Pulling all certificates from internal CA
I am just asking the general question to see if anyone has accomplished this beforeI recreate the wheel for our environment. Let me start out with my scripting knowledge is very basic. So what i am trying to accomplish is to pull all certificates signed by our internal CA, that would be pull every day in case new ones are added. The certificates that are about to expire with 30 days, 2 weeks, 1 week would send out alerts to the corresponding escalation chain (once i find out who owns the certificate). Eventually we would have service now create a ticket for the expiring certificate and route to the correct team. The biggest issue is i have no idea what all certificates we have or where they live. I know you can use certutil to grab this data from our internal CA but just wanted to see if any one has already accomplished this or maybe someone figured out an easier way. I havent found anything in the community pointing towards what I'm trying to do, Sorry in advance if i completely missed it or did notunderstand because of my lack of knowledge.Solved342Views12likes1CommentSSL_Certificates DS v1.7 discovery issues
I pulled this version of the DS into my sandbox and tested on a few devices. The discovery task fails catastrophically. Can anyone else confirm? At any rate, be careful when LM changes something so fundamental as the discovery script is such a radical way. I’m in favor of the change (pulling props from the certificate instead of generic labels), but sometimes bad updates get published.68Views8likes0Commentsneed better SDT support for website checks
At this time, you can schedule SDT for website checks from one or more (or all) locations, but you cannot specify which test is in downtime (like you could for a resource datapoint). As a result, if I want to pause SSL expiration warnings, I must also pause ALL checks against the site, which far from ideal. Please fix SDT for website checks to allow selection of all alertable criteria.25Views12likes1CommentPulling SSL certs from a local Certificate store
I am wondering if any one has been able to pull SSL certificate info from a servers local computer certificate store. I can get on the server and run the below PowerShell command and it pulls all of the SSL certificates that i expect. When i create a custom datasource to run this same PowerShell command its only pulling the SSL certificates for my local session. Get-item Cert:\LocalMachine\my\* | select-object certificatedomains,issuer,status,notbefore,subject I can run this command without admin rights, i am suspecting that Logic Monitor is using WMI to run this and for some reason it isnt allow of some sort. I have searched all of the docs and cannot find anything on how to do this. Any help is greatly appreciated.Solved660Views1like4CommentsSimple Check for SSL Cert Expiration Monitoring
Monitoring SSL Certificate expiry days can be done in LogicMonitor by making use of datasourceSSLCerts- (SSL Certificate Expiration). On the side note, SSL Certificate is used for certifying a web server that does the secured socket layer data encryption between a web server and a client (web browser). SSL Certificate is issued by several organizations/companies so called Certificate Authority (CA) for the purpose of providingthelegitimacy of the web servers that encrypt the data for communication. The certificates issued will be digitally-signed by those CA and can be trusted by the client based on Root Certificates installed in the common browsers. It is, however, possible to create a self-signed certificate, which in this case is used for a testing purpose. Data will still be encrypted but the certificate will not be trusted by the client browsers. When a device with SSL Cert installed has been added to LogicMonitor, rightfully that datasource will be auto-applied, as with other normal datasources, and after some collection cycles, the data of the certificate remaining days to expire should appear. Under the circumstances whereby the monitoring does not work as per normal, common recommendation will beto go through the following simple procedures: 1) Device check, whether or not the SSL Certification has been configured properly 2) Accessibility from collector 3) Data collection test from collector 1) For a start is to check if the SSL certificate configuration is properly done in the web server - Each web server may have a different way of setting up the certificate, the following is an example forNGINX & IIS: ssl_certificate "/etc/cert/nginx/private/[cert name].crt"; ssl_certificate_key "/etc/cert/nginx/private/[cert name].key"; - An open port checkwould be goodas well with below output from the check (note: port is bound to any interfaces or possibly only one interface on the web server): Linux: tcp000.0.0.0:4430.0.0.0:* LISTEN Windows: TCP0.0.0.0:4430.0.0.0:0LISTENING 2) The next check will be to access the web server from the collector (obviously the collector must be able to reach to the device where the web server is installed): Note: Collector debug window is needed for this check, please refer to this article:https://www.logicmonitor.com/support/settings/collectors/using-the-collector-debug-facility/ - the main command is simply: !http (help !http will give info for the command itself) $ !http https://10.13.13.9 HTTP response received at at: 2017-03-26 16:28:55.581. Time elapsed: 20ms HTTP/1.1 200 OK Server: nginx/1.10.2 Date: Sun, 26 Mar 2017 08:28:55 GMT Content-Type: text/html Content-Length: 5948 Last-Modified: Wed, 04 Jan 2017 08:44:56 GMT Connection: keep-alive ETag: "586cb608-173c" Accept-Ranges: bytes It showsthat the web server is accessible at port 443 (HTTPS) with response code 200 as follows: 3) The last one will be to check if data can be collected from the collector which is the remaining days to the expiry of the certificate. Collector debug window is still needed for this check. For Linux collector: $ !java -cp ../lib/certexpire.jar CertificateExpire /usr/local/logicmonitor/agent10.13.13.9 10.13.13.9 443true Enable debug SSL cert Get the support protocol, protocols=SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2, Get the enabled protocol, protocols=TLSv1,TLSv1.1,TLSv1.2, Try to send request to server. Request send ... TrustManager: checkServerTrusted got1certs. Auth type: ECDHE_RSA Exception caught - java.security.cert.CertificateException: Certificate received. Certification1[Type: X.509] Issue Date: Mon Jan0217:51:51SGT2017, Expiration Date: Sat Jul0117:51:51SGT2017 Got issue date - Mon Jan0217:51:51SGT2017, expiration date - Sat Jul0117:51:51SGT2017 97 For Windows collector: $ !java -cp ../lib/certexpire.jar CertificateExpire "C:\Program Files (x86)\LogicMonitor\Agent" fspk.lmsupport.com fspk.lmsupport.com 443 true Enable debug SSL cert Get the support protocol, protocols=SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2, Get the enabled protocol, protocols=TLSv1,TLSv1.1,TLSv1.2, Try to send request to server. Request send ... TrustManager: checkServerTrusted got 1 certs. Auth type: DHE_RSA Exception caught - java.security.cert.CertificateException: Certificate received. Certification 1 [Type: X.509] Issue Date: Thu Feb 02 03:16:57 PST 2017, Expiration Date: Sat Feb 02 03:16:57 PST 2019 Got issue date - Thu Feb 02 03:16:57 PST 2017, expiration date - Sat Feb 02 03:16:57 PST 2019 660 - The basic command is: !java and complete format would be: !java -cp ../lib/certexpire.jar CertificateExpire [collector installation folder][device name/IP address] [device name/IP address] 443 true Note: * certexpire.jar is in the library of the collector agent * device name/IP address is the web server that is registered/added into the LogicMonitor portal * collector folder is: either "C:\Program Files (x86)\LogicMonitor\Agent" or /usr/local/logicmonitor/agent The data collected can be verified on the device where the SSL Certificate is installed by accessing the web server in the browser and view the detail of the certificate loaded in the browser as follows: Having gone through all the above-mentioned checks and the results are good, it will produce this monitoring in LogicMonitor as follows:1.2KViews3likes12CommentsCertificate Expiration Notification
Can LogicMonitor notifiy us of certificates on a server that are about to expire? We have several management webservers. You know the type, internal, only used for IT or small department. It may be to manage "X" tool. They all have certificates. I don't care enough about the web server to set up web monitoring but I do monitor the server itself as it is usually a Windows server with several applications on it. Is there a way for logicmonitor to monitor if the certificate is going to expire on the server?10Views0likes2CommentsSSL Cert expiration alerting
Some other monitoring tools provide SSL certificate monitoring to alert for expiring certs. Really wish LogicMonitor had this. +1 if I could use a collector to monitor for private SSL certs that aren't accessible publicly (like for RDS and the like).57Views2likes12Comments