Get certificate from url #57

Closed
benhartwich opened this issue Jun 11, 2019 · 4 comments

Comments

@benhartwich

Is your feature request related to a problem? Please describe.

As far as I understood the x509 module, I can't check certificates directly by using the SSL port / a given remote host, but I have to import each cert to be monitored by command line / job. The import command uses a local cert file, but how can I import "live" hosts?

Describe the solution you'd like

It would be great if I could also check remote "live" hosts' certificates instead of importing each cert to be checked, OR to provide a command which can handle --url and --file when importing a new cert to x509.

@dnsmichi

The idea is to scan specific network ranges, e.g. 192.168.0.0/16 ... the manual import of certificates is for the CA trust store, which discovered certificates are checked against.

@dnsmichi added the needs-feedback label ("We'll only proceed once we hear from you again") Jun 18, 2019
@benhartwich
Author

OK, but what is the workflow for remote servers which are hosted at AWS or Azure? Icinga2 runs by default within the company network, and there is a network rule with which the local Icinga2 VM and remote servers can communicate. There should be the possibility to import certs from remote servers which cannot be scanned by an IP range.

Or didn't I get your idea exactly?

@nilmerg
Member

nilmerg commented Jun 26, 2019

Hi, importing certificates (#18) may be a feature in the future. At the moment you'll have to set up jobs with CIDR ranges. Though, if you want to scan particular IPs you may just define their CIDR as /32. (e.g. 10.0.20.8/32 is just 10.0.20.8)

As for how to collect certificates in a DMZ, a cloud or whatever: I've already proposed in #34 to install the icingacli package along with the module there and have it speak to a remote database. I still assume this is a viable solution. Though, previously I didn't get any feedback. :/
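Added example (not part of the thread and not code from the x509 module): a Python helper that turns an inventory of individual server addresses into the CIDR strings a scan job takes, using /32 for single IPv4 hosts as described in the comment above. It goes slightly further by handling IPv6 (/128) and merging adjacent or overlapping entries; the function name and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample inventory: single hosts, a range, a hostname and a typo.
SAMPLE_TARGETS = [
    "10.0.20.8",
    "10.0.20.9",
    "192.168.0.0/16",
    "192.168.1.5",        # already covered by the /16 above
    "203.0.113.7",
    "2001:db8::1",
    "web01.example.com",  # not an IP literal: needs resolving first
    "10.0.20.8/24",       # host bits set: ambiguous, so rejected
]


def to_job_cidrs(entries):
    """Return (cidrs, rejected).

    cidrs    -- minimal list of CIDR strings covering every valid entry;
                a bare IPv4 address becomes /32, a bare IPv6 address /128.
    rejected -- entries that are not a valid IP address or network, so the
                caller can resolve or correct them instead of scanning
                something unintended.
    """
    nets = {4: [], 6: []}
    rejected = []
    for raw in entries:
        item = raw.strip()
        if not item or item.startswith("#"):
            continue
        try:
            # Default strict parsing refuses networks with host bits set,
            # so a mistyped prefix never silently widens the scan range.
            net = ipaddress.ip_network(item)
        except ValueError:
            rejected.append(item)
            continue
        nets[net.version].append(net)

    cidrs = []
    for version in (4, 6):
        # collapse_addresses merges neighbours and drops covered subnets.
        cidrs.extend(str(n) for n in ipaddress.collapse_addresses(nets[version]))
    return cidrs, rejected


if __name__ == "__main__":
    cidrs, rejected = to_job_cidrs(SAMPLE_TARGETS)
    print("job CIDRs:", ", ".join(cidrs))
    print("needs attention:", ", ".join(rejected))
```

The resulting CIDR list still has to be entered into a job definition; entries in the rejected list (hostnames, malformed prefixes) need to be resolved or corrected first.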

@nilmerg
Member

nilmerg commented Jul 24, 2019

Again no feedback. 😐 Seems like interest suffers if it gets technical.

@nilmerg nilmerg closed this as completed Jul 24, 2019
@nilmerg removed the needs-feedback label ("We'll only proceed once we hear from you again") Jul 24, 2019