X509 Certificate

The X509 Certificate Monitoring Connector is used to monitor how much time is left before X509 certificates expire.

Pack assets

Templates

The Monitoring Connector X509 Certificate brings a host template:

• App-Protocol-X509-custom

The connector brings the following service templates (sorted by the host template they are attached to):

App-Protocol-X509-custom

Service Alias	Service Template	Service Description
X509-Certificate	App-Protocol-X509-Certificate-custom	Check expiration date of a X509 certificate

The services listed above are created automatically when the App-Protocol-X509-custom host template is used.

Collected metrics & status

Here is the list of services for this connector, detailing all metrics linked to each service.

X509-Certificate

Metric name	Unit
status	N/A

Prerequisites

The monitored resource must support HTTPS and present a X509 certificate.

Installing the monitoring connector

Pack

1. If the platform uses an online license, you can skip the package installation instruction below as it is not required to have the connector displayed within the Configuration > Monitoring Connectors Manager menu. If the platform uses an offline license, install the package on the central server with the command corresponding to the operating system's package manager:

Alma / RHEL / Oracle Linux 8

dnf install centreon-pack-applications-protocol-x509

Alma / RHEL / Oracle Linux 9

dnf install centreon-pack-applications-protocol-x509

Debian 11

apt install centreon-pack-applications-protocol-x509

CentOS 7

yum install centreon-pack-applications-protocol-x509

2. Whatever the license type (online or offline), install the X509 Certificat connector through the Configuration > Monitoring Connectors Manager menu.

Plugin

Since Centreon 22.04, you can benefit from the 'Automatic plugin installation' feature. When this feature is enabled, you can skip the installation part below.

You still have to manually install the plugin on the poller(s) when:

• Automatic plugin installation is turned off
• You want to run a discovery job from a poller that doesn't monitor any resource of this kind yet

More information in the Installing the plugin section.

Use the commands below according to your operating system's package manager:

Alma / RHEL / Oracle Linux 8

dnf install centreon-plugin-Applications-Protocol-X509

Alma / RHEL / Oracle Linux 9

dnf install centreon-plugin-Applications-Protocol-X509

Debian 11

apt install centreon-plugin-applications-protocol-x509

CentOS 7

yum install centreon-plugin-Applications-Protocol-X509

Using the monitoring connector

Using a host template provided by the connector

1. Log into Centreon and add a new host through Configuration > Hosts.

2. Fill the Name, Alias & IP Address/DNS fields according to your ressource settings.

3. Apply the App-Protocol-X509-custom template to the host. A list of macros appears. Macros allow you to define how the connector will connect to the resource, and to customize the connector's behavior.

4. Deploy the configuration. The host appears in the list of hosts, and on the Resources Status page. The command that is sent by the connector is displayed in the details panel of the host: it shows the values of the macros.

Using a service template provided by the connector

1. If you have used a host template and checked Create Services linked to the Template too, the services linked to the template have been created automatically, using the corresponding service templates. Otherwise, create manually the services you want and apply a service template to them.
2. Fill in the macros you want (e.g. to change the thresholds for the alerts). Some macros are mandatory (see the table below).

X509-Certificate

Macro	Description	Default value	Mandatory
CUSTOMMODE		tcp
PORT	Port used by host	443	X
WARNINGSTATUS	Define the conditions to match for the status to be WARNING. (Default: '%{expiration} \< 60'). Can use special variables like: %{expiration}, %{subject}, %{issuer}, %{alt_subjects}	%{expiration} \< 60
CRITICALSTATUS	Define the conditions to match for the status to be CRITICAL. (Default: '%{expiration} \< 30'). Can use special variables like: %{expiration}, %{subject}, %{issuer}, %{alt_subjects}. Examples : Raise a critical alarm if certificate expires in less than 30 days or does not cover alternative name 'my.app.com' --critical-status='%{expiration} \< 30 || %{alt_subjects} !~ /my.app.com/'	%{expiration} \< 30
EXTRAOPTIONS	Any extra option you may want to add to the command (E.g. a --verbose flag). All options are listed here

3. Deploy the configuration. The service appears in the list of services, and on page Resources Status. The command that is sent by the connector is displayed in the details panel of the service: it shows the values of the macros.

How to check in the CLI that the configuration is OK and what are the main options for?

Once the plugin is installed, log into your Centreon poller's CLI using the centreon-engine user account (su - centreon-engine). Test that the connector is able to monitor a resource using a command like this one (replace the sample values by yours):

/usr/lib/centreon/plugins/centreon_protocol_x509.pl \
    --plugin=apps::protocols::x509::plugin \
    --mode=certificate \
    --custommode='tcp' \
    --hostname='www.google.com' \
    --port=443 \
    --warning-status='%{expiration} < 60' \
    --critical-status='%{expiration} < 30'

The expected command output is shown below:

OK: Certificate for 'www.google.com' expires in '60' days [2023-10-30T12:22:43Z] - Issuer: '/C=US/O=Google Trust Services LLC/CN=GTS CA 1C3' 

Troubleshooting

Please find the troubleshooting documentation for Centreon Plugins typical issues.

Available modes

In most cases, a mode corresponds to a service template. The mode appears in the execution command for the connector. In the Centreon interface, you don't need to specify a mode explicitly: its use is implied when you apply a service template. However, you will need to specify the correct mode for the template if you want to test the execution command for the connector in your terminal.

All available modes can be displayed by adding the --list-mode parameter to the command:

/usr/lib/centreon/plugins/centreon_protocol_x509.pl \
    --plugin=apps::protocols::x509::plugin \
    --list-mode

The plugin brings the following modes:

Mode	Linked service template
certificate [code]	App-Protocol-X509-Certificate-custom

Available custom modes

This connector offers several ways to connect to the resource (CLI, library, etc.), called custom modes. All available custom modes can be displayed by adding the --list-custommode parameter to the command:

/usr/lib/centreon/plugins/centreon_protocol_x509.pl \
    --plugin=apps::protocols::x509::plugin \
    --list-custommode

The plugin brings the following custom modes:

• file
• https
• opensslcli
• tcp

Available options

Custom modes options

All custom modes specific options are listed here:

file

Option	Description
--certificate	Certificate file (PEM or DER).

https

Option	Description
--hostname	IP Addr/FQDN of the webserver host
--port	Port used by Webserver (Default: 443)
--method	Specify http method used (Default: 'GET')
--urlpath	Set path to get webpage (Default: '/')
--timeout	Threshold for HTTP timeout (Default: 5)
--header	Set HTTP headers (Multiple option)
--no-follow	Do not follow http redirect
--http-peer-addr	Set the address you want to connect to. Useful if hostname is only a vhost, to avoid IP resolution.
--proxyurl	Proxy URL. Eg: http://my.proxy:3128
--proxypac	Proxy pac file (can be a URL or a local file).
--insecure	Accept insecure SSL connections.
--http-backend	Perl library to use for HTTP transactions. Possible values are: lwp (default) and curl.
--ssl-opt	Set SSL Options (--ssl-opt="SSL_version => TLSv1" --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE").
--curl-opt	Set CURL Options (--curl-opt="CURLOPT_SSL_VERIFYPEER => 0" --curl-opt="CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1_1" ).

opensslcli

Option	Description
--hostname	IP Addr/FQDN of the host.
--port	Port used by host.
--ssh-backend	Define the backend you want to use. It can be: sshcli (default), plink and libssh.
--ssh-username	Define the user name to log in to the host.
--ssh-password	Define the password associated with the user name. Cannot be used with the sshcli backend. Warning: using a password is not recommended. Use --ssh-priv-key instead.
--ssh-port	Define the TCP port on which SSH is listening.
--ssh-priv-key	Define the private key file to use for user authentication.
--sshcli-command	ssh command (default: 'ssh').
--sshcli-path	ssh command path (default: none)
--sshcli-option	Specify ssh cli options (example: --sshcli-option='-o=StrictHostKeyChecking=no').
--plink-command	plink command (default: 'plink').
--plink-path	plink command path (default: none)
--plink-option	Specify plink options (example: --plink-option='-T').
--libssh-strict-connect	Connection won't be OK even if there is a problem (server known changed or server found other) with the ssh server.

tcp

Option	Description
--hostname	IP Addr/FQDN of the host.
--port	Port used by host.
--servername	Servername of the host for SNI support (only with IO::Socket::SSL >= 1.56) (eg: foo.bar.com).
--ssl-opt	Set SSL options. Examples: Do not verify certificate: --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" Verify certificate: --ssl-opt="SSL_verify_mode => SSL_VERIFY_PEER" --ssl-opt="SSL_version => 'TLSv1'"
--ssl-ignore-errors	Ignore SSL handshake errors. For example: 'SSL error: SSL wants a read first'.
--timeout	Set timeout in seconds for SSL connection (Default: '3') (only with IO::Socket::SSL >= 1.984).
--starttls	Init plaintext connection and start_SSL after. Can be: 'smtp', 'ftp'.

Modes options

All available options for each service template are listed below:

X509-Certificate

Option	Description
--mode	Define the mode in which you want the plugin to be executed (see--list-mode).
--dyn-mode	Specify a mode with the module's path (advanced).
--list-mode	List all available modes.
--mode-version	Check minimal version of mode. If not, unknown error.
--version	Return the version of the plugin.
--custommode	When a plugin offers several ways (CLI, library, etc.) to get information the desired one must be defined with this option.
--list-custommode	List all available custom modes.
--multiple	Multiple custom mode objects. This may be required by some specific modes (advanced).
--pass-manager	Define the password manager you want to use. Supported managers are: environment, file, keepass, hashicorpvault and teampass.
--verbose	Display extended status information (long output).
--debug	Display debug messages.
--filter-perfdata	Filter perfdata that match the regexp. Eg: adding --filter-perfdata='avg' will remove all metrics that do not contain 'avg' from performance data.
--filter-perfdata-adv	Filter perfdata based on a "if" condition using the following variables: label, value, unit, warning, critical, min, max. Variables must be written either %{variable} or %(variable). Eg: adding --filter-perfdata-adv='not (%(value) == 0 and %(max) eq "")' will remove all metrics whose value equals 0 and that don't have a maximum value.
--explode-perfdata-max	Create a new metric for each metric that comes with a maximum limit. The new metric will be named identically with a '_max' suffix). Eg: it will split 'used_prct'=26.93%;0:80;0:90;0;100 into 'used_prct'=26.93%;0:80;0:90;0;100 'used_prct_max'=100%;;;;
--change-perfdata --extend-perfdata	Change or extend perfdata. Syntax: --extend-perfdata=searchlabel,newlabel,target[,[newuom],[min],[m ax]] Common examples: Convert storage free perfdata into used: --change-perfdata=free,used,invert() Convert storage free perfdata into used: --change-perfdata=used,free,invert() Scale traffic values automatically: --change-perfdata=traffic,,scale(auto) Scale traffic values in Mbps: --change-perfdata=traffic_in,,scale(Mbps),mbps Change traffic values in percent: --change-perfdata=traffic_in,,percent()
--extend-perfdata-group	Add new aggregated metrics (min, max, average or sum) for groups of metrics defined by a regex match on the metrics' names. Syntax: --extend-perfdata-group=regex,namesofnewmetrics,calculation[,[ne wuom],[min],[max]] regex: regular expression namesofnewmetrics: how the new metrics' names are composed (can use $1, $2... for groups defined by () in regex). calculation: how the values of the new metrics should be calculated newuom (optional): unit of measure for the new metrics min (optional): lowest value the metrics can reach max (optional): highest value the metrics can reach Common examples: Sum wrong packets from all interfaces (with interface need --units-errors=absolute): --extend-perfdata-group=',packets_wrong,sum(packets_(discard |error)_(in|out))' Sum traffic by interface: --extend-perfdata-group='traffic_in_(.*),traffic_$1,sum(traf fic_(in|out)_$1)'
--change-short-output --change-long-output	Modify the short/long output that is returned by the plugin. Syntax: --change-short-output=pattern~replacement~modifier Most commonly used modifiers are i (case insensitive) and g (replace all occurrences). Eg: adding --change-short-output='OK~Up~gi' will replace all occurrences of 'OK', 'ok', 'Ok' or 'oK' with 'Up'
--change-exit	Replace an exit code with one of your choice. Eg: adding --change-exit=unknown=critical will result in a CRITICAL state instead of an UNKNOWN state.
--range-perfdata	Rewrite the ranges displayed in the perfdata. Accepted values: 0: nothing is changed. 1: if the lower value of the range is equal to 0, it is removed. 2: remove the thresholds from the perfdata.
--filter-uom	Mask the units when they don't match the given regular expression.
--opt-exit	Replace the exit code in case of an execution error (i.e. wrong option provided, SSH connection refused, timeout, etc). Default: unknown.
--output-ignore-perfdata	Remove all the metrics from the service. The service will still have a status and an output.
--output-ignore-label	Remove the status label ("OK:", "WARNING:", "UNKNOWN:", CRITICAL:") from the beginning of the output. Eg: 'OK: Ram Total:...' will become 'Ram Total:...'
--output-xml	Return the output in XML format (to send to an XML API).
--output-json	Return the output in JSON format (to send to a JSON API).
--output-openmetrics	Return the output in OpenMetrics format (to send to a tool expecting this format).
--output-file	Write output in file (can be combined with json, xml and openmetrics options). E.g.: --output-file=/tmp/output.txt will write the output in /tmp/output.txt.
--disco-format	Applies only to modes beginning with 'list-'. Returns the list of available macros to configure a service discovery rule (formatted in XML).
--disco-show	Applies only to modes beginning with 'list-'. Returns the list of discovered objects (formatted in XML) for service discovery.
--float-precision	Define the float precision for thresholds (default: 8).
--source-encoding	Define the character encoding of the response sent by the monitored resource Default: 'UTF-8'.
--warning-status	Define the conditions to match for the status to be WARNING. (Default: '%{expiration} \< 60'). Can use special variables like: %{expiration}, %{subject}, %{issuer}, %{alt_subjects}.
--critical-status	Define the conditions to match for the status to be CRITICAL. (Default: '%{expiration} \< 30'). Can use special variables like: %{expiration}, %{subject}, %{issuer}, %{alt_subjects}. Examples : Raise a critical alarm if certificate expires in less than 30 days or does not cover alternative name 'my.app.com' --critical-status='%{expiration} \< 30 || %{alt_subjects} !~ /my.app.com/'

All available options for a given mode can be displayed by adding the --help parameter to the command:

/usr/lib/centreon/plugins/centreon_protocol_x509.pl \
    --plugin=apps::protocols::x509::plugin \
    --mode=certificate \
    --custommode='tcp' \
    --help