rbicelli / pfsense-zabbix-template

Zabbix Template for pfSense
Apache License 2.0

Monitoring certificates from Certificate Manager #98

Closed GuillaumeHullin closed 2 years ago

GuillaumeHullin commented 2 years ago

Hi, I would like to add the monitoring of the certificates stored in Certificate Manager. Specifically I would like to have the following trigger in Zabbix:

- Info: "Certificate XXX has been renewed in the past 24h"
- Warning: "Certificate XXX is expiring less than 10 days"
- Average: "Certificate XXX is expiring less than 48 hours"
- High: "Certificate XXX is expired"

So far I made this code to pull all the data needed (via pfSense Diagnostics > Command Prompt):

```php
// print_r($config['ca']);
// print_r($config['cert']);

$arr = array("cert", "ca");
foreach ($arr as $cert_type) {

    echo "============ $cert_type ============\n\n";

    foreach ($config[$cert_type] as $cert) {

        // print_r($cert);
        echo $cert['refid'] . "\n"; // Certificate ID in pfSense
        echo $cert['descr'] . "\n"; // Certificate Name in pfSense

        // 'crt' holds the base64-encoded PEM certificate
        $certinfo = openssl_x509_parse(base64_decode($cert['crt']));
        // print_r($certinfo);
        echo $certinfo['validFrom_time_t'] . " >> " . date('Y-m-d H:i:s', $certinfo['validFrom_time_t']) . "\n"; // valid from Epoch
        echo $certinfo['validTo_time_t'] . " >> " . date('Y-m-d H:i:s', $certinfo['validTo_time_t']) . "\n"; // valid until Epoch
        echo "\n\n";

    }
}
```

I'm thinking to use refid as index in Zabbix discovery. The items validFrom and validTo would be the only data to be pulled as items...

I will attempt to make the code for pfsense_zbx.php soon... anything I'm missing in the logic before I start?

rbicelli commented 2 years ago

Hi, to me the logic is ok, but instead of monitoring every single certificate I would do an overall check: item: cert_status (0=OK,1=WARNING,2=AVERAGE,3=CRITICAL)

Triggers:

- Info: "One or More Certificates have been renewed in the past 24h"
- Warning: "One or More Certificates are expiring less than 10 days"
- Average: "One or More Certificates are expiring less than 48 hours"
- High: "One or More Certificates are expired"

In this way the number of monitored items will stay low.

From an admin perspective I would like to be notified if certificate(s) on pfsense need attention, no matter which one: in any case the fix would require a manual intervention (renewing the cert via web GUI).
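As an added example (not code from the repository or from either commenter), this is one way to reduce all certificates to the single cert_status value proposed above, using the thresholds named in the thread. The function names, the separate `renewed` flag and the choice to treat an unparsable certificate as critical are assumptions; the sample entries are constructed and mimic the fields returned by `openssl_x509_parse()`.

```php
<?php
// Added example. Status scale from the thread:
// 0=OK, 1=WARNING (<10 days left), 2=AVERAGE (<48 hours left), 3=CRITICAL (expired).
const CERT_OK = 0;
const CERT_WARNING = 1;
const CERT_AVERAGE = 2;
const CERT_CRITICAL = 3;

// Classify one certificate from its notAfter timestamp (epoch seconds).
function cert_status(int $validTo, int $now): int {
    $left = $validTo - $now;
    if ($left <= 0)         return CERT_CRITICAL; // already expired
    if ($left < 48 * 3600)  return CERT_AVERAGE;  // less than 48 hours
    if ($left < 10 * 86400) return CERT_WARNING;  // less than 10 days
    return CERT_OK;
}

// Reduce parsed certificates to the worst status plus a "renewed in 24h" flag.
// Each element is what openssl_x509_parse() returned: an array, or false.
function cert_summary(array $parsed, int $now): array {
    $summary = ['status' => CERT_OK, 'renewed' => 0];
    foreach ($parsed as $info) {
        if (!is_array($info)) {
            // Assumption: a certificate that cannot be parsed needs attention.
            $summary['status'] = CERT_CRITICAL;
            continue;
        }
        $status = cert_status((int) $info['validTo_time_t'], $now);
        $summary['status'] = max($summary['status'], $status);
        $age = $now - (int) $info['validFrom_time_t'];
        if ($age >= 0 && $age < 86400) {
            $summary['renewed'] = 1; // issued within the past 24 hours
        }
    }
    return $summary;
}

// On pfSense the input would be built from the config, as in the snippet above:
//   array_map(function ($c) { return openssl_x509_parse(base64_decode($c['crt'])); },
//             array_merge($config['cert'], $config['ca']));
$now = 1700000000; // constructed "current time" for the sample
$sample = [        // constructed entries, not real certificates
    ['validFrom_time_t' => $now - 200 * 86400, 'validTo_time_t' => $now + 165 * 86400],
    ['validFrom_time_t' => $now - 3600,        'validTo_time_t' => $now + 90 * 86400],
    ['validFrom_time_t' => $now - 360 * 86400, 'validTo_time_t' => $now + 5 * 86400],
];
print_r(cert_summary($sample, $now));
```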

GuillaumeHullin commented 2 years ago

@rbicelli I agree, it makes more sense. I'll work on that and propose a pull request when it works.

GuillaumeHullin commented 2 years ago

@rbicelli ok I'm sorry in advance for my stupid question and it's kinda unrelated to this issue... but could you point me to some good resources where I could learn how to properly do a pull request to your repo... the code for the issue is ready and it's working :) I did on my fork but now I want to pull my changes from my fork to your repo... but I don't want to pull all the changes I did (because some are very specific to my Zabbix server organization)

rbicelli commented 2 years ago

Hello, I think if you are submitting a PR from your fork you will also submit the modifications you did for your specific organization.

I think the right path for doing things right should be:

  1. Fork my repo
  2. Create new branch for your org (e.g. my_org)
  3. Create new branch from master (e.g. feature_cert_monitor)
  4. Work and commit in the feature branch
  5. Submit the PR from your feature branch to my repo
  6. Merge the feature branch with my_org branch

Please note that although I use git on a daily basis I'm a basic user, so I may be missing some points.

GuillaumeHullin commented 2 years ago

Thanks for the advice :) I just made a pull request now with all modifications that might interest your repo.