Alex Monk has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/309203

Change subject: check_ssl: Use a maximum percentage of certificate validity 
time for determining alert state
......................................................................

check_ssl: Use a maximum percentage of certificate validity time for 
determining alert state

I have chosen 83.5% for warning and 91.8% for critical.

If I've done it right this means that:
* Certificates valid for 90 days...
** Should warn if they are in use with only 14.85 days left
** Should go critical if they are in use with only 7.38 days left
* Certificates valid for 365 days...
** Should warn if they are in use with only 60.225 days left
** Should go critical if they are in use with only 29.93 days left

This means normal certificates are left at around 60/30 days to respond, and
if Let's Encrypt breaks we have around 7-14 days to deal with it before users
notice.

Bug: T144293
Change-Id: I143c1da4a23ea94d98ebd886bc807c1eb7207179
---
M modules/nagios_common/files/check_commands/check_ssl
M modules/nagios_common/files/check_commands/check_ssl.cfg
M modules/nagios_common/files/check_commands/check_sslxNN
3 files changed, 11 insertions(+), 8 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet 
refs/changes/03/309203/1

diff --git a/modules/nagios_common/files/check_commands/check_ssl 
b/modules/nagios_common/files/check_commands/check_ssl
index d1cb6e1..8983958 100755
--- a/modules/nagios_common/files/check_commands/check_ssl
+++ b/modules/nagios_common/files/check_commands/check_ssl
@@ -9,7 +9,7 @@
 #
 # Example usage:
 #   check_ssl -H test.example.org -p 443
-#   check_ssl -H text-lb.wikimedia.org -p 443 --cn en.wikipedia.org --warning 
30 --critical 60 --issuer GlobalSign
+#   check_ssl -H text-lb.wikimedia.org -p 443 --cn en.wikipedia.org --warning 
0.835 --critical 0.918 --issuer GlobalSign
 
 package Local::CheckSSL;
 
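Review bot: The usage example on the added line now passes fractions, but nothing in the header says what the numbers mean, and the reverse ordering from the old example (warning below critical) will read as a typo to the next maintainer; a comment such as `#   (--warning/--critical are the fraction of the validity period that may elapse before alerting, e.g. 0.835 = 83.5%)` next to the example would settle it. The same applies to the example in check_sslxNN. The option help text for `--warning`/`--critical` is not in the diff; if it still describes the values as days it should be updated alongside these examples.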
@@ -218,16 +218,19 @@
     my $expiry = strftime( '%Y-%m-%d %H:%M:%S +0000', gmtime($notAfter) );
     $expiry .= ' (expires in ' . int( ( $notAfter - $now ) / 86400 ) . ' 
days)';
 
+    $duration = $notAfter - $notBefore;
+    $elapsed = $now - $notBefore;
+
     if ( $notBefore > $now ) {
         push @crit, "Certificate $name not yet valid";
     }
     elsif ( $notAfter < $now ) {
         push @crit, "Certificate $name expired";
     }
-    elsif ( $notAfter - $now < $ng->critical * 86400 ) {
+    elsif ( $elapsed / $duration > $ng->critical ) {
         push @crit, "Certificate $name valid until $expiry";
     }
-    elsif ( $notAfter - $now < $ng->warning * 86400 ) {
+    elsif ( $elapsed / $duration > $ng->warning ) {
         push @warn, "Certificate $name valid until $expiry";
     }
     else {
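Review bot: `$duration` and `$elapsed` on the two added lines are assigned without `my`; unless they are declared earlier in this function (outside the hunk) this will not compile under `use strict`, so declare them at first use: `my $duration = $notAfter - $notBefore;` and `my $elapsed = $now - $notBefore;`. The ratio `$elapsed / $duration` also divides by zero for a certificate whose notBefore equals notAfter, which slips past the two preceding branches exactly when `$now` equals both; a guard such as `elsif ( $duration <= 0 || $elapsed / $duration > $ng->critical )` keeps the check from dying instead of reporting. Because the thresholds are now fractions, it is worth rejecting values outside (0, 1] where the options are parsed (outside the hunk): any caller still passing the old day counts would compare a ratio against 30 or 60 and never alert, a silent failure of the expiry check rather than a loud one. If `--warning`/`--critical` are declared with an integer spec in the Getopt setup (not shown), 0.835 will be rejected at parse time, so confirm the spec accepts floats. The enclosing function starts and ends outside the hunk.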
diff --git a/modules/nagios_common/files/check_commands/check_ssl.cfg 
b/modules/nagios_common/files/check_commands/check_ssl.cfg
index 519a97e..40c3cf1 100644
--- a/modules/nagios_common/files/check_commands/check_ssl.cfg
+++ b/modules/nagios_common/files/check_commands/check_ssl.cfg
@@ -1,22 +1,22 @@
 # Verify a SSL certificate is valid and not going to expire
 define command{
     command_name    check_ssl_http
-    command_line    $USER1$/check_ssl --warning 60 --critical 30 -H 
$HOSTADDRESS$ -p 443 --cn $ARG1$
+    command_line    $USER1$/check_ssl --warning 0.835 --critical 0.918 -H 
$HOSTADDRESS$ -p 443 --cn $ARG1$
 }
 
 define command{
     command_name    check_ssl_http_on_port
-    command_line    $USER1$/check_ssl --warning 60 --critical 30 -H 
$HOSTADDRESS$ --cn $ARG1$ -p $ARG2$
+    command_line    $USER1$/check_ssl --warning 0.835 --critical 0.918 -H 
$HOSTADDRESS$ --cn $ARG1$ -p $ARG2$
 }
 
 define command{
     command_name    check_ssl_http_on_host_port
-    command_line    $USER1$/check_ssl --warning 60 --critical 30 --cn $ARG1$ 
-H $ARG2$ -p $ARG3$
+    command_line    $USER1$/check_ssl --warning 0.835 --critical 0.918 --cn 
$ARG1$ -H $ARG2$ -p $ARG3$
 }
 
 # check SSL certs on LDAP servers
 define command{
     command_name    check_ssl_ldap
-    command_line    $USER1$/check_ssl --warning 60 --critical 30 -H 
$HOSTADDRESS$ -p 636 --cn $ARG1$
+    command_line    $USER1$/check_ssl --warning 0.835 --critical 0.918 -H 
$HOSTADDRESS$ -p 636 --cn $ARG1$
 }
 
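Review bot: The four updated command_line entries now have `--warning` numerically below `--critical`, the opposite of the old 60/30 day values, and the file gives no hint that the unit changed; a reader is likely to "fix" it back. I would extend the header comment to `# Verify a SSL certificate is valid and not going to expire; --warning/--critical are the fraction of the validity period that may elapse before alerting`. Any check_ssl invocation defined outside this file still passing day counts will compare a ratio against a number above 1 and never alert, so those definitions need the same update.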
diff --git a/modules/nagios_common/files/check_commands/check_sslxNN 
b/modules/nagios_common/files/check_commands/check_sslxNN
index bc834ba..a45f7d4 100755
--- a/modules/nagios_common/files/check_commands/check_sslxNN
+++ b/modules/nagios_common/files/check_commands/check_sslxNN
@@ -9,7 +9,7 @@
 #
 # Example usage:
 #   check_sslxNN -H text-lb.wikimedia.org -p 443 --issuer GlobalSign
-#   check_sslxNN -H cp1036.eqiad.wmnet -p 443 --warning 30 --critical 60
+#   check_sslxNN -H cp1036.eqiad.wmnet -p 443 --warning 0.835 --critical 0.918
 
 package Local::CheckSSL::xNN;
 
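Review bot: Only the usage example changes in check_sslxNN, and no command definition for it is touched in this change. If the `Local::CheckSSL::xNN` package reuses the comparison from Local::CheckSSL this is consistent; if it carries its own day-based comparison of `--warning`/`--critical` against time remaining (not visible here), it would now receive fractions while still comparing days and effectively never alert. Either way a one-line comment stating which implementation performs the threshold check would make the dependency explicit.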


Gerrit-MessageType: newchange
Gerrit-Change-Id: I143c1da4a23ea94d98ebd886bc807c1eb7207179
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Alex Monk <[email protected]>
