Page MenuHomePhabricator
Create Task
Maniphest T130366

Should we have a specific check for SSL certificate expiration on elasticsearch
Closed, ResolvedPublic
Actions

Description

We do have icinga checks on SSL certificates for externally facing services. In the context of elasticsearch, the service is purely internal at this point. It relies on Puppet SSL certificates, so we *might* already have something in place to check their expiration. In any case, we need to make sure that we will have early warning of their expiration.

Details

SubjectRepoBranchLines +/-
Corrected port number to check for SSL cert on elasticsearchoperations/puppetproduction+6 -1
elasticsarch: add Icinga check for SSL certificateoperations/puppetproduction+22 -4
Customize query in gerrit

Related Objects
Search...

Event Timeline

Gehel created this task.Mar 18 2016, 1:41 PM
Restricted Application removed a project: Patch-For-Review. · View Herald TranscriptMar 18 2016, 1:41 PM
Gehel moved this task from Incoming to not in use - please delete on the Discovery-Search (Current work) board.Mar 18 2016, 2:06 PM

Icinga check command ssl-cert-check is defined in modules/nagios_common/files/checkcommands.cfg. It might make sense to use it...

Gehel added a comment.Mar 23 2016, 4:20 PM

@faidon said: "yes we should", @Gehel will implement this.

Dzahn subscribed.Mar 23 2016, 4:29 PM

@Gehel please also see T114059 and consider using check_ssl_http

example: https://gerrit.wikimedia.org/r/#/c/244610/3/manifests/role/nova.pp

and T114059#1743688 ff

Dzahn added a parent task: T114059: ssl expiry tracking in icinga - we don't monitor that many domains.Mar 23 2016, 4:30 PM
gerritbot added a comment.Mar 23 2016, 6:02 PM

Change 279154 had a related patch set uploaded (by Gehel):
Adding an Icinga check for SSL certificate

https://gerrit.wikimedia.org/r/279154

gerritbot added a project: Patch-For-Review.Mar 23 2016, 6:02 PM
gerritbot added a comment.Mar 24 2016, 10:18 AM

Change 279154 merged by Gehel:
elasticsarch: add Icinga check for SSL certificate

https://gerrit.wikimedia.org/r/279154

Stashbot subscribed.Mar 24 2016, 10:18 AM

Mentioned in SAL [2016-03-24T10:18:44Z] <gehel> activating SSL certificate check on elasticsearch - T130366

Gehel moved this task from not in use - please delete to Needs Reporting on the Discovery-Search (Current work) board.Mar 24 2016, 10:26 AM
gerritbot added a comment.Mar 24 2016, 10:36 AM

Change 279331 had a related patch set uploaded (by Gehel):
Corrected port number to check for SSL cert on elasticsearch

https://gerrit.wikimedia.org/r/279331

gerritbot added a comment.Mar 24 2016, 10:43 AM

Change 279331 merged by Gehel:
Corrected port number to check for SSL cert on elasticsearch

https://gerrit.wikimedia.org/r/279331

Gehel added a comment.Mar 24 2016, 12:35 PM

Change is now deployed on all elasticsearch servers. After some back and forth (wrong port configured in the check, error in puppet merge) icinga is now green again.

Dzahn added a comment.Mar 24 2016, 4:25 PM

one of them: (elastic1001)

"SSL OK - Certificate elastic1001.eqiad.wmnet valid until 2021-03-15 19:57:34 +0000 (expires in 1817 days)"

https://icinga.wikimedia.org/cgi-bin/icinga/extinfo.cgi?type=2&host=elastic1001&service=Elasticsearch+HTTPS

and here are all of them at the same time:

https://icinga.wikimedia.org/cgi-bin/icinga/status.cgi?search_string=Elasticsearch+HTTPS

@Gehel Looks resolved to me, cool!

Deskana closed this task as Resolved.Mar 24 2016, 4:28 PM
Phabricator_maintenance removed a subscriber: yuvipanda.Jun 7 2017, 6:43 PM
Restricted Application edited projects, added Discovery-Search; removed Discovery-Search (Current work). · View Herald TranscriptJun 7 2017, 6:43 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL