slauger/check_netscaler

Expanded and extended options for sslcert

riahc3 opened this issue · 1 comments

Hello

Wanted to add some tips on checking sslcert

  • Instead of naming the certificate, I think the check should go against an IP and a port. Directing towards something that might change, such as a certificate key-pair name or a certificate thumbprint, is not a good practice, while aiming directly at an IP (or FQDN) and a port is a better practice.

  • More detailed output. Even if returning an OK, I think the days left should still be shown. Hell, I'd go as far as saying showing the days left AND the date it expires. This allows a quick view on seeing if it expires on a weekday or weekend.

  • Additional checks, such as whether the self-signed cert (if it is self-signed) has a valid CA on the NetScaler

Those are my thoughts.

Thanks

Hi riahc3,

thank you very much for your feedback.

> Instead of naming the certificate, I think the check should go against an IP and a port. Directing towards something that might change, such as a certificate key-pair name or a certificate thumbprint, is not a good practice, while aiming directly at an IP (or FQDN) and a port is a better practice.

The original idea of the sslcert subcommand was to create a check command which allows checking all installed SSL certificates with a single command. This allows monitoring of all SSL certificates on the ADC, w/o the need to update the monitoring when a new certificate is deployed. This is especially useful in "classic enterprise environments", where the monitoring people and the ADC people are working in different departments.

The command fully relies on the information from the API response. There are a bunch of other (and better) monitoring plugins which do SSL testing via TCP/HTTP (e.g. check_http). I don't want to reinvent the wheel here and want to stay focused on the NITRO API.

> More detailed output. Even if returning an OK, I think the days left should still be shown. Hell, I'd go as far as saying showing the days left AND the date it expires. This allows a quick view on seeing if it expires on a weekday or weekend.

That shouldn't be a great problem. Are you able to provide a patch for this?

> Additional checks, such as whether the self-signed cert (if it is self-signed) has a valid CA on the NetScaler

Why do we need the CA of a certificate on the NetScaler? Do you mean a validation of the chain? The NetScaler trusts no one by default.

Cheers, Simon
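
The output requested in this thread (days left plus the expiry date with its weekday, shown even for OK) combined with the check-everything-from-one-API-response approach, as an added example that is not check_netscaler's code. The response shape, the `certkey` and `daystoexpiration` field names, the thresholds and the status-line format are assumptions, and the expiry date is derived from the day count.

```python
from datetime import date, timedelta

# Constructed sample shaped like a NITRO sslcertkey listing. The field names
# "certkey" and "daystoexpiration" are assumptions about the API response.
SAMPLE = {"sslcertkey": [
    {"certkey": "wildcard.example.test", "daystoexpiration": 212},
    {"certkey": "portal.example.test", "daystoexpiration": 25},
    {"certkey": "legacy.example.test", "daystoexpiration": 3},
]}

STATES = {0: "OK", 1: "WARNING", 2: "CRITICAL", 3: "UNKNOWN"}
SEVERITY = (0, 1, 3, 2)  # least to most severe: CRITICAL outranks UNKNOWN
WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def check_sslcerts(response, warn_days=30, crit_days=10, today=None):
    """Return (exit_code, status_line) covering every certificate listed."""
    today = today or date.today()
    certs = response.get("sslcertkey") or []
    if not certs:
        return 3, "SSLCERT UNKNOWN - no certificates in API response"
    worst, parts = 0, []
    for cert in certs:
        name = cert.get("certkey", "<unnamed>")
        try:
            days = int(cert["daystoexpiration"])
        except (KeyError, TypeError, ValueError):
            code, text = 3, f"{name} has no usable expiry data"
        else:
            expires = today + timedelta(days=days)
            stamp = f"{WEEKDAYS[expires.weekday()]} {expires.isoformat()}"
            if days <= 0:
                code, text = 2, f"{name} expired ({stamp})"
            else:
                code = 2 if days <= crit_days else 1 if days <= warn_days else 0
                text = f"{name} expires in {days} days ({stamp})"
        worst = max(worst, code, key=SEVERITY.index)
        parts.append((code, text))
    # Most severe first; OK certificates are still listed with days and date.
    parts.sort(key=lambda p: SEVERITY.index(p[0]), reverse=True)
    line = "; ".join(text for _, text in parts)
    return worst, f"SSLCERT {STATES[worst]} - {line}"


if __name__ == "__main__":
    code, line = check_sslcerts(SAMPLE)
    print(line)
    raise SystemExit(code)
```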