Page MenuHomePhabricator

Should we have a specific check for SSL certificate expiration on elasticsearch
Closed, ResolvedPublic


We do have icinga checks on SSL certificates for externally facing services. In the context of elasticsearch, the service is purely internal at this point. It relies on Puppet SSL certificates, so we *might* already have something in place to check their expiration. In any case, we need to make sure that we will have early warning of their expiration.

Event Timeline

Gehel created this task.Mar 18 2016, 1:41 PM
Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptMar 18 2016, 1:41 PM

Icinga check command ssl-cert-check is defined in modules/nagios_common/files/checkcommands.cfg. It might make sense to use it...

Gehel added a comment.Mar 23 2016, 4:20 PM

@faidon said: "yes we should", @Gehel will implement this.

Change 279154 had a related patch set uploaded (by Gehel):
Adding an Icinga check for SSL certificate

Change 279154 merged by Gehel:
elasticsarch: add Icinga check for SSL certificate

Mentioned in SAL [2016-03-24T10:18:44Z] <gehel> activating SSL certificate check on elasticsearch - T130366

Change 279331 had a related patch set uploaded (by Gehel):
Corrected port number to check for SSL cert on elasticsearch

Change 279331 merged by Gehel:
Corrected port number to check for SSL cert on elasticsearch

Change is now deployed on all elasticsearch servers. After some back and forth (wrong port configured in the check, error in puppet merge) icinga is now green again.

Dzahn added a comment.Mar 24 2016, 4:25 PM

one of them: (elastic1001)

"SSL OK - Certificate elastic1001.eqiad.wmnet valid until 2021-03-15 19:57:34 +0000 (expires in 1817 days)"

and here are all of them at the same time:

@Gehel Looks resolved to me, cool!

Deskana closed this task as Resolved.Mar 24 2016, 4:28 PM
Restricted Application edited projects, added Discovery-Search; removed Discovery-Search (Current work). · View Herald TranscriptJun 7 2017, 6:43 PM