4 minutes ago, Jessie Bryan said:
If you're using NET-SNMPd you can use IP-MIB::ipAdEntAddr and IP-MIB::ipConnState to obtain IPs and Port numbers that are in LISTEN state. The rest is pretty straightforward.
That could help in some cases, but not in general. With modern servers, SNI can allow many certificates on one IP. I don't know of any remote check that provides that information in general. SNMP is not necessarily available on all monitored platforms, but if it provided that detail, I would use it of course. I see no solution offhand other than to manually define instances as described. My current work-in-progress output is below -- I still need to figure out how to tell the constructor to specify the FQDN and IP separately.
[mnagel@colby ~]$ groovy getCert.groovy www.google.com 443
Birth: Wed Apr 05 10:04:11 PDT 2017
Death: Wed Jun 28 09:56:00 PDT 2017
Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US
Remaining Days: 69
Lifetime Consumed: 18.1%
The last value is the one we will care about -- that will allow graphs to show the top 10 or top 25 soon-to-expire certificates again, which is impossible now without negating the remaining days value and having to explain why that looks so weird :).
Thanks,
Mark
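One way to handle the point the post leaves open, connecting to an IP while naming the FQDN only in SNI, and then computing the same remaining-days and lifetime-consumed values. This is an added example, not the author's getCert.groovy; the script name getCertSni.groovy, its argument order, the 10-second timeouts and the trust-all manager are assumptions.

```groovy
import javax.net.ssl.*
import java.security.SecureRandom
import java.security.cert.X509Certificate

// Hypothetical usage: groovy getCertSni.groovy <ip> <fqdn> [port]
String ip = args[0]
String fqdn = args[1]
int port = args.length > 2 ? args[2].toInteger() : 443

// Assumption: the probe only reads validity dates, so chain validation is
// skipped (expired or self-signed included). Never reuse this context for data.
def trustAll = [
    checkClientTrusted: { chain, authType -> },
    checkServerTrusted: { chain, authType -> },
    getAcceptedIssuers: { -> new X509Certificate[0] }
] as X509TrustManager
SSLContext ctx = SSLContext.getInstance("TLS")
ctx.init(null, [trustAll] as TrustManager[], new SecureRandom())

// TCP goes to the IP; the FQDN is only used as the SNI name in the ClientHello.
Socket tcp = new Socket()
tcp.connect(new InetSocketAddress(ip, port), 10000)
SSLSocket tls = (SSLSocket) ctx.socketFactory.createSocket(tcp, fqdn, port, true)
SSLParameters params = tls.getSSLParameters()
// SNIHostName rejects IP literals and malformed names with IllegalArgumentException.
params.setServerNames([new SNIHostName(fqdn)])
tls.setSSLParameters(params)
tls.soTimeout = 10000

try {
    tls.startHandshake()
    X509Certificate cert = (X509Certificate) tls.session.peerCertificates[0]
    long now = System.currentTimeMillis()
    long birth = cert.notBefore.time
    long death = cert.notAfter.time
    double remainingDays = (death - now) / 86400000.0d
    // Clamp so not-yet-valid and expired certificates report 0% and 100%.
    double consumed = Math.max(0.0d, Math.min(100.0d, 100.0d * (now - birth) / (death - birth)))
    println "Birth: ${cert.notBefore}"
    println "Death: ${cert.notAfter}"
    println "Subject: ${cert.subjectX500Principal}"
    println "Issuer: ${cert.issuerX500Principal}"
    println "Remaining Days: ${Math.round(remainingDays)}"
    println String.format("Lifetime Consumed: %.1f%%", consumed)
} finally {
    tls.close()
}
```

Running it once per FQDN against the same IP gives one instance per SNI name, which matches the manually defined instances the post describes.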