
SSL Certificate Expiration - SNI capable

For those that deploy SNI when hosting websites you've probably discovered that monitoring the SSL certificate expiration only shows the first certificate in the list.

This check was designed to match the certificate Common Name (CN).

I created an external node for thwack.solarwinds.com


The PowerShell script pulls the node name and returns the number of days until the certificate expires. It also prints more details in the Statistic Message.

UPDATED: Included the Certification Authority in the statistic message detail.


I also created this SSL report that can be imported.

SSL Certificate Expiration - SNI Capable Report.xml

*Updated - 1/25/2016 - Fix bug when no CA was present in the certificate.

*Updated - 3/21/2018 - Updated script significantly to allow for TLS 1.2 only connections. Thanks for the assist sstark85!

Comments

Awesome!!

If I say more, it will belittle how awesome this is

How would I convert this XML file to an application monitor?

nicksw, you'd go to your app template page and import the file.

I'm having trouble getting this template working. I've applied it to an external node, and when I run it or edit the script to get output, I receive the following. No authentication is required when accessing the site, so I'm not sure what else to do. It doesn't appear there's much to do as far as configuration on the component. Any advice?

Get Output Failed:

Output: ==============================================
Exception calling "AuthenticateAsClient" with "1" argument(s): "Authentication failed because the remote party has closed the transport stream."
Message : Error occurred connecting to www.WEBSITENAME.com, Code: Exception calling "AuthenticateAsClient" with "1" argument(s): "Authentication failed because the remote party has closed the transport stream.".exception.innerexception.message
Statistic : 0

I believe the issue is with sites that only support TLS 1.2. This is just based on me feeding in a few different sites that I know support only 1.2 and others that support less than 1.2. I'm not sure what work would be necessary in order to explicitly support 1.2, as this is likely a PowerShell limitation, but I wanted to point it out.

Thanks

Thanks for the heads up. Are any of your sites publicly accessible? If so, would you mind sending me a private message of one of them? I can see if there is something that could be added into the script to explicitly support TLS 1.2 only sites.

Thanks Chad, I've sent you a PM.

I was able to solve the TLS 1.2 issue with a different .net class. If you want to update your template that would be great. If not I will publish a new one if I don't hear back from you.

$HostName = $args[0]

# Get the current date and time
$CurrentDT = Get-Date

# To reach SNI hosts that only accept TLS 1.2, enable TLS 1.2 on the client; the .NET default on
# older frameworks is SSL3/TLS 1.0 only. TLS 1.0/1.1 stay enabled only so that certificates on
# legacy hosts can still be read and reported. SSL3 from the original line is dropped: it is
# broken and no longer served.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -bor [Net.SecurityProtocolType]::Tls11 -bor [Net.SecurityProtocolType]::Tls

try {
    $req = [Net.HttpWebRequest]::Create("https://$HostName")
    # Close the response rather than dropping the response object into the pipeline,
    # where it would be printed into the component output
    $resp = $req.GetResponse()
    $resp.Close()
}
catch {
    Write-Error "Couldn't connect to $HostName - $($_.Exception.Message)"
    # Stop here: a non-zero exit reports the failure instead of a "successful" test with empty values
    exit 1
}

if (!($req.ServicePoint.Certificate)) {
    Write-Error "No Certificate returned on $HostName"
    exit 1
}

$req.Abort()
$certinfo = $req.ServicePoint.Certificate

$returnobj = @{
    HostName     = $HostName;
    Subject      = $certinfo.Subject;
    Thumbprint   = $certinfo.GetCertHashString();
    Issuer       = $certinfo.Issuer;
    SerialNumber = $certinfo.GetSerialNumberString();
    Issued       = [DateTime]$certinfo.GetEffectiveDateString();
    Expires      = [DateTime]$certinfo.GetExpirationDateString();
}

# Get the expiration time left (plain hyphens on the parameter names; the pasted copy had en-dashes)
$TimeLeft = New-TimeSpan -Start $CurrentDT -End ($returnobj.Expires)

Write-Host 'Message.CommonName:' $returnobj.Subject
Write-Host 'Statistic.CommonName:' 0
Write-Host 'Message.Thumbprint:' $returnobj.Thumbprint
Write-Host 'Statistic.Thumbprint:' 0
Write-Host 'Message.CreationDate:' $returnobj.Issued
Write-Host 'Statistic.CreationDate:' 0
Write-Host 'Message.ExpirationDate:' $returnobj.Expires
Write-Host 'Statistic.ExpirationDate:' $TimeLeft.Days
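As an added example (not the template's or sstark85's code) that ties the thread's failure modes together: it connects to the node address but sends the SNI name separately (so a node given as a bare IP or short name still reaches the right virtual host), passes the TLS protocols explicitly instead of relying on the one-argument AuthenticateAsClient defaults, reads the certificate even when the chain does not validate, matches the name against CN and SAN as the original post says the check was designed to, and exits non-zero so a connection failure is reported as Down rather than a successful test with empty output. The parameters $Target, $SniName and $Port, the Statistic names and the English "DNS Name=" wording of the SAN extension are assumptions.

```powershell
param([string]$Target, [string]$SniName, [int]$Port = 443)
if (-not $SniName) { $SniName = $Target }   # SNI name defaults to the node address

function Get-RemoteCertificate([string]$Target, [string]$SniName, [int]$Port) {
    $tcp = New-Object Net.Sockets.TcpClient($Target, $Port)
    try {
        # Accept any chain here so expired or untrusted certificates can still be read and reported
        $cb  = [Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        # SNI name and protocols are passed explicitly; the one-argument AuthenticateAsClient
        # overload uses the framework defaults, which on older .NET exclude TLS 1.2
        $ssl.AuthenticateAsClient($SniName, $null, [Security.Authentication.SslProtocols]'Tls12,Tls11,Tls', $false)
        return New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Get-CertDnsNames($Cert) {
    $names = @()
    if ($Cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {  # Format($false) renders "DNS Name=a.example.com, DNS Name=*.example.com" on English Windows (assumed)
        $names += @([regex]::Matches($san.Format($false), 'DNS Name=([^,]+)') | ForEach-Object { $_.Groups[1].Value.Trim() })
    }
    return $names
}

function Test-CertName([string]$Name, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $Name) { return $true }
        if ($n.StartsWith('*.')) {   # a wildcard covers exactly one leftmost label
            $suffix = $n.Substring(1)
            $rest   = $Name.Substring(0, [Math]::Max(0, $Name.Length - $suffix.Length))
            if ($Name.EndsWith($suffix) -and $rest -and $rest -notmatch '\.') { return $true }
        }
    }
    return $false
}

try {
    $cert = Get-RemoteCertificate $Target $SniName $Port
} catch {
    Write-Host "Message.Error: $Target (SNI $SniName): $($_.Exception.Message)"
    Write-Host "Statistic.Error: 1"
    exit 1   # non-zero exit marks the component Down instead of "succeeded with empty output"
}
$days  = [int][Math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
$match = Test-CertName $SniName (Get-CertDnsNames $cert)
Write-Host "Message.ExpirationDate: $($cert.NotAfter) ($days days left, issuer $($cert.Issuer))"
Write-Host "Statistic.ExpirationDate: $days"
Write-Host "Message.NameMatch: $SniName matched certificate names: $match"
Write-Host "Statistic.NameMatch: $([int]$match)"
exit 0
```

Pass the node address as the first argument and the expected site name as the second; a Statistic.NameMatch of 0 means the virtual host answered with a certificate for a different name, which is exactly what the CN check in the original post was meant to catch.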

I'll work on getting this updated. thx!

Hi chad.every,

Initially I was using the old version of this template, so for nodes using TLS 1.2 the monitor was not working as expected and was showing down, but with the updated version they are in GREEN state now.

It was working perfectly fine until it went down for 20 mins and created a critical ticket; however, the certificate was still not even close to expiring. The error was as follows:

for Exception calling "GetResponse" with "0" argument(s): "The request was aborted: Could not create SSL/TLS secure channel.", Node.Caption: XXXXXXX.

Expires in -1 days.

Now I was wondering if the following could be the cause of this false positive:

1.) In the initial version we made use of the NodeName variable as an argument, but here in the updated version we didn't use any argument.

2.) For a few nodes we don't use the complete name as in Nodename.Domainname; rather we just use Nodename. (Wondering if this can be a cause.)

But the noticeable point here is that the monitor is again showing green; had that been the cause it would still be in DOWN state. Could you please help with a suggestion in order to avoid the false positives?

sstark85

I was getting the same issue and it got fixed with the solution provided by you, thanks a ton!!

It had been pending for a long time.

Thank you so much sstark85 and chad.every.

Regards

Rahul Bajpai

This is answered by sstark85

I'm running the application template, downloaded today, applied to 4 hosts with SNI. The application template is running awesomely. However, the report you link to, which was also downloaded today, does not return any of the results. What am I doing wrong?

Hello Chad,

As I am new to SolarWinds monitoring, I am not able to see the option SSL Certificate Expiration - SNI Capable in Create Template... Can you please give me step-by-step configuration? I was able to see SSL Certificate Expiration Date Monitor and it does not show SNI capable.

NPM version is 12.2 and SAM version is 6.4.

Thanks in Advance..

vakarkare, there are two ways to import this SSL SNI template.

1. Download the file by clicking the download link at the bottom of the original post. Or this is the direct link. You would then need to import it into SAM. This article outlines the steps needed to do that.

2. Or, you can import it directly in SAM. This article shows how that can be done, start with the section that is titled Import a Template.

Hello Chad,

Thank you for quick reply. Did the same as instructed and the template got added in SAM.

When I am testing with the SSL - SNI template it gives the below message.

Get Output Failed:

Output: ==============================================
Exception calling ".ctor" with "2" argument(s): "No such host is known"
Message : Error occurred connecting to xxx.xxx.xxx.xx. , Code: Exception calling ".ctor" with "2" argument(s): "No such host is known".exception.innerexception.message
Statistic : 0

This SSL URL has multiple certificates, but when tested in Nagios monitoring it showed the exact result.

Do I just replace the script that you (sstark85) posted into the one I downloaded from this site by Chad, and delete the original contents of the script? When I test, it's successful, but nothing is showing. It doesn't report back anything regarding the certificates.

Output: ==============================================
Message.CommonName:
Statistic.CommonName: 0
Message.Thumbprint:
Statistic.Thumbprint: 0
Message.CreationDate:
Statistic.CreationDate: 0
Message.ExpirationDate:
Statistic.ExpirationDate:
Errors: ==============================================

Here is a sample of the test results, which shows it can't connect to the host, but the test is successful.

Write-Host 'Statistic.ExpirationDate:' $TimeLeft.Days
: Couldn't connect to MYSERVER - Exception calling "GetResponse" with "0" argument(s): "The underlying connection was closed: An unexpected error occurred on a send."
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException

How can I monitor the expiry of installed certificates on a single node? As per the out-of-box templates, I am able to monitor only one certificate out of all of them.

I just applied this to a server to test; it comes back with status unknown but does deliver the output. Any thoughts as to why, or how to fix it?

This is the error I get -

ND Get Output Failed:

Output: ==============================================
Exception calling "AuthenticateAsClient" with "1" argument(s): "The client and server cannot communicate, because they do not possess a common algorithm"
Message : Error occurred connecting to machinename, Code: Exception calling "AuthenticateAsClient" with "1" argument(s): "The client and server cannot communicate, because they do not possess a common algorithm".exception.innerexception.message
Statistic : 0
