check_http and SNI SSL certificates

Written by - 4 comments

Published on - last updated on July 13th 2020 - Listed in Nagios Linux Monitoring

As probably most of you know, the Nagios plugin check_http can also be used to verify the validity (from the expiration date point of view) of a ssl certificate.

However if you use SNI (multiple SSL certificates on the same IP address), you have to keep in mind to use the --sni switch. Otherwise a wrong ssl certitificate could be shown:

./check_http -H -S -C 30,14
OK - Certificate '' will expire on 12/23/2014 13:40. 

Note the wrong certificate common name.

For SNI enabled web servers, the switch --sni is a must:

./check_http -H -S --sni -C 30,14
OK - Certificate '' will expire on 12/23/2014 13:42.

Use check_ssl_cert instead

Update July 13th, 2020: Instead of using check_http to monitor SSL/TLS certificates, one should use the monitoring plugin check_ssl_cert. It not only allows to check certificates on all kinds of protocols (ftp, smtp, imap, http, ..) but also allows additional checks such as OCSP or chain validation. See article Monitoring expiration dates of all ssl/tls certificates in the chain (intermedia and root CA) for more information.

Add a comment

Show form to leave a comment

Comments (newest first)

ck from Switzerland wrote on Jul 13th, 2020:

Hi Max. The first check did not fail because check_http only checks if the certificate is valid by looking at the validity dates. It does not check for matching the given host name. In the past year I switched to the check_ssl_cert plugin to monitor tls certificates. I updated the article accordingly.

Max from wrote on Jul 11th, 2020:

The first example should have failed.
The test1 certificate is not valid for a test2 hostname.

How can we get nagios to verify that the name in the certificate is valid for this hostname.

ck from Switzerland wrote on Oct 7th, 2014:

Kevin, your whole SNI setup wouldn't work correctly if you cannot send the Server Name... ? That's how the web server knows which certificate to deliver to the browser. Or what do you mean with "does not allow me to send the ServerName"?

Kevin from wrote on Oct 7th, 2014:

I have a single nagios server monitoring multiple load balanced apache servers. The same 3 SSL certs are on each server and only distinguished using SNI. I have to identify the host by it's IP address because of this. This --sni parameter doesn't help me in this situation as it does not allow me to send the ServerName.

RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Icingaweb   Icingaweb2   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder   

Update cookies preferences