Jody Davis
asked on
Solarwinds SSL Certificate Expiration alerts almost every day/appears config correctly
CurrentCertSettings.docx
Our currently-departed Network Engineer configured SSL Cert monitoring for expiration on select servers before he left. Now, basically every day the monitor sends emails that SSL Certificate Expiration data has expired, when they haven't upon inspection. An email comes eventually that resets the status. But tomorrow, it will happen again. Rinse, repeat every day. Quite annoying.
I've attached a pic of our current Solarwinds Cert Expiration settings as well as the computer-level cert store for a server it said had a SSL cert expired then reset the next day. All settings seem ok according to instructions online.
1. What could be causing this behavior?
2. What could be wrong with the settings?
3. Does the monitor look in all the cert containers, or just Personal/Certificates?
4. How can i resolve this?
Are you checking the correct servers (the web servers)?
Just run the openssl tool against your IP for more detail.
Something like this...
imac> echo QUIT | openssl s_client -connect davidfavor.com:443 -servername davidfavor.com 2>&1 | openssl x509 -noout -text | egrep -e DNS: -e "Not After"
Not After : Jan 29 02:07:00 2021 GMT
DNS:*.davidfavor.com, DNS:davidfavor.com
Using -connect $your-ip, varying -servername $host for each host your cert covers. This will tell you how your cert appears to external requests (outside the machine).
Once you have this data, you can determine your next debug step.
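A small checker that does in code what the openssl command above does, as an added example (not code from this thread, from David, or from SolarWinds): it parses the Validity and SAN lines out of the `openssl x509 -noout -text` output posted in this thread, can pull the same fields from a live handshake with SNI, and classifies the certificate against a warning threshold in UTC. The sample text is constructed from the output posted here; fetch_cert, evaluate and san_covers are names chosen for this example.

```python
import re, socket, ssl
from datetime import datetime, timezone

# Constructed sample: the Validity and SAN lines from the openssl output posted in this thread.
SAMPLE_X509_TEXT = """\
        Validity
            Not Before: Dec 18 17:07:13 2018 GMT
            Not After : Feb 16 11:13:10 2021 GMT
            X509v3 Subject Alternative Name:
                DNS:*.ourdomain.com, DNS:ourdomain.com
"""

def gmt_to_utc(cert_time):
    # openssl and ssl.getpeercert() both give validity as "Feb 16 11:13:10 2021 GMT"; keep it
    # as an aware UTC datetime so the day count does not drift with the local time zone.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def parse_x509_text(text):
    """Pull notBefore/notAfter and SAN names out of `openssl x509 -noout -text` output."""
    not_before = re.search(r"Not Before\s*:\s*(.+GMT)", text).group(1)
    not_after = re.search(r"Not After\s*:\s*(.+GMT)", text).group(1)
    return {"notBefore": gmt_to_utc(not_before), "notAfter": gmt_to_utc(not_after),
            "san": re.findall(r"DNS:([^,\s]+)", text)}

def fetch_cert(host, port=443, timeout=5):
    """Same fields from a live, verified handshake with SNI, i.e. what -servername exercises."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            pc = tls.getpeercert()
    return {"notBefore": gmt_to_utc(pc["notBefore"]), "notAfter": gmt_to_utc(pc["notAfter"]),
            "san": [v for k, v in pc.get("subjectAltName", ()) if k == "DNS"]}

def evaluate(cert, now=None, warn_days=30):
    """Classify the cert as an expiry monitor would: returns (status, whole days left)."""
    now = now or datetime.now(timezone.utc)
    days_left = (cert["notAfter"] - now).days
    if now < cert["notBefore"]:
        return "not_yet_valid", days_left
    if now >= cert["notAfter"]:
        return "expired", days_left
    return ("warning" if days_left < warn_days else "ok"), days_left

def san_covers(hostname, sans):
    """True if a SAN entry matches hostname; a leading '*' matches exactly one label."""
    h = hostname.lower().split(".")
    return any(len(s) == len(h) and (s == h or (s[0] == "*" and s[1:] == h[1:]))
               for s in (san.lower().split(".") for san in sans))
```

evaluate() takes an explicit now so you can reproduce what a monitor would have reported at a given poll time, and compare that with what a live fetch_cert() shows for the same name.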
ASKER
David Favor,
I ran the following command as directed and output is below (certain aspects obscured). This site is hosted by a single-server only.
*** It shows a single certificate (expected to see that cert used) and the Validity hasn't expired.
*** Why is it continuing to alert while the single cert it sees has Validity yet to expire?
C:\Users\Me>echo QUIT | openssl s_client -connect ourdomain.com:443 -servername ourdomain.com 2>&1 | openssl x509 -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
38:07:75:2f:91:9c:08:1a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
Validity
Not Before: Dec 18 17:07:13 2018 GMT
Not After : Feb 16 11:13:10 2021 GMT
Subject: OU = Domain Control Validated, CN = *.ourdomain.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
*******************************
*******************************
*******************************
*******************************
*******************************
*******************************
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.godaddy.com/gdig2s1-899.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114413.1.7.23.1
CPS: http://certificates.godaddy.com/repository/
Policy: 2.23.140.1.2.1
Authority Information Access:
OCSP - URI:http://ocsp.godaddy.com/
CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
X509v3 Authority Key Identifier:
keyid:***************************************************
X509v3 Subject Alternative Name:
DNS:*.ourdomain.com, DNS:ourdomain.com
X509v3 Subject Key Identifier:
*********************************************************
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
Timestamp : Dec 18 17:07:14.524 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
*******************************
*******************************
*******************************
*******************************
*******************************
*******************************
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : EE:4B:BD:B7:75:CE:60:BA:E1:42:69:1F:AB:E1:9E:66:
A3:0F:7E:5F:B0:72:D8:83:00:C4:7B:89:7A:A8:FD:CB
Timestamp : Dec 18 17:07:15.701 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
*******************************
*******************************
*******************************
*******************************
*******************************
*******************************
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 44:94:65:2E:B0:EE:CE:AF:C4:40:07:D8:A8:FE:28:C0:
DA:E6:82:BE:D8:CB:31:B5:3F:D3:33:96:B5:B6:81:A8
Timestamp : Dec 18 17:07:16.480 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
*******************************
*******************************
*******************************
*******************************
*******************************
*******************************
Signature Algorithm: sha256WithRSAEncryption
*******************************
*******************************
*******************************
*******************************
*******************************
*******************************
*******************************
*******************************
*******************************
*******************************
*******************************
*******************************