20 Replies Latest reply on May 14, 2018 7:29 PM by imcguinness

    nodes for URLs at same location

    imcguinness

      Hi, I have an SSL certificate monitor up and running and it's working well for servers that have one URL, e.g. server x1.company.com has website w1.company.com.

      What I need to do now is monitor several other URLs that are hosted on the one server.

      E.g. server x1.company.com hosts w1.company.com, w2.company.com.au & w3.company.com.au, all at the same IP but all with different SSL certs.

      When I add an external node for w1.company.com it actually creates a node for x1.company.com with a DNS of w1.company.com.

      Testing on this node fails as the URL isn't correct for the site.

      I also cannot then add w2.company.com as an additional node.

       

      Is there a way to create a node that only has the W1.company.com URL and doesn't tie up the IP address for other URLs?

       

      I'll have a proper WMI node for the host itself to monitor the server.

       

      Thanks

      Ian

        • Re: nodes for URLs at same location
          m-milligan

          If you have enough polling engines, you can add each DNS name as a node on a different polling engine.

           

          What I often do in this case is add one node for the actual server that hosts the URLs. I then add an app monitor (HTTP, HTTP, SSL certificate, etc.) for each URL hosted on that server. So you'd have a WMI node for your server, then several SSL certificate monitors:

          w1.company.com

          w2.company.com.au

          w3.company.com.au

            • Re: nodes for URLs at same location
              imcguinness

              Hi, That sounds like a plan.

              I have the server as a node and I have my SSL template, but I can't seem to see how to make the template look at a specific URL.

              I'm using the original template from SW as the basis to my template.

              Any hints or screen grabs appreciated.

              Thanks

              Ian

                • Re: nodes for URLs at same location
                  m-milligan

                  Apologies for the oversight. Here is a custom application monitor template that will do what you need:

                   

                  SSL Certificate Expiration with SNI for specified hostname

                   

                  This app monitor will let you specify the host name for which you want to check the certificate. The monitor will hit the URL "https://(hostname you specified)" and compare that hostname with the FQDN in the certificate that comes back from the site. If they match, it has a status of OK/Up and it shows the number of days remaining on the certificate. If they don't match, it will have a status of Critical.

                   

                  Many thanks to chad.every for creating the app monitor template "SSL Certificate Expiration with SNI", which was the basis for my template.

                  2 of 2 people found this helpful
                    • Re: nodes for URLs at same location
                      imcguinness

                      Thanks a lot for the link. Really appreciate it.

                      Now for the dumb questions. Ready? Here we go.

                      1) Where/how do I specify the URL that I want to test?
                      I can see the line in the script that has WebRequest -> $WebsiteDomain and that $WebsiteDomain -> $args[0], and it looks like the arg is node.dns, which would work for a node that only has one URL on it, but what if the node hosts 10 URLs?

                      2) As a solution for the above, I'm guessing that I put the URL I want to test in the script arguments field.
                      Does that mean that I need to duplicate the template for each URL on my list?

                      3) Lastly, once the template is assigned to the required node(s), would I trigger the alert in a similar way that my old check did?
                      e.g.

                      Thanks for your help and understanding for someone that's learning as I go.

                      Ian

                        • Re: nodes for URLs at same location
                          chad.every

                          So what would be the easiest is to edit the template and add several PowerShell component monitors. Edit the script argument section with the FQDN of the SSL cert you wish to monitor.

                           

                           

                          The template that I have out there has a few of those component monitors already added. Or you can keep using the template that m-milligan created and add the PowerShell monitors and copy/paste the script.

                          SSL Certificate Expiration - SNI capable

                          2 of 2 people found this helpful
                          • Re: nodes for URLs at same location
                            m-milligan

                            (1) You would specify the hostname in the "Script Arguments" field. The script will build a URL from the host name. If you want to test the certificate at "https://myserver.mycompany.com/", you'd put myserver.mycompany.com in the Script Arguments field.

                             

                            (2) I would just assign the template for each URL you want to test, so you'll have multiple instances of the template assigned to your external node. You can also do it as chad.every suggests - add more PowerShell component monitors, and copy the script into each of them. I like my approach because it's less cutting and pasting. Both approaches will accomplish what you need though - testing the URLs and reporting on the status of the certificate.

                             

                            (3) It will trigger an alert the same as the out-of-the-box SSL Certificate monitor. That is, it will:

                             

                            (a) Have a status of "Down" if it can't connect to the host at all.

                            (b) Have a status of "Warning" or "Critical" if the number of days remaining on the certificate is less than the thresholds (by default, <90 days remaining sets the status to Warning, <30 days remaining sets the status to Critical).

                            (c) Have a status of "Critical" if the certificate subject does not match the host name in the Script Arguments field.

                            2 of 2 people found this helpful
                            • Re: nodes for URLs at same location
                              imcguinness

                              First off, I'd like to say, without getting weird, love you guys. I'm learning so much from these forums.

                              Now, just to confirm that I understand/extrapolated correctly,

                              If I had a situation like this:

                              Node1 hosts website 1, 2 & 3

                              Node2 hosts website 4, 5 & 6

                              I could either have 2 copies of the template with 3 copies of the PowerShell component monitors for each website and assign the template to the correct node

                              OR

                              have 6 copies of the template (one for each website) and assign them to the appropriate node.

                               

                              If I went with option 1, does it alert on each website individually?

                              i.e. If website 1 went into warning today and it gave an alert but I haven't replaced the cert yet (so it's still in warning mode) and then website 2 went into warning tomorrow, will it still trigger the 2nd alert or would it say the template is already in warning status and not fire a new alert?

                              I think it will fire the alert as I have a Windows service template that does, but I wanted to be sure.

                                • Re: nodes for URLs at same location
                                  m-milligan

                                  You only need one copy of the template. You'd just assign it 3 times to each node, like this:

                                   

                                  Node 1

                                  Assign template, configure it for website 1

                                  Assign template, configure it for website 2

                                  Assign template, configure it for website 3

                                   

                                  Node 2

                                  Assign template, configure it for website 4

                                  Assign template, configure it for website 5

                                  Assign template, configure it for website 6

                                   

                                  Or you could make a copy of the template and add PowerShell component monitors as described previously. Assign that template to your node, and edit as many components as you need for website monitoring. If there are unused components, just disable them in the app monitor that you just created.

                                   

                                  If you have one app monitor watching multiple sites, then the app monitor will trigger an alert when any one of those sites fails. If you configure one monitor per site, then only the monitor for that site will trigger an alert if the site fails. I tend to take this approach because it's easier to see at a glance which site has a problem. I don't need to drill into the app monitor to see which component has a problem.

                                    • Re: nodes for URLs at same location
                                      imcguinness

                                      Oh, cool. I didn't realise I could apply overrides to the template once it was assigned to a node.

                                      I have tried both templates applied to the (internal server but set up as an external) node and overridden the arg to be one of the sites on the server, and both are failing to connect to the site.

                                       

                                      chad.every's version when tested returns:

                                      COMPONENT TEST RESULT DETAILS

                                      Output: ==============================================

                                      Exception calling ".ctor" with "2" argument(s): "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 123.123.0.123:443"

                                      Message : Error occurred connecting to site.domain.com.au, Code: Exception calling ".ctor" with "2" argument(s): "A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 123.123.0.123:443".exception.innerexception.message

                                      Statistic : 0

                                       

                                      and m-milligan's version gave:

                                      Output: ==============================================

                                      Statistic: -1

                                      Message: Exception calling "GetResponse" with "0" argument(s): "Unable to connect to the remote server", Hostname: site.domain.com.au

                                       

                                      Bringing the site up manually works and the cert is valid till 9th of November 2019.

                                      Should this work no matter what type of cert it is using?

                                      Are there any key details I should be looking at?

                                      The default SSL cert check works for any of my sites that are one to one for the node, e.g. node x.domain.com hosts website x.domain.com, and the certs should all be of the same type.

                                       

                                      Ian

                                        • Re: nodes for URLs at same location
                                          m-milligan

                                          Are there any firewall rules that would prevent your polling engine(s) from getting to the base URLs for those domains? If you open a browser on the polling engine that handles this app monitor, can you browse to (for example) https://123.123.0.123:443 ? If you can, does the browser throw up any warnings about the certificate, etc.?

                                           

                                          Can you post a screenshot of the configuration of one or both app monitors, please?

                                            • Re: nodes for URLs at same location
                                              imcguinness

                                              Hmmm.. it looks like a local firewall rule was blocking the SolarWinds server from getting to the site(s), even though they are on the same subnet and domain and my PC was on a different subnet.

                                              Anyway, that's fixed.

                                               

                                              I tested the two templates again,

                                              Chad's version gave:

                                              SSL Certificate Expiration - SNI capable

                                              Output: ==============================================

                                              Message : Website: site.domain.com.au, Certificate Expiration: 11/09/2019 14:55:21, Common Name: CN=site, Certificate Authority: Unable to parse Certificate Authority

                                              Statistic : 554

                                               

                                              Your version gave:

                                              SSL Certificate Expiration with SNI for specified hostname

                                              Output: ==============================================

                                              Statistic: -1

                                              Message: Exception calling "GetResponse" with "0" argument(s): "The remote server returned an error: (401) Unauthorized.", Hostname: site.domain.com.au

                                               

                                              Both my PC and the SolarWinds server are unauthorized to access this site but should still get a web page saying that.

                                              When testing in a browser they both get the info page with the correct cert.

                                                • Re: nodes for URLs at same location
                                                  HolyGuacamole

                                                  If the web platform is IIS, you can simply use the AppInsight for IIS template. It monitors all the associated certs via the template. You will find an example below

                                                   

                                                  http://oriondemo.solarwinds.com/Orion/APM/IisBlackBox/IisSiteDetails.aspx?NetObject=ABIS:140

                                                  • Re: nodes for URLs at same location
                                                    m-milligan

                                                    I suspect that both templates are encountering the same error, just reporting it differently. I also suspect that this is a symptom of the difference between a browser requesting a web page and a PowerShell script calling a web page. You mentioned that your PC isn't authorized. The browser handles that error gracefully - it shows you the info page and lets you examine the certificate details anyway. The PowerShell web request isn't as graceful - it sees the error code coming back from the server and throws up its hands. Is it possible to test the scripts from an authorized host?

                                                    • Re: nodes for URLs at same location
                                                      m-milligan

                                                      Try the new template I posted here: SSL Certificate Expiration for specified URL any HTTP response

                                                       

                                                      This template will try to read the certificate details even if the server returns an HTTP status that is not 200/OK. This will let you check the certificate on a server that demands a login or returns 401/Not Authorized.

                                                        • Re: nodes for URLs at same location
                                                          imcguinness

                                                          Yes, it's a bit odd.

                                                          I'll give your new version a go in a minute.

                                                          I had modified Chad's version to have 14 sites (13 disabled by default) and also modified it to have the port number as a variable (default script arguments ${Node.Caption},443 with the port variable as $args[1]).

                                                          I was moving ahead with the one from Chad, which seems to work and reports the correct number of days, but I just tried to apply it to a new node. This node is an actual server (not external load balanced touch point) and has one website on it on port 443.

                                                          I have tried leaving it as default arguments as well as putting the site name in place of the node caption and I keep getting an error:

                                                           

                                                           

                                                           

                                                           

                                                          Output: ==============================================

                                                          Exception calling "AuthenticateAsClient" with "1" argument(s): "A call to SSPI failed, see inner exception."

                                                          Message : Error occurred connecting to confluence, Code: Exception calling "AuthenticateAsClient" with "1" argument(s): "A call to SSPI failed, see inner exception.".exception.innerexception.message

                                                          Statistic : 0

                                                           

                                                          Don't think I have broken something.

                                                          The default SolarWinds SSL test works fine on this node so I know the cert works and that SolarWinds can see it and test it.

                                                           

                                                          Tested on a different actual server which has multiple sites. I tested on one site on port 8050 and it worked fine. Tested another site on 443 and it also worked fine, so the test seems to work fine.

                                                           

                                                          The actual site comes up fine in a browser and has a valid cert with a long life.

                                                          Also tested from the SolarWinds server and the site comes up correctly with valid certs.

                                                           

                                                          Going to load the new version now.

                                                          Thanks

                                                          Ian

                                                            • Re: nodes for URLs at same location
                                                              imcguinness

                                                              Ok, so the new version works with the new (Win 2016, dedicated host to one site on 443) server. WooHoo.

                                                              Now if I modify your script to allow specific ports and then duplicate to allow multiple sites per host it should be good.

                                                               

                                                              Step 1: I'll add a port argument (${Node.caption},443)

                                                              Step 2: I'll add a variable to line 2 of the script ($URLPort = $args[1])

                                                              Step 3: add the port variable to the Initialize web request section of the script ([Net.HttpWebRequest] $WebRequest = [Net.HttpWebRequest]::Create("https://$TestURL:$URLPort"))

                                                               

                                                              Bugger, that didn't work..

                                                              I'm sure I'm doing something basic wrong.

                                                              Reverted back to the original and tried just putting the port number in the arguments like a URL minus the https:// (website:8050).

                                                              Got a test successful but with an error inside:

                                                               

                                                              Output: ==============================================

                                                              Statistic: -1

                                                              Message: Cannot convert value "19/05/2016 9:58:46 AM" to type "System.DateTime". Error: "String was not recognized as a valid DateTime.", Hostname: AuthorisationService.greater.com.au

                                                               

                                                              That date listed is the start date of the cert and is in the Australian normal dd/mm/yyyy format.

                                                              The 2016 server I tested on before still works fine and doesn't list an error, but I wonder if that's because its date is 07/05/2023 and the test doesn't realize the format is dd/mm.

                                                              Just checked against the statistic and it thinks it's the 5th of July, not the 7th of May.

                                                              How would I get the script to recognise the date in the correct (Australian) format?
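Why the string in step 3 above does not parse, and one way to build the request URL from the two script arguments. This is an added example, not code from either template: `New-MonitorUri` is a hypothetical helper and the host and port values at the end are constructed.

```powershell
# Added example, not part of the posted templates.
# New-MonitorUri is a hypothetical helper name.
function New-MonitorUri {
    param(
        [Parameter(Mandatory)] [string] $TestURL,   # host name, e.g. $args[0]
        [string] $URLPort = '443'                    # port, e.g. $args[1]
    )

    # Accept only a bare DNS name or IP literal. A value such as
    # "website:8050" or "https://website/" is rejected here instead of
    # being silently folded into the URL.
    if ([Uri]::CheckHostName($TestURL) -eq [System.UriHostNameType]::Unknown) {
        throw "Not a valid host name: '$TestURL'"
    }

    # The port arrives as text from the Script Arguments field; validate it.
    $port = 0
    if (-not [int]::TryParse($URLPort, [ref] $port) -or $port -lt 1 -or $port -gt 65535) {
        throw "Not a valid TCP port: '$URLPort'"
    }

    # "https://$TestURL:$URLPort" is a parse error: inside a double-quoted
    # string PowerShell reads "$TestURL:" as the start of a drive- or
    # scope-qualified variable reference (the same syntax as $env:PATH).
    # Braces end the variable name before the colon.
    [Uri] "https://${TestURL}:$port/"
}

# Constructed values for illustration.
$uri = New-MonitorUri -TestURL 'site.domain.com.au' -URLPort '8050'
'{0} (host {1}, port {2})' -f $uri.AbsoluteUri, $uri.Host, $uri.Port
```

The resulting `[Uri]` can be passed straight to `[Net.HttpWebRequest]::Create()`.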

                                                                • Re: nodes for URLs at same location
                                                                  imcguinness

                                                                  Hi again.

                                                                  I've worked out how to fix the template

                                                                  I changed these two lines:

                                                                          Issued = [DateTime]$certinfo.GetEffectiveDateString();

                                                                          Expires = [DateTime]$certinfo.GetExpirationDateString();

                                                                  to be:

                                                                          Issued = get-date $certinfo.GetEffectiveDateString();

                                                                          Expires = get-date $certinfo.GetExpirationDateString();

                                                                  and it all works correctly now

                                                                  Would seem the date-time request formats to US format.

                                                                  Does this sound right to you?

                                                                  Ian

                                                                  2 of 2 people found this helpful
                                                                    • Re: nodes for URLs at same location
                                                                      m-milligan

                                                                      Sounds right to me! I didn't stop to think that date formats might be an issue.

                                                                       

                                                                      Edit: I've incorporated this change into my template and to the template I posted to the Content Exchange section.
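The date problem discussed above, reproduced offline as an added example (not code from the templates). `Compare-CertDateParsing` is a hypothetical helper; the first sample string is the one from the error message in the thread, and the second pairs the thread's 07/05/2023 date with a constructed time of day.

```powershell
# Added example, not part of the posted templates.
# Both samples are in Australian day-first order (dd/MM/yyyy).
$samples = '19/05/2016 9:58:46 AM', '07/05/2023 9:58:46 AM'

# Hypothetical helper: parse one string two ways and report both results.
function Compare-CertDateParsing {
    param([Parameter(Mandatory)] [string] $Text)

    # 1. A [DateTime] cast always parses with the invariant culture
    #    (month first), whatever the regional settings of the host are.
    #    A day above 12 makes it throw; a day of 12 or less is accepted
    #    with day and month swapped.
    try   { $cast = ([DateTime] $Text).ToString('yyyy-MM-dd') }
    catch { $cast = 'cast failed' }

    # 2. Stating the day-first format explicitly gives the same answer on
    #    every host, independent of its regional settings.
    $exact = [DateTime]::ParseExact(
        $Text,
        'd/MM/yyyy h:mm:ss tt',
        [Globalization.CultureInfo]::InvariantCulture
    ).ToString('yyyy-MM-dd')

    [pscustomobject]@{
        Text          = $Text
        InvariantCast = $cast
        DayFirstParse = $exact
    }
}

$samples | ForEach-Object { Compare-CertDateParsing -Text $_ }
```

`Get-Date` works in the fix above because it converts its string argument using the session's current culture, which matches the culture that `GetExpirationDateString()` formatted the value with. Wrapping the certificate in `X509Certificate2` and reading `NotBefore` and `NotAfter` avoids string parsing altogether, since both are already `DateTime` values.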

                                                                        • Re: nodes for URLs at same location
                                                                          imcguinness

                                                                          Nice.

                                                                          Ok, I've found another issue.

                                                                          I have a site that is site.domain.com.au. I want to put the full path in the test for consistency even though it's an internal system and I could put just site.

                                                                          In a browser the certificate comes up as valid. It's issued to site and has a subject alternative name of site and site.domain.com.au.

                                                                          I've assigned the template and put in the full site.domain.com.au as the argument but it gives an error:

                                                                          Output: ==============================================

                                                                          Statistic: -1

                                                                          Message: Certificate subject mismatch. Requested certificate for site.domain.com.au, certificate on site is for site. Request completed with error: "The remote server returned an error: (401) Unauthorized.""., Hostname: site.domain.com.au

                                                                          I'm guessing that I either need to get the test to look at alternative name or remove that part of the test (not something I'd like to do).

                                                                          Any thoughts on how to get it to do that?

                                                                          Ian

                                                                           

                                                                          Edit: for completeness, I changed the argument to be just site and ran the test again so I can include the output:

                                                                          Output: ==============================================

                                                                          Statistic: 3

                                                                          Message: Domain Name: site, Certificate Common Name: site, Certificate Authority: Internal-CA, DC, Certificate Expiration Date: 05/19/2018 09:58:46. Request completed with error: "The remote server returned an error: (401) Unauthorized.""

                                                                          Which is correct as it's the one that only specific users have access to.

                                                                          This issue also occurs with other internal sites that don't have authorization issues and as such get the same results minus the 401 section.
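One way to make the name check look at the Subject Alternative Name entries, as asked in the last post. This is an added example, not code from any of the templates in the thread: `Get-CertificateDnsName` and `Test-CertificateHostName` are hypothetical helpers, the wildcard handling goes beyond the case in the thread, and the certificate is a constructed self-signed one that mirrors the one described (issued to `site`, SAN entries `site` and `site.domain.com.au`). Building it needs .NET Framework 4.7.2 or later, or PowerShell 7.

```powershell
# Added example, not part of the posted templates.
$x509 = 'Security.Cryptography.X509Certificates'

function Get-CertificateDnsName {
    param([Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    # Subject Alternative Name is extension OID 2.5.29.17.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() renders entries as "DNS Name=host" on English-language
        # Windows and "DNS:host" on OpenSSL-backed platforms. The label is
        # localized on other Windows display languages, so check the raw
        # text there before relying on this pattern.
        [regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    else {
        # No SAN extension: fall back to the subject common name.
        $Certificate.GetNameInfo('SimpleName', $false)
    }
}

function Test-CertificateHostName {
    param(
        [Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string] $HostName
    )
    $labels = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    foreach ($name in @(Get-CertificateDnsName -Certificate $Certificate)) {
        $pattern = $name.ToLowerInvariant().Split('.')
        if ($pattern.Count -ne $labels.Count) { continue }
        # A wildcard counts only as the entire left-most label and never
        # for a name with fewer than three labels.
        $first = if ($pattern[0] -eq '*' -and $labels.Count -gt 2) { 1 } else { 0 }
        $last  = $labels.Count - 1
        if (($pattern[$first..$last] -join '.') -eq ($labels[$first..$last] -join '.')) {
            return $true
        }
    }
    $false
}

# Constructed self-signed certificate standing in for the one in the thread.
$rsa = [Security.Cryptography.RSA]::Create(2048)
$req = New-Object "$x509.CertificateRequest" -ArgumentList @(
    'CN=site', $rsa,
    [Security.Cryptography.HashAlgorithmName]::SHA256,
    [Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sanBuilder = New-Object "$x509.SubjectAlternativeNameBuilder"
'site', 'site.domain.com.au' | ForEach-Object { $sanBuilder.AddDnsName($_) }
$req.CertificateExtensions.Add($sanBuilder.Build($false))
$now  = [DateTimeOffset]::UtcNow
$cert = $req.CreateSelfSigned($now.AddDays(-1), $now.AddDays(3))

# The third name is a constructed negative case.
foreach ($target in 'site', 'site.domain.com.au', 'other.domain.com.au') {
    [pscustomobject]@{
        HostName      = $target
        Match         = Test-CertificateHostName -Certificate $cert -HostName $target
        # NotAfter is already a DateTime, so no date string is parsed.
        DaysRemaining = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    }
}
```

In a monitor script the same two functions would be called on the certificate returned by the web request, wrapped in `X509Certificate2`, in place of the constructed one.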