SSLCertMonitor This monitor is used to test if a SSL certificate presented by a remote network server are valid. A certificate is invalid if its initial time is prior to the current time, or if the current time is prior to 7 days (configurable) before the expiration time. You can simulate the behavior by running a command like this: echo | openssl s_client -connect <site>:<port> 2>/dev/null | openssl x509 -noout -dates The output shows you the time range a certificate is valid: notBefore=Dec 24 14:11:34 2013 GMT notAfter=Dec 25 10:37:40 2014 GMT You can configure a threshold in days applied on the notAfter date. While the monitor is mainly useful for plain SSL sockets, the monitor does provide limited support for STARTTLS protocols by providing the user with the ability to specify a STARTTLS message to be sent prior to the SSL negotiation and a regular expression to match to the response received from the server. An additional preliminary message and response regular expression pair is available for protocols that require it (such as XMPP). This monitor implements placeholder substitution in parameter values. Monitor Facts Class Name org.opennms.netmgt.poller.monitors.SSLCertMonitor Remote Enabled true Configuration and Use Table 1. Monitor specific parameters for the SSLCertMonitor Parameter Description Required Default value Placeholder substition port TCP port for the service with SSL certificate. required -1 No retry Number of attempts to get the certificate state optional 0 No days Number of days before the certificate expires that we mark the service as failed. optional 7 No server-name This is the DNS hostname to send as part of the TLS negotiation, known as server name indication (SNI) (See: RFC3546 section 3.1) optional - No starttls-preamble Preliminary message to send to server prior to STARTTLS command. optional `` Yes starttls-preamble-response Regular expression which must match response to preliminary message sent to server prior to STARTTLS command. optional `` Yes starttls-start STARTTLS command. optional `` Yes starttls-start-response Regular expression which must match response to STARTTLS command sent to server. optional `` Yes This monitor implements the Common Configuration Parameters. Table 2. Variables which can be passed in the configuration for server-name Variable Description ${ipaddr} The node’s IP-Address ${\nodeidl} The node ID ${nodelabel} Label of the node the monitor is associated to. ${svcname} The service name The monitor has limited support for communicating on other protocol layers above the SSL session layer. The STARTTLS support has only been tested with a single XMPP server. It is not known if the same approach will prove useful for other use cases, like sending a Host header for HTTPS, or issue a STARTTLS command for IMAP, POP3, SMTP, FTP, LDAP, or NNTP. Examples The following examples show how to monitor SSL certificates on services like IMAPS, SMTPS and HTTPS as well as an example use of the STARTTLS feature for XMPP. If the certificates expire within 30 days the service goes down and indicates this issue in the reason of the monitor. In this example the monitoring interval is reduced to test the certificate every 2 hours (7,200,000 ms). Configuration in poller-configuration.xml is as the following: <service name="SSL-Cert-IMAPS-993" interval="7200000" user-defined="false" status="on"> <parameter key="retry" value="2"/> <parameter key="timeout" value="2000"/> <parameter key="port" value="993"/> <parameter key="days" value="30"/> </service> <service name="SSL-Cert-SMTPS-465" interval="7200000" user-defined="false" status="on"> <parameter key="retry" value="2"/> <parameter key="timeout" value="2000"/> <parameter key="port" value="465"/> <parameter key="days" value="30"/> </service> <service name="SSL-Cert-HTTPS-443" interval="7200000" user-defined="false" status="on"> <parameter key="retry" value="2"/> <parameter key="timeout" value="3000"/> <parameter key="port" value="443"/> <parameter key="days" value="30"/> <parameter key="server-name" value="$\{nodelabel}.example.com"/> </service> <service name="XMPP-STARTTLS-5222" interval="7200000" user-defined="false" status="on"> <parameter key="retry" value="2"/> <parameter key="timeout" value="3000"/> <parameter key="port" value="5222"/> <parameter key="days" value="30"/> <parameter key="starttls-preamble" value="<stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' to='{ipAddr}' version='1.0'>"/> <parameter key="starttls-preamble-response" value="^.*starttls.*$"/> <parameter key="starttls-start" value="<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"/> <parameter key="starttls-start-response" value="^.*starttls.*$"/> </service> <monitor service="SSL-Cert-IMAPS-993" class-name="org.opennms.netmgt.poller.monitors.SSLCertMonitor" /> <monitor service="SSL-Cert-SMTPS-465" class-name="org.opennms.netmgt.poller.monitors.SSLCertMonitor" /> <monitor service="SSL-Cert-HTTPS-443" class-name="org.opennms.netmgt.poller.monitors.SSLCertMonitor" /> <monitor service="XMPP-STARTTLS-5222" class-name="org.opennms.netmgt.poller.monitors.SSLCertMonitor" />