Forum Discussion

Lewis_Beard
28 days ago
Solved

Multiple 443 SSL Certificates?

I was asked by someone why one of their servers is showing the normal HTTPS cert info, but some other certs (two Intune Connector certs which are also associated with port 443) are not showing up in LogicMonitor.

I dug into the code for SSL_Certificates and I can see from the code in Active Discovery that it can see multiple certs, or it looks at all peerCertificates and generates an instance from the soonest-to-expire peerCertificate on that port, but doesn't generate an instance for all of them. If I'm interpreting it correctly.

I do have the latest version of the LogicModule so I'm guessing we are out of luck. I might write a custom one that shows each cert that comes back from session.getPeerCertificates() as a separate instance. I mean, assuming the contents of session.getPeerCertificates() is what the code implies. I will check shortly.

But in the meantime, I was wondering if there happened to be any datasources or logicmodules for Intune Connector certs or other information? Or am I completely off-base here?

Thanks!


6 Replies

  • The 443 port should only have one SSL cert (or cert-chain) directly used on it. SNI, which allows multiple certs per port, wouldn't apply to SSL_Certificates check since it doesn't provide a hostname in the request.

    Can you provide more details about these certs? Can you see these other certs if you use a browser?

    • Lewis_Beard

      I asked LM support about it and they say that SNI certs aren't supported, so I guess that's it then. I'm going to do some research to see if SNI certs are visible through a WMI query or anything. I saw there was an API and some PowerShell code supplied by Microsoft or someone but it depended on some Azure AD libraries to be installed, and I guess that would make it not work with LM.

  • Well, for SNI to work, from my understanding, you would need to target a specific website, not just the 443 port. Just like if multiple websites are hosted on a single IP, you can't just visit one of the sites via its IP address. So I wonder if it may work if you use LM's Internal Website checks instead?

    I haven't played with Intune connectors (but have used Intune itself), but surprised it even hosts anything on port 443 at all since I thought it was used just to talk with AD.

    • Lewis_Beard

      I'll admit I have no idea. I've not done anything with it. But when I researched Intune it mentioned port 443, and when I asked the team using them about ports (because I saw that LM's datasource just checks common ports) they also told me it was 443.

      But at this point I think we will just move on, I'll make a feature request of LM for something to monitor those, and then on my own if there is any quick and easy way to get to some of that info in a way I can automate, maybe I'll be able to build my own.

      Thanks!
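To make the two replies above concrete: a probe that connects to the bare port with no server name only ever sees the server's default certificate, while a probe that sends each expected hostname in SNI sees the certificate bound to that name, and any per-connection check that keeps only the soonest-to-expire peer certificate collapses the chain to one instance, as the original post describes for SSL_Certificates. The program below is an added example written for this thread; it is not LogicMonitor's module code and not anything posted by the participants. It stands up a loopback TLS server with self-signed certs and hostnames (default.example.test, intune-a.example.test, intune-b.example.test) that are constructed test data, then probes it three ways.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed leaf for host expiring at notAfter.
// Constructed test data only; a real host presents its own issued certs.
func selfSigned(host string, notAfter time.Time) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// StartSNIServer listens on loopback and selects a cert by the SNI name in the
// ClientHello; certs[""] is the default used when the client sends no name,
// which is exactly what a probe of the bare port gets.
func StartSNIServer(certs map[string]tls.Certificate) (net.Listener, error) {
	cfg := &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			c, ok := certs[hello.ServerName]
			if !ok {
				c = certs[""]
			}
			return &c, nil
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				// Finish the handshake so the client sees the cert, then hang up.
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake()
				}
				c.Close()
			}(conn)
		}
	}()
	return ln, nil
}

// PeerCerts connects to addr with the given SNI name ("" sends none, because
// Go omits SNI for IP literals) and returns the presented chain. Verification
// is skipped only because the demo certs are self-signed; an expiry monitor can
// live with that, but never reuse this config for real traffic.
func PeerCerts(addr, sni string) ([]*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

// SoonestExpiry mirrors the reduction described in the thread: of all peer
// certificates on one connection, keep only the one with the earliest NotAfter.
func SoonestExpiry(chain []*x509.Certificate) *x509.Certificate {
	var best *x509.Certificate
	for _, c := range chain {
		if best == nil || c.NotAfter.Before(best.NotAfter) {
			best = c
		}
	}
	return best
}

// CertByName probes addr once per SNI name and reports the CN of the
// soonest-expiring cert each probe received; one probe per name is the fix.
func CertByName(addr string, names []string) (map[string]string, error) {
	out := map[string]string{}
	for _, n := range names {
		chain, err := PeerCerts(addr, n)
		if err != nil {
			return nil, err
		}
		out[n] = SoonestExpiry(chain).Subject.CommonName
	}
	return out, nil
}

func main() {
	day := 24 * time.Hour
	certs := map[string]tls.Certificate{
		"":                      selfSigned("default.example.test", time.Now().Add(30*day)),
		"intune-a.example.test": selfSigned("intune-a.example.test", time.Now().Add(10*day)),
		"intune-b.example.test": selfSigned("intune-b.example.test", time.Now().Add(60*day)),
	}
	ln, err := StartSNIServer(certs)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	names := []string{"", "intune-a.example.test", "intune-b.example.test"}
	seen, err := CertByName(ln.Addr().String(), names)
	if err != nil {
		panic(err)
	}
	for _, n := range names {
		fmt.Printf("SNI %q -> %s\n", n, seen[n])
	}
}
```

Run it and the bare probe reports default.example.test while the two named probes report their own certs; an unknown name falls back to the default. The practical consequence for a monitor is that the list of hostnames to send in SNI has to come from somewhere outside the port scan, which is the same gap the Internal Website suggestion works around.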

  • I realize now that the results of getPeerCertificates isn't the stuff related to Intune Connectors, now that I've printed out the contents.

    But the overall question still stands .... how would one get to the certs for something like that? They are supposedly associated with port 443.


    • Andy_C

      You can, and I have, spun up several webservers on high ports using multiple certs on the same box. They don't do anything other than present the cert and you monitor that.