We do have Icinga checks on SSL certificates for externally facing services. In the context of Elasticsearch, the service is purely internal at this point. It relies on Puppet SSL certificates, so we *might* already have something in place to check their expiration. In any case, we need to make sure that we will have early warning of their expiration.
Details
Status | Subtype | Assigned | Task
---|---|---|---
Resolved | | LSobanski | T111653 Encrypt all the things
Resolved | | Gehel | T124444 Look into encrypting Elasticsearch traffic
Resolved | | Dzahn | T114059 ssl expiry tracking in icinga - we don't monitor that many domains
Resolved | | Gehel | T130366 Should we have a specific check for SSL certificate expiration on elasticsearch
Event Timeline
Icinga check command ssl-cert-check is defined in modules/nagios_common/files/checkcommands.cfg. It might make sense to use it...
@Gehel please also see T114059 and consider using check_ssl_http
example: https://gerrit.wikimedia.org/r/#/c/244610/3/manifests/role/nova.pp
and T114059#1743688 ff
Change 279154 had a related patch set uploaded (by Gehel):
Adding an Icinga check for SSL certificate
Mentioned in SAL [2016-03-24T10:18:44Z] <gehel> activating SSL certificate check on elasticsearch - T130366
Change 279331 had a related patch set uploaded (by Gehel):
Corrected port number to check for SSL cert on elasticsearch
Change 279331 merged by Gehel:
Corrected port number to check for SSL cert on elasticsearch
Change is now deployed on all Elasticsearch servers. After some back and forth (wrong port configured in the check, error in Puppet merge) Icinga is now green again.
one of them: (elastic1001)
"SSL OK - Certificate elastic1001.eqiad.wmnet valid until 2021-03-15 19:57:34 +0000 (expires in 1817 days)"
and here are all of them at the same time:
https://icinga.wikimedia.org/cgi-bin/icinga/status.cgi?search_string=Elasticsearch+HTTPS
@Gehel Looks resolved to me, cool!