SSL Certificate Validation #1152
Conversation
-checks if the certificate is expired or not -warning can occur based on user settings
|
@LeoCavaille Please Review |
| @@ -174,3 +181,38 @@ def report_as_service_check(self, name, status, instance, msg=None): | |||
| message=msg | |||
| ) | |||
|
|
|||
| def report_ssl(self, host, warning_days): | |||
| if host.startswith('https://'): | |||
| url = host[8:] | |||
|
@whatarthurcodes thanks, it is I think a cool thing to have in the agent!! |
|
+1 it's going to be great to have that in the agent. The self contained agent bundles openssl (and pyopenssl). Maybe you should use that instead ? It would probably be easier. |
|
You could basically run the same command as the following: echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -dateswith pyopenssl |
|
Are you aware of a particular advantages that pyopenssl can offer, if not I think the standard ssl library serves the purpose we want it to. |
| # ssl certificate. Allow for a warning to occur when x days are | ||
| # left in the certificate. | ||
|
|
||
| check_certificate_expiration: true |
There was a problem hiding this comment.
The common practice in the example configuration is to comment all the optional parameters and to put the default value.
It's already the good value so it just need to be commented.
-used urlparse -remove ciphers -fixed example yaml
| @@ -124,6 +125,19 @@ def _process(self, instance): | |||
| result = (FAILURE, FAILURE, FAILURE, FAILURE) | |||
| self.resultsq.put(result) | |||
|
|
|||
| ssl_expire = instance.get('check_certificate_expiration', False) | |||
| if ssl_expire: | |||
There was a problem hiding this comment.
@LeoCavaille if the config defines, this section will queue another service check regarding the expiration
| @@ -174,3 +180,37 @@ def report_as_service_check(self, name, status, instance, msg=None): | |||
| message=msg | |||
| ) | |||
|
|
|||
| def report_ssl(self, instance): | |||
| warning_days = instance.get('days_warning', 14) | |||
| host = instance.get('url', None) | |||
There was a problem hiding this comment.
I am a bit confused on why this is called host and there is url below. I feel like they should be swapped?
There was a problem hiding this comment.
okay i can switch that if it makes more sense, there was no strong reasoning for either or
| return Status.WARNING, "%s" % (str(e)) | ||
|
|
||
| exp_date = datetime.strptime(cert['notAfter'], "%b %d %H:%M:%S %Y %Z") | ||
| days_left = exp_date - datetime.now() |
There was a problem hiding this comment.
You shouldn't use datetime.now. Is the date specified in the certificate in UTC or is there a timezone specified ?
There was a problem hiding this comment.
Format will be like such:
'notAfter': 'Feb 16 16:54:50 2013 GMT'
There was a problem hiding this comment.
Is it always GMT ?
If yes then use datetime.utcnow instead, if no then specify the correct timezone in datetime.now
|
Closing this PR in favor of new rebased and improved PR #1259 |
-checks if the certificate is expired or not
-warning can occur based on user settings