Expanded and extended options for sslcert #52

Closed
riahc3 opened this issue Nov 7, 2019 · 1 comment

riahc3 commented Nov 7, 2019

Hello

Wanted to add some tips on checking sslcert

  • Instead of rather naming the certificate, I think the check should go against an IP and a port. Directing towards something that might change such as a certificate key-pair name or a certificate thumbprint is not a good practice while aiming directly at an IP (or FQDN) and a port is a better practice.

  • More detailed output. Even if returning an OK, I think the days left should still be shown. Hell, I'd go as far as saying showing the days left AND the date it expires. This allows a quick view on seeing if it expires on a weekday or weekend.

  • Additional checks, such as whether the self-signed cert (if it is self-signed) has a valid CA on the NetScaler

Those are my thoughts.

Thanks

slauger (Owner) commented Nov 7, 2019

Hi riahc3,

thank you very much for your feedback.

> Instead of rather naming the certificate, I think the check should go against an IP and a port. Directing towards
> something that might change such as a certificate key-pair name or a certificate thumbprint is not a good practice
> while aiming directly at an IP (or FQDN) and a port is a better practice.

The original idea of the sslcert subcommand was to create a check command, which allows to check all installed ssl certificates with a single command. This allows monitoring of all ssl certificates on the ADC, w/o the need to update the monitoring when a new certificate is deployed. This is especially useful in "classic enterprise environments", where the monitoring people and the ADC people are working in different departments.

The command fully relies on the information from the api response. There are a bunch of other (and better) monitoring plugins which do SSL testing via TCP/HTTP (e.g. check_http). I don't want to reinvent the wheel here and keep focused on the NITRO api.

> More detailed output. Even if returning an OK, I think the days left should still be shown. Hell, I'd go as far as saying
> showing the days left AND the date it expires. This allows a quick view on seeing if it expires on a weekday or weekend.

That shouldn't be a great problem. Are you able to provide a patch for this?

> Additional checks, such as whether the self-signed cert (if it is self-signed) has a valid CA on the NetScaler

Why do we need the CA of a certificate on the NetScaler? Do you mean a validation of the chain? The NetScaler by default trusts no one.

Cheers, Simon
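
The output format requested in the second bullet (days left plus expiry date and weekday, shown even on OK, for every installed certificate) could look like the following. This is an added example, not code from this thread or from the project; the record keys `name` and `days_left`, the thresholds and the sample certificates are assumptions made for illustration.

```python
from datetime import date, timedelta

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes
LABELS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # locale-independent


def describe(cert, today):
    """One certificate as 'name expires in N days on Ddd YYYY-MM-DD'."""
    days = cert["days_left"]
    expires = today + timedelta(days=days)
    when = f"{WEEKDAYS[expires.weekday()]} {expires.isoformat()}"
    if expires.weekday() >= 5:
        when += " (weekend)"  # flag expiries that fall outside working days
    if days < 0:
        return f"{cert['name']} expired {-days} days ago on {when}"
    return f"{cert['name']} expires in {days} days on {when}"


def check_certs(certs, today, warn_days=30, crit_days=10):
    """Return (exit_code, status_line) covering every certificate, even on OK."""
    if not certs:
        # An empty list means the data source returned nothing usable.
        return UNKNOWN, "UNKNOWN: no certificates returned"
    worst = OK
    parts = []
    for cert in sorted(certs, key=lambda c: c["days_left"]):  # soonest expiry first
        if cert["days_left"] <= crit_days:
            worst = max(worst, CRITICAL)
        elif cert["days_left"] <= warn_days:
            worst = max(worst, WARNING)
        parts.append(describe(cert, today))
    return worst, f"{LABELS[worst]}: " + "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample records; the keys 'name' and 'days_left' are hypothetical.
    sample = [
        {"name": "wildcard.example.test", "days_left": 400},
        {"name": "portal.example.test", "days_left": 30},
    ]
    code, line = check_certs(sample, today=date(2019, 11, 7))
    print(line)
    raise SystemExit(code)
```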
