Supervision des Certificats HTTPS & Windows

Hello, nous allons voir dans cet article comment superviser la date d’expiration de vos certificats HTTPS ainsi que les certificats racine Windows avec Centreon, NSClient++ et Centreon Plugin Packs.

Ce qu’il vous faut :

• Centreon Server (je suis version 20.10.3)  
• Centreon Plugin Packs :Install/Update Centreon plugin packs
• NSClient++ pour Windows : Télécharger
• Script PowerShell : Télécharger  | source : exchange.nagios.org

Et bien sûr un site en HTTPS et des certifications racine Windows Server.

HTTPS Certificats Validity Plugin

Commençons par la supervision des certificats de vos sites web HTTPS. Je vous donne la commande CLI et la commande UI (Centreon-web).

Nous allons utiliser le  plugin : PLUGIN: apps::protocols::x509::plugin

[root@pixelabs plugins]# ./centreon_plugins.pl --list-plugin | grep protocol | grep PLUGIN
PLUGIN: apps::protocols::bgp::4::plugin
PLUGIN: apps::protocols::dhcp::plugin
PLUGIN: apps::protocols::dns::plugin
PLUGIN: apps::protocols::ftp::plugin
PLUGIN: apps::protocols::http::plugin
PLUGIN: apps::protocols::imap::plugin
PLUGIN: apps::protocols::jmx::plugin
PLUGIN: apps::protocols::ldap::plugin
PLUGIN: apps::protocols::modbus::plugin
PLUGIN: apps::protocols::nrpe::plugin
PLUGIN: apps::protocols::ntp::plugin
PLUGIN: apps::protocols::ospf::snmp::plugin
PLUGIN: apps::protocols::radius::plugin
PLUGIN: apps::protocols::smtp::plugin
PLUGIN: apps::protocols::snmp::plugin
PLUGIN: apps::protocols::ssh::plugin
PLUGIN: apps::protocols::tcp::plugin
PLUGIN: apps::protocols::telnet::plugin
PLUGIN: apps::protocols::tftp::plugin
PLUGIN: apps::protocols::udp::plugin
PLUGIN: apps::protocols::x509::plugin
[root@pixelabs plugins]#

Il n’y a bien sûr qu’un seul mode :

[root@pixelabs plugins]# ./centreon_plugins.pl --plugin=apps::protocols::x509::plugin --list-mode

Plugin Description:
    Check X509's certificate validity.

Global Options:
    --mode  Choose a mode.

    --dyn-mode
            Specify a mode with the path (separated by '::').

    --list-mode
            List available modes.

    --mode-version
            Check minimal version of mode. If not, unknown error.

    --version
            Display plugin version.

    --custommode
            Choose a custom mode.

    --list-custommode
            List available custom modes.

    --multiple
            Multiple custom mode objects (required by some specific modes)

    --pass-manager
            Use a password manager.

Modes Meta:
   multi

Modes Available:
   certificate
[root@pixelabs plugins]#

Ensuite, il est possible de checker via le protocole HTTPS ou TCP :

[root@pixelabs plugins]# ./centreon_plugins.pl --plugin=apps::protocols::x509::plugin --mode=certificate --list-custommode

Plugin Description:
    Check X509's certificate validity.

Global Options:
    --mode  Choose a mode.

    --dyn-mode
            Specify a mode with the path (separated by '::').

    --list-mode
            List available modes.

    --mode-version
            Check minimal version of mode. If not, unknown error.

    --version
            Display plugin version.

    --custommode
            Choose a custom mode.

    --list-custommode
            List available custom modes.

    --multiple
            Multiple custom mode objects (required by some specific modes)

    --pass-manager
            Use a password manager.

Custom Modes Available:
   https
   tcp
[root@pixelabs plugins]#

Pour ma part, je vais utiliser HTTPS.

Afficher la page d’aide pour voir les options.

[root@pixelabs plugins]# ./centreon_plugins.pl --plugin=apps::protocols::x509::plugin --mode=certificate --custommode=https --help

Plugin Description:
    Check X509's certificate validity.

Global Options:
    --mode  Choose a mode.

    --dyn-mode
            Specify a mode with the path (separated by '::').

    --list-mode
            List available modes.

    --mode-version
            Check minimal version of mode. If not, unknown error.

    --version
            Display plugin version.

    --custommode
            Choose a custom mode.

    --list-custommode
            List available custom modes.

    --multiple
            Multiple custom mode objects (required by some specific modes)

    --pass-manager
            Use a password manager.

Output Options:
    --verbose
            Display long output.

    --debug Display also debug messages.

    --filter-perfdata
            Filter perfdata that match the regexp.

    --explode-perfdata-max
            Put max perfdata (if it exist) in a specific perfdata (without
            values: same with '_max' suffix) (Multiple options)

    --change-perfdata --extend-perfdata
            Change or extend perfdata. Syntax:
            --extend-perfdata=searchlabel,newlabel,target[,[newuom],[min],[m
            ax]]

            Common examples:

                Change storage free perfdata in used:
                --change-perfdata=free,used,invert()

                Change storage free perfdata in used:
                --change-perfdata=used,free,invert()

                Scale traffic values automaticaly:
                --change-perfdata=traffic,,scale(auto)

                Scale traffic values in Mbps:
                --change-perfdata=traffic_in,,scale(Mbps),mbps

                Change traffic values in percent:
                --change-perfdata=traffic_in,,percent()

    --extend-perfdata-group
            Extend perfdata from multiple perfdatas (methods in target are:
            min, max, average, sum) Syntax:
            --extend-perfdata-group=searchlabel,newlabel,target[,[newuom],[m
            in],[max]]

            Common examples:

                Sum wrong packets from all interfaces (with interface need
                --units-errors=absolute):
                --extend-perfdata-group=',packets_wrong,sum(packets_(discard
                |error)_(in|out))'

                Sum traffic by interface:
                --extend-perfdata-group='traffic_in_(.*),traffic_$1,sum(traf
                fic_(in|out)_$1)'

    --change-short-output
            Change short output display.
            --change-short-output=pattern~replace~modifier

    --range-perfdata
            Change perfdata range thresholds display: 1 = start value equals
            to '0' is removed, 2 = threshold range is not display.

    --filter-uom
            Filter UOM that match the regexp.

    --opt-exit
            Optional exit code for an execution error (i.e. wrong option
            provided, SSH connection refused, timeout, etc) (Default:
            unknown).

    --output-ignore-perfdata
            Remove perfdata from output.

    --output-ignore-label
            Remove label status from output.

    --output-xml
            Display output in XML format.

    --output-json
            Display output in JSON format.

    --output-openmetrics
            Display metrics in OpenMetrics format.

    --output-file
            Write output in file (can be used with json and xml options)

    --disco-format
            Display discovery arguments (if the mode manages it).

    --disco-show
            Display discovery values (if the mode manages it).

    --float-precision
            Set the float precision for thresholds (Default: 8).

    --source-encoding
            Set encoding of monitoring sources (In some case. Default:
            'UTF-8').

Custom Https Options:
    http connection

    --hostname
            IP Addr/FQDN of the webserver host

    --port  Port used by Webserver (Default: 443)

    --method
            Specify http method used (Default: 'GET')

    --urlpath
            Set path to get webpage (Default: '/')

    --timeout
            Threshold for HTTP timeout (Default: 5)

    --header
            Set HTTP headers (Multiple option)

Http Global Options:
    --http-peer-addr
            Set the address you want to connect (Useful if hostname is only
            a vhost. no ip resolve)

    --proxyurl
            Proxy URL

    --proxypac
            Proxy pac file (can be an url or local file)

    --insecure
            Insecure SSL connections.

    --http-backend
            Set the backend used (Default: 'lwp') For curl:
            --http-backend=curl

Backend lwp Options:
    --ssl-opt
            Set SSL Options (--ssl-opt="SSL_version => TLSv1"
            --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE").

    --ssl   Set SSL version (--ssl=TLSv1).

Backend Curl Options:
    --curl-opt
            Set CURL Options (--curl-opt="CURLOPT_SSL_VERIFYPEER => 0"
            --curl-opt="CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1_1" ).

Mode:
    Check X509's certificate validity (for SMTPS, POPS, IMAPS, HTTPS)

    --warning-status
            Set warning threshold for status. (Default: '%{expiration} <
            60'). Can use special variables like: %{expiration}, %{subject},
            %{issuer}, %{alt_subjects}.

    --critical-status
            Set critical threshold for status. (Default: '%{expiration} <
            30'). Can use special variables like: %{expiration}, %{subject},
            %{issuer}, %{alt_subjects}.

            Examples :

            Raise a critical alarm if certificate expires in less than 30
            days or does not cover alternative name 'my.app.com'
            --critical-status='%{expiration} < 30 || %{alt_subjects} !~
            /my.app.com/'

[root@pixelabs plugins]#

Check HTTPS Certificats Validity

Je check mon propre blog : pixelabs.fr

[root@pixelabs plugins]# perl centreon_plugins.pl --plugin=apps::protocols::x509::plugin --mode=certificate --custommode=https --hostname=pixelabs.fr --port=443 --warning-status='%{expiration} < 20' --critical-status='%{expiration} < 10' --verbose
OK: Certificate for 'pixelabs.fr' expires in '43' days [2021-05-06T14:53:07Z] - Issuer: '/C=US/O=Let's Encrypt/CN=R3' |
Alternative subject names: mail.pixelabs.fr, pixelabs.fr, www.pixelabs.fr.
[root@pixelabs plugins]#

N’oubliez pas de rajouter les macros : Configuration > Collecteurs > Resources

• $_SERVICEPLUGIN$
• $_SERVICEMODE$
• $_SERVICECUSTOMCOMMAND$
• $_SERVICEHOST$
• $_SERVICEPORT$
• $_SERVICEWARNING$
• $_SERVICECRITICAL$
• $_SERVICEEXTRAOPTIONS$

Voici la commande pour Centreon web :

• Configuration > Commandes > Vérification
• Nom : HTTP-Certificat-Validity
• Commande :

$USER2$/centreon_plugins.pl --plugin=$_SERVICEPLUGIN$ --mode=$_SERVICEMODE$ --custommode=$_SERVICECUSTOMCOMMAND$ --hostname=$_SERVICEHOST$ --port=$_SERVICEPORT$ --warning-status=$_SERVICEWARNING$ --critical-status=$_SERVICECRITICAL$ $_SERVICEEXTRAOPTIONS$

Exemple de service rapidos :

Il reste maintenant à mettre en place ce service sur tous vos sites Web HTTPS.

Pensez à mettre en place les modèles de services. Cela permet de modifier que l’HOST, le reste ne bouge pas. Au boulot !

Installation NSClient++

Toujours compliqué avec Windows…installer des agents de partout…etc, les articles sous Windows ça me décourage grave, surtout quant-il faut prendre des screenshots…

Enfin bref… on y va.

Sur votre Windows Server, installer l’agent NSClient++ par défaut.

• Cochez les cases comme sur le screen ci-dessous.
  • Allowed hosts : 192.168.1.30est l’adresse IP du serveur Centreon
  • Password : ajouter un mot de passe (peut être modifié facilement plus tard)

• Cliquez sur Next et laisser le reste par défaut.

Configuration NSClient++

Allez dans le fichier de configuration NSClient++. Par défaut, le fichier se trouve ici : C:\Program Files\NSClient++\nsclient.ini

Si vous utilisez déjà NSClient et que vous avez votre propre configuration. Ajoutez simplement cette ligne :

Sous le bloc [/settings/external scripts/scripts] 

[/settings/external scripts/scripts] 
allow arguments = true 
allow nasty characters = true 

check_ca=cmd /c echo C:\Centreon\check-certificate-expiration.ps1; | powershell.exe -command -

Ma commande s’appelle check_ca et j’ai mis le scripts dans C:\Centreon.

Si vous utilisez NSClient pour la première fois, remplacer par mon fichier ci-dessous :

Remarque : n’oubliez pas de changer l’adresse IP à la ligne 12 (et le mot de passe) : allowed hosts = 192.168.1.30

# If you want to fill this file with all available options run the following command:
#   nscp settings --generate --add-defaults --load-all
# If you want to activate a module and bring in all its options use:
#   nscp settings --activate-module <MODULE NAME> --add-defaults
# For details run: nscp settings --help


; in flight - TODO
[/settings/default]

password = pixelabs.fr
allowed hosts = 192.168.1.30

[/settings/NRPE/server]

insecure = true
use ssl = 
ssl options = 
verify mode = false
allow arguments = true
allow nasty characters = true

[/modules]

CheckNSCP = enabled
WEBServer = enabled
CheckSystem = enabled
NSClientServer = enabled
NSCAClient = enabled
NRPEServer = enabled
CheckExternalScripts = enabled
CheckHelpers = enabled
CheckEventLog = enabled
CheckDisk = enabled

[/settings/external scripts/scripts]
allow arguments = true
allow nasty characters = true

check_ca=cmd /c echo C:\Centreon\check-certificate-expiration.ps1; | powershell.exe -command -

[/settings/external scripts/wrapped scripts]
allow arguments = true
allow nasty characters = true

[/settings/external scripts/wrappings]
allow arguments = true
allow nasty characters = true

bat = scripts\\%SCRIPT% %ARGS%
vbs = cscript.exe //T:30 //NoLogo scripts\\lib\\wrapper.vbs %SCRIPT% %ARGS%
ps1 = cmd /c echo If (-Not (Test-Path "scripts\%SCRIPT%") ) { Write-Host "UNKNOWN: Script `"%SCRIPT%`" not found."; exit(3) }; scripts\%SCRIPT% $ARGS$; exit($lastexitcode) | powershell.exe /noprofile -command -

[/settings/external scripts/alias]
allow arguments = true
allow nasty characters = true

alias_cpu=checkCPU warn=95 crit=90 time=5m time=1m time=30s
alias_cpu_ex=checkCPU warn=$ARG1$ crit=$ARG2$ time=5m time=1m time=30s
alias_mem=checkMem MaxWarn=80% MaxCrit=90% ShowAll=long type=physical type=virtual type=paged type=page
alias_up=checkUpTime MinWarn=1d MinWarn=1h

alias_disk=CheckDriveSize MinWarn=10% MinCrit=5% CheckAll FilterType=FIXED
alias_disk_loose=CheckDriveSize MinWarn=10% MinCrit=5% CheckAll FilterType=FIXED ignore-unreadable
alias_volumes=CheckDriveSize MinWarn=10% MinCrit=5% CheckAll=volumes FilterType=FIXED
alias_volumes_loose=CheckDriveSize MinWarn=10% MinCrit=5% CheckAll=volumes FilterType=FIXED ignore-unreadable 

alias_service=checkServiceState CheckAll
alias_service_ex=checkServiceState CheckAll "exclude=Net Driver HPZ12" "exclude=Pml Driver HPZ12" exclude=stisvc
alias_process=checkProcState "$ARG1$=started"
alias_process_stopped=checkProcState "$ARG1$=stopped"
alias_process_count=checkProcState MaxWarnCount=$ARG2$ MaxCritCount=$ARG3$ "$ARG1$=started"
alias_process_hung=checkProcState MaxWarnCount=1 MaxCritCount=1 "$ARG1$=hung"

alias_event_log=CheckEventLog file=application file=system MaxWarn=1 MaxCrit=1 "filter=generated gt -2d AND severity NOT IN ('success', 'informational') AND source != 'SideBySide'" truncate=800 unique descriptions "syntax=%severity%: %source%: %message% (%count%)"

alias_file_size=CheckFiles "filter=size > $ARG2$" "path=$ARG1$" MaxWarn=1 MaxCrit=1 "syntax=%filename% %size%" max-dir-depth=10
alias_file_age=checkFile2 filter=out "file=$ARG1$" filter-written=>1d MaxWarn=1 MaxCrit=1 "syntax=%filename% %write%"

alias_sched_all=CheckTaskSched "filter=exit_code ne 0" "syntax=%title%: %exit_code%" warn=>0
alias_sched_long=CheckTaskSched "filter=status = 'running' AND most_recent_run_time < -$ARG1$" "syntax=%title% (%most_recent_run_time%)" warn=>0
alias_sched_task=CheckTaskSched "filter=title eq '$ARG1$' AND exit_code ne 0" "syntax=%title% (%most_recent_run_time%)" warn=>0

alias_updates=check_updates -warning 0 -critical 0

check_ok=CheckOK Everything is fine!

ATTENTION : Rebooter le service NSClient++

Après chaque modification dans le fichier de configuration NSClient, il faut relancer le service.

Windows Certificats Validity Plugin

Nous allons allons utiliser le plugin NRPE.

[root@pixelabs plugins]# ./centreon_plugins.pl --list-plugin | grep nrpe | grep PLUGIN
PLUGIN: apps::protocols::nrpe::plugin
[root@@pixelabs  plugins]#

Les modes disponibles :

[root@@pixelabs  plugins]# perl centreon_plugins.pl --plugin=apps::protocols::nrpe::plugin --list-mode

Plugin Description:
    Trigger commands against NRPE/NSClient agent.

Global Options:
    --mode  Choose a mode.

    --dyn-mode
            Specify a mode with the path (separated by '::').

    --list-mode
            List available modes.

    --mode-version
            Check minimal version of mode. If not, unknown error.

    --version
            Display plugin version.

    --custommode
            Choose a custom mode.

    --list-custommode
            List available custom modes.

    --multiple
            Multiple custom mode objects (required by some specific modes)

    --pass-manager
            Use a password manager.

Modes Meta:
   multi

Modes Available:
   query
[root@@pixelabs  plugins]#

Toujours penser à afficher de l’aide pour construire votre commande facilement :

[root@pixelabs plugins]# perl centreon_plugins.pl --plugin=apps::protocols::nrpe::plugin --mode=query --custommode=nrpe --help

Plugin Description:
    Trigger commands against NRPE/NSClient agent.

Global Options:
    --mode  Choose a mode.

    --dyn-mode
            Specify a mode with the path (separated by '::').

    --list-mode
            List available modes.

    --mode-version
            Check minimal version of mode. If not, unknown error.

    --version
            Display plugin version.

    --custommode
            Choose a custom mode.

    --list-custommode
            List available custom modes.

    --multiple
            Multiple custom mode objects (required by some specific modes)

    --pass-manager
            Use a password manager.

Output Options:
    --verbose
            Display long output.

    --debug Display also debug messages.

    --filter-perfdata
            Filter perfdata that match the regexp.

    --explode-perfdata-max
            Put max perfdata (if it exist) in a specific perfdata (without
            values: same with '_max' suffix) (Multiple options)

    --change-perfdata --extend-perfdata
            Change or extend perfdata. Syntax:
            --extend-perfdata=searchlabel,newlabel,target[,[newuom],[min],[m
            ax]]

            Common examples:

                Change storage free perfdata in used:
                --change-perfdata=free,used,invert()

                Change storage free perfdata in used:
                --change-perfdata=used,free,invert()

                Scale traffic values automaticaly:
                --change-perfdata=traffic,,scale(auto)

                Scale traffic values in Mbps:
                --change-perfdata=traffic_in,,scale(Mbps),mbps

                Change traffic values in percent:
                --change-perfdata=traffic_in,,percent()

    --extend-perfdata-group
            Extend perfdata from multiple perfdatas (methods in target are:
            min, max, average, sum) Syntax:
            --extend-perfdata-group=searchlabel,newlabel,target[,[newuom],[m
            in],[max]]

            Common examples:

                Sum wrong packets from all interfaces (with interface need
                --units-errors=absolute):
                --extend-perfdata-group=',packets_wrong,sum(packets_(discard
                |error)_(in|out))'

                Sum traffic by interface:
                --extend-perfdata-group='traffic_in_(.*),traffic_$1,sum(traf
                fic_(in|out)_$1)'

    --change-short-output
            Change short output display.
            --change-short-output=pattern~replace~modifier

    --range-perfdata
            Change perfdata range thresholds display: 1 = start value equals
            to '0' is removed, 2 = threshold range is not display.

    --filter-uom
            Filter UOM that match the regexp.

    --opt-exit
            Optional exit code for an execution error (i.e. wrong option
            provided, SSH connection refused, timeout, etc) (Default:
            unknown).

    --output-ignore-perfdata
            Remove perfdata from output.

    --output-ignore-label
            Remove label status from output.

    --output-xml
            Display output in XML format.

    --output-json
            Display output in JSON format.

    --output-openmetrics
            Display metrics in OpenMetrics format.

    --output-file
            Write output in file (can be used with json and xml options)

    --disco-format
            Display discovery arguments (if the mode manages it).

    --disco-show
            Display discovery values (if the mode manages it).

    --float-precision
            Set the float precision for thresholds (Default: 8).

    --source-encoding
            Set encoding of monitoring sources (In some case. Default:
            'UTF-8').

Custom Mode Options:
    NRPE protocol

    --hostname
            Remote hostname or IP address.

Nrpe Class Options:
    --nrpe-version
            Version: 2 for NRPE v2 (Default), 3 for NRPE v3.

    --nrpe-port
            Port (Default: 5666).

    --nrpe-payload
            Buffer payload (For v2 only) (Default: 1024).

    --nrpe-bindaddr
            Bind to local address.

    --nrpe-use-ipv4
            Use IPv4 only

    --nrpe-use-ipv6
            Use IPv6 only

    --nrpe-timeout
            Timeout in secondes (Default: 10).

    --ssl-opt
            Set SSL Options (--ssl-opt="SSL_version => 'TLSv1'"
            --ssl-opt="SSL_verify_mode => 0" --ssl-opt="SSL_cipher_list =>
            ALL").

Mode:
    Trigger commands against NRPE/NSClient agent.

    --command
        Set command. In nrpe use following command to get server version:
        --command='_NRPE_CHECK'

    --arg
        Set arguments (Multiple option. Example: --arg='arg1' --arg='arg2').

    --sanitize-message
        Sanitize message by removing heading code and separator from
        returned message (ie "OK - ").

[root@pixelabs plugins]#

Check Windows Certificats Validity

Check Windows Certificats :

[root@pixelabs plugins]# perl centreon_plugins.pl --plugin=apps::protocols::nrpe::plugin --mode=query --hostname=dc-pixel01.pixelabs.lan --custommode=nrpe --command=check_ca --nrpe-timeout=30 --verbose
EXPIRED CN=PIXELABS, DC=PIXELABS, DC=LAN expired 22/11/2020 10:03:07
EXPIRED CN=*.pixelabs.lan, OU=PIXELABS, O=PIXEL, L=TOULOUSE, S=HAUTE-GARONNE, C=FR expired 22/11/2020 10:03:07
[root@pixelabs plugins]#

Si vous utilisez ce plugin pour la première fois, vous aurez (sans doute) ces erreurs :

• Can’t locate Convert/Binary/C.pm in @INC (@INC contains: /usr/lib/centreon/plugins …..
• Can’t locate Digest/CRC.pm in @INC (@INC contains: /usr/lib/centreon/plugins ….
• Can’t locate IO/Socket/INET6.pm in @INC (@INC contains: /usr/lib/centreon/plugins ….
• Can’t locate Socket6.pm in @INC (@INC contains: /usr/lib/centreon/plugins ….

Solution : Installer les modules perl suivant :

[root@centreon plugins]# cpan -i Convert::Binary::C
[root@centreon plugins]# cpan -i Digest::CRC
[root@centreon plugins]# cpan -i IO::Socket::INET6
[root@centreon plugins]# cpan -i Socket6

N’oubliez pas de rajouter les macros : Configuration > Collecteurs > Resources

• $_SERVICEPLUGIN$
• $_SERVICEMODE$
• $_SERVICESUBCOMMAND$
• $_SERVICECOMMAND$
• $_SERVICETIMEOUT$
• $_SERVICEEXTRAOPTIONS$

Voici la commande pour Centreon web :

• Configuration > Commandes > Vérification
• Nom : NRPE-Protocol
• Commande :

$USER2$/centreon_plugins.pl --plugin=$_SERVICEPLUGIN$ --mode=$_SERVICEMODE$ --hostname=$HOSTADDRESS$ --custommode=$_SERVICESUBCOMMAND$ --command=$_SERVICECOMMAND$ --nrpe-timeout=$_SERVICETIMEOUT$ $_SERVICEOPTION$

Exemple de service :

Remarque : vous pouvez réutiliser cette commande pour d’autres hosts. Il y a que le champs COMMAND qui change selon le nom de vos commandes dans votre fichier nsclient.ini.

C’est terminé. Amusez-vous bien.

Bonne journée et à très bientôt.