to me, as only selected hosts are allowed to do this, and only in their network segment.
I specifically avoid checking HTTPS locally, as it needs to work from other systems, not just over loopback.

Hi Jean,

For monitoring SSL certificates on Windows servers without opening all ports, you can use a custom script with the check_ssl_cert plugin, which can be run locally on the Icinga Agent. While Icinga’s default set of plugins doesn’t have a dedicated SSL certificate check for Windows, you can write a PowerShell script that uses the Get-Help command or an existing open-source tool like OpenSSL (if installed on Windows). This script could be executed on the agent to fetch and check the SSL certificates for expiration or validity on specific ports. You can then integrate this custom script into your Icinga checks. Let me know if you need help with the script!

Best,
william

2 Likes
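One way to implement the agent-side check William describes, as an added example that is not a plugin from this thread or from the Icinga project. It uses the .NET SslStream class that ships with Windows PowerShell, so nothing extra (OpenSSL or otherwise) has to be installed on the server. The agent connects to loopback but still sends the real hostname as SNI and validates the certificate name against it, which is what matters when the service certificate is issued for the public name rather than for localhost. The default port, hostname and thresholds are assumptions for illustration; output and exit codes follow the Nagios/Icinga plugin convention (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN).

```powershell
<#
check_tls_cert.ps1 - added example, not from the thread or the Icinga project.
Opens a TCP connection, completes the TLS handshake, reads the leaf certificate
the service presents and reports days until expiry plus any validation errors,
in Icinga plugin format. Meant to run on the Icinga agent via a CheckCommand
with command_endpoint, so no firewall rule between satellite and server is needed.
#>
param(
    [string]$ServerName = 'localhost',  # assumed: name in the certificate, sent as SNI
    [string]$ConnectTo  = '127.0.0.1',  # address the agent actually connects to
    [int]$Port          = 8443,         # assumed port; anything in the 8000-15000 range works
    [int]$Warning       = 30,           # days left below which the state is WARNING
    [int]$Critical      = 7,            # days left below which the state is CRITICAL
    [int]$TimeoutMs     = 5000
)

$ErrorActionPreference = 'Stop'
$stateText = @('OK', 'WARNING', 'CRITICAL', 'UNKNOWN')

function Get-PluginState {
    # Map days remaining and TLS policy errors onto the plugin state code.
    param([int]$DaysLeft, [System.Net.Security.SslPolicyErrors]$Errors,
          [int]$Warn, [int]$Crit)
    if ($DaysLeft -lt $Crit) { return 2 }
    if ($DaysLeft -lt $Warn) { return 1 }
    # An untrusted chain or a name mismatch is a validity problem even when the
    # expiry date is fine; surface it as WARNING so it is visible but distinct.
    if ($Errors -ne [System.Net.Security.SslPolicyErrors]::None) { return 1 }
    return 0
}

$exitCode = 3
$message  = 'CERT UNKNOWN - check did not run'
$client = $null; $ssl = $null
try {
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    $handle = $client.BeginConnect($ConnectTo, $Port, $null, $null)
    if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) {
        throw "TCP connect to ${ConnectTo}:${Port} timed out after ${TimeoutMs} ms"
    }
    $client.EndConnect($handle)

    # Record validation errors instead of aborting the handshake, so an expired
    # or misnamed certificate can still be read and reported, not just rejected.
    $policy = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $errors)
        $policy.Errors = $errors
        return $true
    }.GetNewClosure())

    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    # $ServerName goes out as SNI and is checked against the certificate's names.
    $ssl.AuthenticateAsClient($ServerName)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    $state = Get-PluginState -DaysLeft $daysLeft -Errors $policy.Errors -Warn $Warning -Crit $Critical

    $detail = ('{0} on {1}:{2} expires {3:yyyy-MM-dd} ({4} days left), protocol {5}' -f
        $cert.Subject, $ServerName, $Port, $cert.NotAfter, $daysLeft, $ssl.SslProtocol)
    if ($policy.Errors -ne [System.Net.Security.SslPolicyErrors]::None) {
        $detail += ", validation: $($policy.Errors)"
    }
    # Text, then perfdata so Icinga can graph days_left against the thresholds.
    $message  = ('CERT {0} - {1} | days_left={2};{3};{4};0' -f
        $stateText[$state], $detail, $daysLeft, $Warning, $Critical)
    $exitCode = $state
}
catch {
    $message  = "CERT UNKNOWN - $($_.Exception.Message)"
    $exitCode = 3
}
finally {
    if ($ssl)    { $ssl.Dispose() }
    if ($client) { $client.Dispose() }
}

Write-Output $message
exit $exitCode
```

Run it on the agent as `powershell.exe -NoProfile -ExecutionPolicy Bypass -File check_tls_cert.ps1 -ServerName app.example.org -Port 8443` (hypothetical hostname), wrapped in a CheckCommand whose service has `command_endpoint` set to the agent so the satellite never has to reach the port itself. Two caveats a practitioner should keep in mind: chain validation uses the agent's own Windows trust store, so a private CA has to be trusted on the server for the chain to come back clean; and, as noted above in the thread, a loopback check proves the certificate is valid, not that the port is reachable from where clients actually connect.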

Hi William,
This is exactly what I would like to find as an already-packaged plugin.
Best regards,
Jean

In our institution, security is a major concern. We have hundreds of application servers located in many subnets, and using a variety of TCP ports.

I do understand the source in the FW rule would be limited to the satellites. However, the range of destinations would be very large (requiring multiple firewalls to be opened), and the number of ports very high. Hence the reluctance, and the desire to find an agent-based solution.

Now, I can live with the fact that nothing exists that could be reused, in which case we'll need to evaluate what direction we want to go: write a plugin, or open the firewalls.

Well, Invoke-IcingaCheckCertificate can evaluate local certificates, and you might be able to build check_curl on Windows.
If that does not suffice developing a custom plugin might be the way to go.

1 Like

It sounds like you could have a third option: more satellites (one per subnet).
But I guess, if I were in your place, I would write a plugin or commission it from @Linuxfabrik.

1 Like

We would love to migrate check_http to Python, as well as adding TLS 1.3 and HTTP/2 support. As it would be written in Python, it would be OS-independent. This has been on our roadmap for a while, but we have yet to find a sponsor.

1 Like