slauger / check_netscaler

A Nagios Plugin written in Perl for the Citrix ADC (formerly Citrix NetScaler). It uses the NetScaler NITRO API.

Expanded and extended options for sslcert #52

Closed riahc3 closed 4 years ago

riahc3 commented 5 years ago

Hello

Wanted to add some tips on checking sslcert

Those are my thoughts.

Thanks

slauger commented 5 years ago

Hi riahc3,

thank you very much for your feedback.

> Instead of rather naming the certificate, I think the check should go against an IP and a port. Directing towards something that might change such as a certificate key-pair name or a certificate thumbprint is not a good practice while aiming directly at an IP (or FQDN) and a port is a better practice.

The original idea of the sslcert subcommand was to create a check command, which allows to check all installed ssl certificates with a single command. This allows monitoring of all ssl certificates on the ADC, w/o the need to update the monitoring when a new certificate is deployed. This is especially useful in "classic enterprise environments", where the monitoring people and the ADC people are working in different departments.

The command fully relies on the information from the api response. There are a bunch of other (and better) monitoring plugins which do SSL testing via TCP/HTTP (e.g. check_http). I don't want to reinvent the wheel here and keep focused on the NITRO api.

> More detailed output. Even if returning an OK, I think the days left should still be shown. Hell, I'd go as far as saying showing the days left AND the date it expires. This allows a quick view on seeing if it expires on a weekday or weekend.

That shouldn't be a great problem. Are you able to provide a patch for this?

> Additionally checks such as if the self sign cert (if it is a self sign) has a valid CA on the Netscaler

Why do we need the CA of a certificate on the NetScaler? Do you mean a validation of the chain? The NetScaler by default trusts no one.

Cheers, Simon
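
An added illustration of the output discussed in this thread, not part of either comment and not code from check_netscaler: one check over every certificate in an API response that reports days left and the expiry weekday and date even when the state is OK. The sample response, the field names `certkey` and `daystoexpiration`, the function name `check_sslcerts` and the 30/10 day thresholds are assumptions made for the example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use JSON::PP qw(decode_json);
use POSIX qw(strftime);

# Constructed sample shaped like a NITRO "sslcertkey" response; all values are made up.
my $response = decode_json(<<'JSON');
{ "errorcode": 0, "sslcertkey": [
  { "certkey": "example-wildcard", "daystoexpiration": 212 },
  { "certkey": "example-intranet", "daystoexpiration": 25 },
  { "certkey": "example-legacy",   "daystoexpiration": 4 }
] }
JSON

# Evaluate every certificate in the response against day thresholds and
# return (exit code, status line) in Nagios plugin format.
sub check_sslcerts {
    my ($certs, $warn, $crit, $now) = @_;
    my @label = qw(OK WARNING CRITICAL UNKNOWN);
    my ($worst, @details, @perfdata) = (0);
    for my $cert (sort { $a->{daystoexpiration} <=> $b->{daystoexpiration} } @$certs) {
        my $days  = $cert->{daystoexpiration};
        my $state = $days < $crit ? 2 : $days < $warn ? 1 : 0;
        $worst = $state if $state > $worst;
        # Expiry date is derived from the day count, so it is accurate to about a day.
        # The weekday shows at a glance whether expiry falls on a weekend.
        my $date = strftime('%a %Y-%m-%d', gmtime($now + $days * 86400));
        my $flag = $state ? ' [' . $label[$state] . ']' : '';
        push @details, sprintf('%s: %d days left (expires %s)%s',
            $cert->{certkey}, $days, $date, $flag);
        # Nagios range "N:" means "alert when the value drops below N".
        push @perfdata, sprintf("'%s'=%d;%d:;%d:", $cert->{certkey}, $days, $warn, $crit);
    }
    return (3, 'UNKNOWN - no certificates in API response') unless @details;
    return ($worst, sprintf('%s - %s | %s', $label[$worst],
        join('; ', @details), join(' ', @perfdata)));
}

my ($code, $line) = check_sslcerts($response->{sslcertkey}, 30, 10, time);
print "$line\n";
exit $code;
```

Certificates are listed soonest-to-expire first, so the entry that drives the overall state leads the status line.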