Description
Follow-up from T108953 (Cassandra inter-node encryption (TLS)): track expiration of the Cassandra CA and certs. Rollout involves generating new certs via cassandra-ca-manager and restarting Cassandra after a Puppet run to deploy the updated certs.
Details
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | Dzahn | T114059 ssl expiry tracking in icinga - we don't monitor that many domains
Resolved | | fgiunchedi | T120662 Track/alert cassandra certs expiration
Event Timeline
We can use the same method as in T116332 here, with modules/nagios_common/files/check_commands/check_ssl_certfile, which we can install where the cert is (like here) and execute via NRPE. It runs `openssl x509 -checkend 324000 -noout -in $1` on the cert file. This is the method for services that use TLS but are not HTTPS or LDAPS. For those protocols we have other plugins that actually connect to the server instead of just checking the certificate as a file.
Another approach would be to connect to the host directly and use check_ssl; some changes/tweaks to the options are possibly needed too:

```
$ modules/nagios_common/files/check_commands/check_ssl -H localhost -r cert.crt -p 9999 --nosni
Cannot determine hostname of peer for verification. Disabling default hostname verification for now. Please specify hostname with SSL_verifycn_name and better set SSL_verifycn_scheme too.
Label too long at /usr/share/perl5/IO/Socket/SSL.pm line 1579.
```

Additionally, an X.509 cert in PEM format can be extracted from the CA file with `keytool -export -alias rootca -file cert.crt -rfc -keystore server.trust`.
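The two comments above describe the file-based approach (run `openssl x509 -checkend` on the cert on disk, via NRPE) and how to get a PEM cert out of the Java truststore with keytool. The script below is an added example written for this page, not the Wikimedia check_ssl_certfile plugin or anything from operations/puppet: it wraps the same `-checkend` test in a Nagios-style check with OK/WARNING/CRITICAL/UNKNOWN exit codes (the original plugin only tests one threshold), adds a keytool export helper, and generates throwaway self-signed certs so the behaviour can be seen offline. The function names, the 86400 s critical threshold, the `-storepass` argument and the test certificates are assumptions.

```shell
#!/bin/sh
# Added example (not the Wikimedia check_ssl_certfile plugin): a Nagios/NRPE-style
# expiry check for a certificate file, built on the same "openssl x509 -checkend"
# test described in the thread, plus a keytool helper to pull a PEM cert out of a
# Java truststore. Function names, thresholds and the demo certs are assumptions.

# check_certfile_expiry FILE [WARN_SECONDS] [CRIT_SECONDS]
# Nagios exit codes: 0 OK, 1 WARNING (expires within WARN), 2 CRITICAL
# (expires within CRIT, or already expired), 3 UNKNOWN (unreadable / not X.509).
# Defaults: warn at 324000 s (3.75 days, as in the thread), crit at 86400 s (assumed).
check_certfile_expiry() {
    file=$1
    warn=${2:-324000}
    crit=${3:-86400}
    if [ ! -r "$file" ]; then
        echo "UNKNOWN - cannot read $file"
        return 3
    fi
    # -enddate both validates the PEM and yields the notAfter date for the message
    notafter=$(openssl x509 -noout -enddate -in "$file" 2>/dev/null) || {
        echo "UNKNOWN - $file is not a readable X.509 certificate"
        return 3
    }
    notafter=${notafter#notAfter=}
    # -checkend N exits non-zero when the cert expires within N seconds (or already has)
    if ! openssl x509 -noout -checkend "$crit" -in "$file" >/dev/null 2>&1; then
        echo "CRITICAL - $file expires within ${crit}s (notAfter=$notafter)"
        return 2
    fi
    if ! openssl x509 -noout -checkend "$warn" -in "$file" >/dev/null 2>&1; then
        echo "WARNING - $file expires within ${warn}s (notAfter=$notafter)"
        return 1
    fi
    echo "OK - $file valid beyond ${warn}s (notAfter=$notafter)"
    return 0
}

# export_truststore_cert TRUSTSTORE ALIAS OUTFILE STOREPASS
# Same keytool export as in the thread; -storepass is added so the check can run
# non-interactively under NRPE (assumes keytool on PATH and a known store password).
export_truststore_cert() {
    keytool -export -rfc -alias "$2" -keystore "$1" -storepass "$4" -file "$3"
}

# make_test_cert DAYS OUTFILE: constructed self-signed cert, for the demo only.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=cassandra-test" \
        -days "$1" -keyout "${2%.pem}.key" -out "$2" >/dev/null 2>&1
}

# Demo: a 2-day cert trips the 324000 s warning threshold, a 30-day cert is OK.
demo_dir=$(mktemp -d)
make_test_cert 2 "$demo_dir/short.pem"
make_test_cert 30 "$demo_dir/long.pem"
check_certfile_expiry "$demo_dir/short.pem" || :
check_certfile_expiry "$demo_dir/long.pem" || :
rm -rf "$demo_dir"
```

Deployed as an NRPE command the check only needs the PEM path (and optionally the two thresholds); the keytool step would run beforehand, or in the check itself, only on hosts where the cert lives solely inside a JKS store.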
Change 305633 had a related patch set uploaded (by Filippo Giunchedi):
cassandra: add instance ssl monitoring
It has been added to Icinga and it works fine for restbase* hosts, but the cassandra role is also applied on aqs* and maps* and it does not work for all of them the same way.
Examples:
- working and OK on restbase1007
- working and WARNS correctly about expiry on restbase-test2002
- failed to connect on aqs1001 or maps2001
Change 305711 had a related patch set uploaded (by Dzahn):
cassandra: limit SSL cert monitoring to restbase hosts
Change 305711 merged by Dzahn:
cassandra: limit SSL cert monitoring to restbase hosts
Mentioned in SAL [2016-08-22T17:48:28Z] <godog> cassandra: replace certs for restbase-test200[123]-[ab] - T120662
Change 307251 had a related patch set uploaded (by Filippo Giunchedi):
cassandra: add ssl monitoring only for ssl-enabled hosts
Change 307251 merged by Dzahn:
cassandra: add ssl monitoring only for ssl-enabled hosts
Merged and checked on neon. The number of checks was 60 before and after / no-op. And yea, that was the better solution I was looking for instead of my quick fix by hostname. Thank you!