Module X509

About

The X509 Module for Icinga Web 2 is an additional module which provides the ability to scan IP ranges and keep track of certificates as they are deployed in a network environment.


Installation

The Module can be found here

Documentation can be found here


To Do’s

We admire everybody who can kindly provide further advice and usage options in :open_book: written or :video_camera: visual form

5 Likes

Good afternoon… @dokon

I’m hoping there are others that have started using this module… I installed it today in hopes of being able to keep tabs on all of the webservers/certs. I’m not using director, so will come back later to host/service templates additions.

To go on with the basics… I imported my Root CA and Intermediate CA certs.
Then created a job to scan a subnet.

The results were: Only the Root CA and Intermediate CA info were displayed under Certificate Monitoring.
Next run, I inserted the web certs for my Icinga2 servers, and re-ran the scan.
(I should mention my icinga servers are using the same Root CA / Intermediate certs).
They now show up in the results.

I was expecting the module to find/report on any host running on port 443 (to include hosts with self-signed certs).

Question: Am I incorrect in assuming this? Why would I need to import certs for each host?
ANSWERING Myself: I found a blog on the internet where someone went into more detail on how to use the module… REF: https://www.claudiokuenzler.com/blog/820/monitoring-ssl-tls-sni-certificates-icingaweb2-x509-module (Props to him!) I was missing the “scan” option, which I either missed or it isn’t in your documentation.

sudo icingacli x509 scan --job vlan100

Another question: I noticed the “Certificate Usage” section is empty, should there be some content here?
ANSWERING Myself: This section populated after the scan!

1 Like

Only issue remaining… :neutral_face:

Another issue/item of concern:
In your documentation you mention the x509 host check is already in the ITL, however a word search on “509” produces nothing. Were these removed or is there a way to reference them?
https://icinga.com/docs/icinga2/latest/doc/10-icinga-template-library/#x509

Sorry to keep asking the questions… but the CLI commands do not seem to produce output
What would I be missing?

This host is my icinga master (its a valid host)

[user@icinga01 certs 12980]$ sudo icingacli x509 check host --host icinga01.redacted.com
UNKNOWN - Host not found

[user@icinga01 certs 12981]$ sudo icingacli x509 check host --host icinga01.redacted.com --port 443
UNKNOWN - Host not found

ANSWERING Myself: Again, the “SCAN” command mentioned a couple of posts up resolved this issue.
It should be mentioned/stressed how important it is that the SCAN is performed for the other parts to function correctly.

[user@icinga01 certs 13003]$ sudo icingacli x509 check host --host icinga01
OK - icinga01.REDACTED.com expires in 1064 days|'icinga01.REDACTED.com'=92002173s;23670000;9504000;0;94608000
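The check output above is standard plugin output: a state and message, then perfdata after the `|` with value, warning and critical thresholds, minimum and maximum (here all in seconds until expiry). The following Python is an added example for this thread, not code from the x509 module: it parses such a line, converts the remaining lifetime to days, and re-derives the state from the thresholds the check itself reported. The sample line is the one posted above; the interpretation that a remaining lifetime below the warning/critical value is worse is an assumption about the check's semantics, and full Nagios range syntax (e.g. `10:`) is not handled.

```python
"""Parse `icingacli x509 check host` plugin output and evaluate its perfdata.

Added example for this thread, not the x509 module's own code.  Assumptions:
remaining seconds below the reported crit threshold -> CRITICAL, below warn ->
WARNING; thresholds are plain numbers (no Nagios range syntax)."""
import re
from dataclasses import dataclass
from typing import Optional

# One perfdata item: 'label'=value[UOM];warn;crit;min;max  (label may be quoted)
PERF_ITEM = re.compile(
    r"(?:'(?P<qlabel>[^']*)'|(?P<label>[^\s'=]+))="
    r"(?P<value>-?\d+(?:\.\d+)?)(?P<uom>[A-Za-z%]*)"
    r"(?P<rest>(?:;[^;\s]*){0,4})"
)


@dataclass
class PerfData:
    label: str
    value: float
    uom: str
    warn: Optional[float]
    crit: Optional[float]
    minimum: Optional[float]
    maximum: Optional[float]


@dataclass
class CheckResult:
    state: str      # OK / WARNING / CRITICAL / UNKNOWN, as printed by the check
    message: str    # human-readable text before the '|'
    perfdata: list  # list of PerfData


def _num(field: str) -> Optional[float]:
    """Plain numeric threshold, or None when the field is empty."""
    return float(field) if field else None


def parse_perfdata(section: str) -> list:
    """Split the text after '|' into PerfData items."""
    items = []
    for m in PERF_ITEM.finditer(section):
        fields = m.group("rest").split(";")[1:]  # drop the empty piece before the first ';'
        fields += [""] * (4 - len(fields))       # pad to warn, crit, min, max
        label = m.group("qlabel") if m.group("qlabel") is not None else m.group("label")
        items.append(PerfData(
            label=label,
            value=float(m.group("value")),
            uom=m.group("uom"),
            warn=_num(fields[0]), crit=_num(fields[1]),
            minimum=_num(fields[2]), maximum=_num(fields[3]),
        ))
    return items


def parse_check_output(line: str) -> CheckResult:
    """Split 'STATE - message|perfdata' into its parts (perfdata may be absent)."""
    text, _, perf = line.partition("|")
    state, _, message = text.partition(" - ")
    return CheckResult(state.strip(), message.strip(), parse_perfdata(perf.strip()))


def remaining_days(perf: PerfData) -> int:
    """Seconds-until-expiry perfdata (UOM 's') as whole days."""
    return int(perf.value // 86400)


def expected_state(perf: PerfData) -> str:
    """Re-derive the state from the reported thresholds (less lifetime left is worse)."""
    if perf.crit is not None and perf.value < perf.crit:
        return "CRITICAL"
    if perf.warn is not None and perf.value < perf.warn:
        return "WARNING"
    return "OK"


# Sample line: the output posted above for icinga01 (hostname already redacted there)
SAMPLE = ("OK - icinga01.REDACTED.com expires in 1064 days"
          "|'icinga01.REDACTED.com'=92002173s;23670000;9504000;0;94608000")

if __name__ == "__main__":
    result = parse_check_output(SAMPLE)
    print(result.state, "-", result.message)
    for p in result.perfdata:
        print(f"  {p.label}: {remaining_days(p)} days left, "
              f"warn below {p.warn}s, crit below {p.crit}s -> {expected_state(p)}")
```

Feeding the same parser the `UNKNOWN - Host not found` lines from before the scan yields a result with an empty perfdata list, which is a quick way to tell "not yet scanned" apart from a real expiry problem when these checks are collected in bulk.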

Hi !

Thanks for using the x509 module.
You might have missed the Heading inside the Documentation but we have a Paragraph for Scan Jobs.

I hope this explains how to use this Option enough, if not please say what we could improve :slight_smile:

The link to the ITL template is a little bit ahead of time.
As far as I know it will be included in the coming months with a fresh release of icingaweb2 or with a separate refresh of the ITL itself.

Inside the GitHub documentation you will find steps that describe how to create a command inside the Director to use it as a normal Host Check Command.

For the other command options see here:

Regards

David

1 Like

Will be released with Icinga 2.11 next week. Some challenges within the network stack delayed the release after the RC.

2 Likes

For your self-solved 'icingacli x509 check host --host icinga01' issue: if you would like to have the full FQDN featured as described in your attempt, please don't hesitate to create an issue/feature request on the GitHub page itself.

Best

David

Perfect and thanks. This will complete my deployment.

Hi team, my DevOps team finally automated the installation/configuration of the module on our pipelines and I was able to do the proper testing on my machine. It's an awesome module, but the feature that I needed right away is missing (pointed out by Claudio as well): not being able to delete the records from the UI :frowning:
I had some issues, but more related to how our environment is set up; besides that, it worked like magic.
Keep it up Icinga team.

1 Like

@Isra-El

This is more of a workaround for now, perhaps you can script this into your workflow.
I saw in this blog (mentioned above) the user performs a SQL query and deletes from the database
https://www.claudiokuenzler.com/blog/820/monitoring-ssl-tls-sni-certificates-icingaweb2-x509-module

mysql> DELETE FROM x509_target WHERE hostname = "myhostname.example.com";

Yes, thank you fireheaman, but it is my test environment for now, so there is no need to push that into other environments at the moment. I will play more with this module this week. Have a nice day.

Hey Everyone,

I’m running into some issues using the x509 module.
I’ve setup a jobs.ini like the following - not actual name/subnet:

[example]
cidrs = "172.x.x.x/24"
ports = "443"
schedule = "0 0 * * *"

I imported the ca and ran the following for a scan:

icingacli x509 scan --job example

The scan runs for a minute or two without any input and no targets are found in the db?

MariaDB [x509]> SELECT * FROM x509_target;
Empty set (0.000 sec)

Any thoughts on what the problem might be? I also verified the cert on the host with openssl.

Thanks!
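When a scan job finishes with no rows in `x509_target`, the first thing worth confirming is what the job definition actually expands to. The following Python is an added example for this thread (not the module's own code) that serves both the scan procedure described earlier in the thread and the jobs.ini above: it reads a jobs.ini in the posted format, expands each job's CIDRs and ports into the concrete (address, port) pairs a scanner would probe, and validates the cron schedule has five fields. The embedded sample file is constructed with TEST-NET addresses; comma-separated lists and port ranges such as `8443-8444`, and the exclusion of network/broadcast addresses, are assumptions about the format rather than documented behaviour.

```python
"""Expand an x509 jobs.ini into the concrete targets a scan job would probe.

Added example for this thread, not code from the x509 module.  Assumptions:
cidrs/ports are comma-separated (ports may be ranges like 8443-8444), the
schedule is a 5-field cron expression, and network/broadcast addresses are
not probed.  The sample jobs.ini below is constructed (TEST-NET ranges)."""
import configparser
import ipaddress
from dataclasses import dataclass

SAMPLE_JOBS_INI = """\
[example]
cidrs = "192.0.2.0/28"
ports = "443"
schedule = "0 0 * * *"

[webfarm]
cidrs = "192.0.2.16/30, 198.51.100.8/29"
ports = "443, 8443-8444"
schedule = "30 2 * * *"
"""


@dataclass
class ScanJob:
    name: str
    cidrs: list     # ipaddress network objects
    ports: list     # sorted, de-duplicated ints
    schedule: str   # cron expression


def _unquote(value: str) -> str:
    """jobs.ini values are written with surrounding quotes; strip them."""
    return value.strip().strip('"').strip("'")


def _split_list(value: str) -> list:
    return [item.strip() for item in _unquote(value).split(",") if item.strip()]


def parse_ports(spec: str) -> list:
    """'443, 8443-8444' -> [443, 8443, 8444]; rejects values outside 1..65535."""
    ports = set()
    for item in _split_list(spec):
        lo, _, hi = item.partition("-")
        low, high = int(lo), int(hi or lo)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"port spec out of range: {item!r}")
        ports.update(range(low, high + 1))
    return sorted(ports)


def parse_schedule(spec: str) -> str:
    """Accept only a 5-field cron expression (minute hour dom month dow)."""
    cron = _unquote(spec)
    if len(cron.split()) != 5:
        raise ValueError(f"schedule must have 5 cron fields: {cron!r}")
    return cron


def load_jobs(ini_text: str) -> dict:
    """Parse every [section] of a jobs.ini into a ScanJob keyed by job name."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    jobs = {}
    for name in cfg.sections():
        sec = cfg[name]
        jobs[name] = ScanJob(
            name=name,
            cidrs=[ipaddress.ip_network(c, strict=False) for c in _split_list(sec["cidrs"])],
            ports=parse_ports(sec["ports"]),
            schedule=parse_schedule(sec["schedule"]),
        )
    return jobs


def expand_targets(job: ScanJob) -> list:
    """Every usable host address in every CIDR, crossed with every port."""
    return [(str(addr), port)
            for net in job.cidrs
            for addr in net.hosts()
            for port in job.ports]


if __name__ == "__main__":
    for job in load_jobs(SAMPLE_JOBS_INI).values():
        targets = expand_targets(job)
        print(f"[{job.name}] schedule '{job.schedule}': {len(targets)} targets, "
              f"e.g. {targets[0] if targets else 'none'}")
```

A job that expands to zero targets (for example a typo in the CIDR or an empty port list) explains an empty `x509_target` table without any network troubleshooting; a job that expands to the expected count points instead at connectivity, the PHP extensions mentioned in the replies, or hosts that simply do not answer TLS on those ports.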

Hi !

Sorry for the late reply but did you check for the php recommendations > php 5.4 ?

Maybe some additional libraries are Missing like

php-pcntl (might already be built into your PHP binary)
php-posix (on RHEL/CentOS this is php-process, or rh-php7x-php-process)
php-sockets (might already be built into your PHP binary)

Just a bold guess from my side.

Regards

David

1 Like

Hi @80scyborgninja

any update on your case? Was David's shot in the dark helpful or is your issue still present?

Please let us know if the issue has been solved. In case you have some new insight on your topic and the problem persists, please provide us with that information, so we can help you.

Regards,
Alex

1 Like

Hi,

can I ask for help? I have the following problem and unfortunately I’m not getting anywhere. Module should be installed correctly.
Thanks a lot!

root@icinga:~# icingacli x509 import --file /etc/ssl/certs/ca-certificates.crt
PHP Fatal error: Class 'Icingaweb2\Module\X509\Command' not found in /usr/share/icingaweb2/modules/x509/application/clicommands/ImportCommand.php on line 11

Fatal error: Class 'Icingaweb2\Module\X509\Command' not found in /usr/share/icingaweb2/modules/x509/application/clicommands/ImportCommand.php on line 11

Hi !

Sure you can ask for Help.

As far as I would say from the PHP error, it is “not” correctly installed.
Can you specify where you have installed the module and with what kind of user permissions?
Also an icingacli module list output would be helpful for us.

Regards

David

1 Like

Hello David, thank you!

I loaded the module from the Icinga GitHub and installed it as root; it already appears in Icinga without errors.

MODULE       VERSION  STATE     DESCRIPTION
director     1.7.2    enabled   Director - Config tool for Icinga 2
doc          2.7.3    enabled   Documentation module
globe        1.0.4    enabled   Globe 3D module
grafana      1.3.6    enabled   Grafana - A perfdata visualisation module
incubator    0.5.0    enabled   Incubator provides bleeding-edge libraries
ipl          v0.5.0   enabled   The Icinga PHP library
map          1.1.0    enabled   Map - Visualize your hosts and service status
migrate      2.7.3    disabled  Migrate module
monitoring   2.7.3    enabled   Icinga monitoring module
nagvis       0.0.1    disabled  Nagvis iframe.
pnp          1.0.1    disabled  Timeseries grapher integration for PNP4Nagios
reactbundle  0.7.0    enabled   ReactPHP-based 3rd party libraries
setup        2.7.3    disabled  Setup module
vspheredb    1.1.0    enabled   VMware vSphere DB
x509         1.0.0    enabled   Scan and view X.509 certificate usage

Regards
Manuel

Thanks !

And what is the base OS? RHEL or Debian based?

Oh sorry, it's Ubuntu 18.04.