What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general.

Learn more

PRTG Network Monitor

Intuitive to Use. Easy to manage.
More than 500,000 users rely on Paessler PRTG every day. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free Download

Top Tags


View all Tags

Reverse proxy Certificate Checking

Votes:

0

Hi,

We've moved to a new method of using SSL, where we use a wildcard cert on a reverse proxy.

Where we had a URL which was basically the hostname, e.g. myjirainstance.mycompany.com to ip 192.168.0.50, We now use that hostname for SSH, and ping related sensors, however the URL for the certificate is now on jira.mycompany.com on ip 192.168.0.30 (reverse proxy) which SSL redirects to myjirainstance.mycompany.com.

So I would still like to keep the certificate monitored, however I am not able to change the URL source for the following sensors:

SSL Certificate Sensor, SSL Security Check

Running PRTG Ver 18.2.41.1652

Best Regards,

http-ssl-certificate-expiry prtg ssl ssl-certificate

Created on Dec 5, 2018 11:00:31 AM



Best Answer

Accepted Answer

Votes:

4

Hi Florian,

Thanks for your reply. I'm actually running a Linux Debian environment, so my use case is a little different, however I've written an "SSH Script Advanced" That will do the job. Hopefully this will help anyone looking for a solution too.

The output should be:

  • Security Rating
  • Certificate Expiry in Days
  • Each protocol set in the variable.

Alternatively to the URL, unhash #URL=($@) and this will let you set the parameters in PRTG.

#!/bin/bash
# Script for Monitoring SSL Certificates using PRTG openssl

# Define URL's for SSL Testing. Array to keep it neat in the output stage.
URL=(www.example.com www.example2.com)
#URL=($@)

# Define TLS Level
Protocol="ssl3 tls1 tls1_1 tls1_2"

# Define URL Port
URLPort=443

# Set Warning & Error for Days before Certificate Expiry
LimitMinDaysWarning=30
LimitMinDaysError=5

# Set Warning & Error for Certificate Strength
RatingWarning="2"
RatingError="1"

# Set Warning & Error for Certificate Availability
AvailWarning="1"
AvailError="2"

# Open PRTG XML Tag
echo "<PRTG>"

# Create Associative Array for output order
declare -A OutputArray=()

# Function for PRTG Expiry result
XMLExpiryOutput() {
cat << XML
<result>
<channel>${URL[$key]} Days to Cert Expiry</channel>
<value>${DaysToExpiry}</value>
<CustomUnit>days</CustomUnit>
<LimitMinWarning>$LimitMinDaysWarning</LimitMinWarning>
<LimitMinError>$LimitMinDaysError</LimitMinError>
</result>
XML
}

# Function for PRTG Security Rating Result
XMLSecurityRating() {
cat << XML
<result>
<channel>${URL[$key]} Security Rating</channel>
<value>${CryptValue}</value>
<ValueLookup>prtg.standardlookups.sslsensor.security</ValueLookup>
<Unit>Custom</Unit>
<LimitMinWarning>${RatingWarning}</LimitMinWarning>
<LimitMinError>${RatingError}</LimitMinError>
</result>
XML
}

XMLProtocolPermissionTLS() {
cat << XML
<result>
<channel>${URL[$key]} ${crypt} ${CryptStrength}</channel>
<value>${Permission}</value>
<ValueLookup>prtg.standardlookups.sslsensor.tls</ValueLookup>
<Unit>Custom</Unit>
<LimitMinWarning>${AvailWarning}</LimitMinWarning>
<LimitMinError>${AvailError}</LimitMinError>
</result>
XML
}

XMLOutput(){

### Finalise Output ###
# Change Order here to adapt output and primary Channel
for item in SecurityRating CertificateExpiry $Protocol
do
	IFS=''
	echo ${OutputArray[$item$key]}
	echo $item $key
done
}

# Test each URL
for key in ${!URL[@]}
do
	# Test Protocol for each URL
	for crypt in ${Protocol}
	do
		### SSL EXPIRY ###
		# Get Expiry Date of Protocol in Seconds
		ExpiryDate=$(date +%s -d "$(echo q | openssl s_client -connect ${URL[$key]}:${URLPort} -${crypt} 2>/dev/null | openssl x509 -noout -enddate | cut -d'=' -f2)")
		# Get Current Date in Seconds
		NowDate=$(date +%s)

		# Calculate Days to Expiry in Seconds, then convert back to days
		SecondsToExpiry=$((${ExpiryDate} - ${NowDate}))
		DaysToExpiry=$((${SecondsToExpiry} / 86400))
		#################

		### SSL Permission ###
		# Test Connection with Protocol
		if `echo q | openssl s_client -connect ${URL[$key]}:${URLPort} -${crypt} 2>/dev/null | grep -q "Server certificate"`
		then
			#Permission=Accepted
			Permission=1
		else
			#Permission=Denied
			Permission=0
			# Continue to next protocol if invalid Protocol
			#continue
		fi

		###########################

		### Set Protocol Strength ###
		case $crypt in
			ssl3) CryptValue='1'; CryptStrength='(Weak)'; OutputArray[$crypt$key]+="$(XMLProtocolPermissionTLS)"
				;;
			tls1) CryptValue='2'; CryptStrength='(Weak)'; OutputArray[$crypt$key]+="$(XMLProtocolPermissionTLS)"
			        ;;
			tls1_1) CryptValue='3'; CryptStrength='(Strong)'; OutputArray[$crypt$key]+="$(XMLProtocolPermissionTLS)"
			        ;;
			tls1_2) CryptValue='3'; CryptStrength='(Perfect)'; OutputArray[$crypt$key]+="$(XMLProtocolPermissionTLS)"
			        ;;
		esac
		#############################

		### SSL SECURITY RATING ###
		# Return First Protocol that matches Permission=1 and its CryptValue.
		# Super Important to keep the Certs in Strength order
		# Adding here so that Security Rating becomes the Primary Channel
		if [[ -z $SecurityRating && $Permission -eq 1 ]];
		then
			OutputArray[SecurityRating$key]+="$(XMLSecurityRating)"
		        SecurityRating=SET
		fi
		###########################
		
	done

# Output the expiry results in PRTG Friendly Format
OutputArray[CertificateExpiry$key]+="$(XMLExpiryOutput)"

# Output to Results for URL
XMLOutput

# Reset Security Rating to Process Another URL
SecurityRating=
#Permission=
#CryptValue=

# Reset IFS to Space
IFS=' '

done

# Close PRTG XML Tag
echo "</PRTG>"
#######################

Created on Dec 11, 2018 11:57:37 AM



2 Replies

Votes:

1

Hi itChi,

Not sure if you can change them that easy - but not to long ago we had a discussion here about monitoring multiple certificates - and I thought this actually might be interesting for you.

https://www.it-admins.com/monitor-multiple-website-certificates-with-a-single-prtg-sensor/ https://kb.paessler.com/en/topic/82416-trying-to-get-multi-result-powershell-as-channels-with-limits

The two links above lead you to the same solution - it's an EXE/Advanced Sensor script that will monitor multiple certificates (well - URLs) with a single sensor - while you inject the URLs as a parameter that later will be changeable.

Hope this helps you at least a bit...

Regards

Florian Rossmark

www.it-admins.com

Created on Dec 5, 2018 2:39:26 PM



Accepted Answer

Votes:

4

Hi Florian,

Thanks for your reply. I'm actually running a Linux Debian environment, so my use case is a little different, however I've written an "SSH Script Advanced" That will do the job. Hopefully this will help anyone looking for a solution too.

The output should be:

  • Security Rating
  • Certificate Expiry in Days
  • Each protocol set in the variable.

Alternatively to the URL, unhash #URL=($@) and this will let you set the parameters in PRTG.

#!/bin/bash
# Script for Monitoring SSL Certificates using PRTG openssl

# Define URL's for SSL Testing. Array to keep it neat in the output stage.
URL=(www.example.com www.example2.com)
#URL=($@)

# Define TLS Level
Protocol="ssl3 tls1 tls1_1 tls1_2"

# Define URL Port
URLPort=443

# Set Warning & Error for Days before Certificate Expiry
LimitMinDaysWarning=30
LimitMinDaysError=5

# Set Warning & Error for Certificate Strength
RatingWarning="2"
RatingError="1"

# Set Warning & Error for Certificate Availability
AvailWarning="1"
AvailError="2"

# Open PRTG XML Tag
echo "<PRTG>"

# Create Associative Array for output order
declare -A OutputArray=()

# Function for PRTG Expiry result
XMLExpiryOutput() {
cat << XML
<result>
<channel>${URL[$key]} Days to Cert Expiry</channel>
<value>${DaysToExpiry}</value>
<CustomUnit>days</CustomUnit>
<LimitMinWarning>$LimitMinDaysWarning</LimitMinWarning>
<LimitMinError>$LimitMinDaysError</LimitMinError>
</result>
XML
}

# Function for PRTG Security Rating Result
XMLSecurityRating() {
cat << XML
<result>
<channel>${URL[$key]} Security Rating</channel>
<value>${CryptValue}</value>
<ValueLookup>prtg.standardlookups.sslsensor.security</ValueLookup>
<Unit>Custom</Unit>
<LimitMinWarning>${RatingWarning}</LimitMinWarning>
<LimitMinError>${RatingError}</LimitMinError>
</result>
XML
}

XMLProtocolPermissionTLS() {
cat << XML
<result>
<channel>${URL[$key]} ${crypt} ${CryptStrength}</channel>
<value>${Permission}</value>
<ValueLookup>prtg.standardlookups.sslsensor.tls</ValueLookup>
<Unit>Custom</Unit>
<LimitMinWarning>${AvailWarning}</LimitMinWarning>
<LimitMinError>${AvailError}</LimitMinError>
</result>
XML
}

XMLOutput(){

### Finalise Output ###
# Change Order here to adapt output and primary Channel
for item in SecurityRating CertificateExpiry $Protocol
do
	IFS=''
	echo ${OutputArray[$item$key]}
	echo $item $key
done
}

# Test each URL
for key in ${!URL[@]}
do
	# Test Protocol for each URL
	for crypt in ${Protocol}
	do
		### SSL EXPIRY ###
		# Get Expiry Date of Protocol in Seconds
		ExpiryDate=$(date +%s -d "$(echo q | openssl s_client -connect ${URL[$key]}:${URLPort} -${crypt} 2>/dev/null | openssl x509 -noout -enddate | cut -d'=' -f2)")
		# Get Current Date in Seconds
		NowDate=$(date +%s)

		# Calculate Days to Expiry in Seconds, then convert back to days
		SecondsToExpiry=$((${ExpiryDate} - ${NowDate}))
		DaysToExpiry=$((${SecondsToExpiry} / 86400))
		#################

		### SSL Permission ###
		# Test Connection with Protocol
		if `echo q | openssl s_client -connect ${URL[$key]}:${URLPort} -${crypt} 2>/dev/null | grep -q "Server certificate"`
		then
			#Permission=Accepted
			Permission=1
		else
			#Permission=Denied
			Permission=0
			# Continue to next protocol if invalid Protocol
			#continue
		fi

		###########################

		### Set Protocol Strength ###
		case $crypt in
			ssl3) CryptValue='1'; CryptStrength='(Weak)'; OutputArray[$crypt$key]+="$(XMLProtocolPermissionTLS)"
				;;
			tls1) CryptValue='2'; CryptStrength='(Weak)'; OutputArray[$crypt$key]+="$(XMLProtocolPermissionTLS)"
			        ;;
			tls1_1) CryptValue='3'; CryptStrength='(Strong)'; OutputArray[$crypt$key]+="$(XMLProtocolPermissionTLS)"
			        ;;
			tls1_2) CryptValue='3'; CryptStrength='(Perfect)'; OutputArray[$crypt$key]+="$(XMLProtocolPermissionTLS)"
			        ;;
		esac
		#############################

		### SSL SECURITY RATING ###
		# Return First Protocol that matches Permission=1 and its CryptValue.
		# Super Important to keep the Certs in Strength order
		# Adding here so that Security Rating becomes the Primary Channel
		if [[ -z $SecurityRating && $Permission -eq 1 ]];
		then
			OutputArray[SecurityRating$key]+="$(XMLSecurityRating)"
		        SecurityRating=SET
		fi
		###########################
		
	done

# Output the expiry results in PRTG Friendly Format
OutputArray[CertificateExpiry$key]+="$(XMLExpiryOutput)"

# Output to Results for URL
XMLOutput

# Reset Security Rating to Process Another URL
SecurityRating=
#Permission=
#CryptValue=

# Reset IFS to Space
IFS=' '

done

# Close PRTG XML Tag
echo "</PRTG>"
#######################

Created on Dec 11, 2018 11:57:37 AM




Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.