As most of you probably know, the Nagios plugin check_http can also be used to verify the validity (from the expiration date point of view) of an SSL certificate.
However, if you use SNI (multiple SSL certificates on the same IP address), you have to remember to use the --sni switch. Otherwise the wrong SSL certificate could be shown:
./check_http -H test2.example.com -S -C 30,14
OK - Certificate 'test1.example.com' will expire on 12/23/2014 13:40.
Note the wrong certificate common name.
For SNI enabled web servers, the switch --sni is a must:
./check_http -H test2.example.com -S --sni -C 30,14
OK - Certificate 'test2.example.com' will expire on 12/23/2014 13:42.
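A mismatch like the one above still returns OK, so it is easy to miss. The following is an added example, not part of the original post or of the Nagios plugins: a small wrapper that compares the certificate name printed by check_http with the host that was requested. The function names are hypothetical, and the output format is assumed to be the one shown in the two samples above.

```shell
#!/bin/sh
# Added example: flag a check_http result whose certificate name does not
# cover the host that was asked for (the symptom of a missing --sni).

# Pull <name> out of "... Certificate '<name>' will expire on ...".
cert_name_from_output() {
    printf '%s\n' "$1" | sed -n "s/.*Certificate '\([^']*\)'.*/\1/p" | head -n 1
}

# Return 0 if certificate name $2 covers host $1: exact match, or a
# wildcard "*.domain" standing in for exactly one leading label.
name_matches_host() {
    m_host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    m_name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$m_name" ] || return 1
    [ "$m_host" = "$m_name" ] && return 0
    case "$m_name" in
        \*.*)
            m_suffix=${m_name#\*}                # e.g. ".example.com"
            case "$m_host" in
                *"$m_suffix")
                    m_label=${m_host%"$m_suffix"}
                    case "$m_label" in
                        ""|*.*) return 1 ;;      # empty or multi-label
                        *) return 0 ;;
                    esac ;;
            esac ;;
    esac
    return 1
}

# Nagios-style verdict: 0 = OK, 2 = CRITICAL, 3 = UNKNOWN.
verify_sni_result() {
    v_want=$1
    v_got=$(cert_name_from_output "$2")
    if [ -z "$v_got" ]; then
        echo "UNKNOWN - no certificate name in plugin output"; return 3
    fi
    if name_matches_host "$v_want" "$v_got"; then
        echo "OK - certificate '$v_got' covers $v_want"; return 0
    fi
    echo "CRITICAL - asked for $v_want, got certificate '$v_got' (SNI sent?)"
    return 2
}

# The two outputs shown in this post, both checked against test2.example.com.
verify_sni_result test2.example.com "OK - Certificate 'test1.example.com' will expire on 12/23/2014 13:40." || true
verify_sni_result test2.example.com "OK - Certificate 'test2.example.com' will expire on 12/23/2014 13:42." || true
```

The wrapper only sees the single name check_http prints, so a certificate that covers the host through another name on the certificate would be reported as a mismatch.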
ck from Switzerland wrote on Oct 7th, 2014:
Kevin, your whole SNI setup wouldn't work correctly if you cannot send the Server Name... ? That's how the web server knows which certificate to deliver to the browser. Or what do you mean with "does not allow me to send the ServerName"?
Kevin from wrote on Oct 7th, 2014:
I have a single nagios server monitoring multiple load balanced apache servers. The same 3 SSL certs are on each server and only distinguished using SNI. I have to identify the host by its IP address because of this. This --sni parameter doesn't help me in this situation as it does not allow me to send the ServerName.