Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add riemann-tls-check to monitor TLS certificates #253

Merged
merged 1 commit into from
Jul 7, 2024
Merged

Add riemann-tls-check to monitor TLS certificates #253

merged 1 commit into from
Jul 7, 2024

Conversation

smortex
Copy link
Member

@smortex smortex commented Nov 11, 2022

Add a riemann-tls-check that accept a list of URI of resources to check TLS certificates.

For each URI, resolve the IP addresses that provide the service, and for each IP address perform a TLS handshake and generate events from the certificate:

  1. availability: 🆗/💥 global status of all the following metrics + reachability;
  2. not after: 🆗/💥 + 📉 number of seconds until the certificate is expired;
  3. not before: 🆗/💥 + 📈 number of seconds since the certificate is valid;
  4. identity: 🆗/💥 certificate subject match the URI hostname;
  5. trust: 🆗/💥 validity of the certificate trust chain;
  6. OCSP satus: 🆗/💥 validity of the OCSP status if applicable.

(icons legend: 🆗/💥 => the metric report a status (ok, warning, critical); 📉 + 📈 => the metric report a metric)

A STARTTLS handshake is automatically done for imap://, ldap:// and smtp:// URI.

A protocol specific handshake is done for mysql:// and postgres:// URI.

Limitations

The required API in OpenSSL to check for OCSP Stapling is not currently part of the openssl gem, so this cannot be tested at the moment: ruby/openssl#401

@smortex smortex added the enhancement New feature or request label Nov 11, 2022
@smortex smortex force-pushed the tls branch 4 times, most recently from 2fc9da2 to 7898c49 Compare December 2, 2022 01:22
@smortex smortex changed the title Add riemann-tls-check to monitor TLS resources Add riemann-tls-check to monitor TLS certificates Dec 2, 2022
@smortex smortex force-pushed the tls branch 8 times, most recently from 8d55c7f to c9191bb Compare February 16, 2023 01:35
@smortex smortex mentioned this pull request May 22, 2023
@smortex smortex force-pushed the tls branch 3 times, most recently from fa8f899 to 747df08 Compare May 31, 2024 02:18
@smortex smortex force-pushed the tls branch 2 times, most recently from 06ed682 to 2225906 Compare June 29, 2024 13:03
@smortex smortex marked this pull request as ready for review June 29, 2024 13:04
@smortex
Copy link
Member Author

smortex commented Jun 29, 2024

I have been using this for some time at $WORK. I think it is ready for production!

@smortex smortex force-pushed the tls branch 4 times, most recently from 2ac7246 to 08e8fa9 Compare July 2, 2024 18:49
Add a riemann-tls-check that accept a list of URI of resources to check
TLS certificates. For each URI, resolve the IP addresses that provide
the service, and for each IP address generate 6 events for:

1. availability: state (reachability + status of all the following
   metrics);
2. not after: state + metric (number of seconds until the certificate is
   expired);
3. not before: state + metric (number of seconds since the certificate
   is valid);
4. identity: state (certificate subject match the URI hostname);
5. trust: state (validity of the certificate trust chain);
6. OCSP satus: state (validity of the OCSP status if applicable).

A STARTTLS handshake is automatically done for imap://, ldap:// and
smtp://; a protocol specific handshake is done for mysql:// and
postgres:// URI.
@smortex
Copy link
Member Author

smortex commented Jul 7, 2024

@jamtur01 may I have a review please? I would like to do a new release soon with all the recent changes 😉.

Copy link
Member

@jamtur01 jamtur01 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm

@jamtur01 jamtur01 merged commit 596b74b into main Jul 7, 2024
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants