Category Archives: Monitoring

How to install/change SSL/TLS certificate

How to add new SSL/TLS certificate

If you need to set up HTTPS, you will need a new SSL/TLS certificate:
1. Gather the following information, which is needed for the certificate signing request (CSR):

    Country Name (2 letter code)
    State or Province Name (full name)
    Locality Name (eg, city)
    Organization Name (eg, company)
    Organizational Unit Name (eg, section)
    Common Name (e.g. server FQDN or YOUR name)
    Email Address
    The FQDN is the hostname/domain your server is reached under (the name users type into the browser).

2. Generate a private key and certificate request:

openssl req -out cert.csr -new -newkey rsa:2048 -nodes -keyout cert.key

-nodes leaves the private key unencrypted so the web server can start without a passphrase; keep cert.key readable by root only.
3. Buy a certificate using the generated CSR (only cert.csr leaves your server, the private key never does).
4. Add the certificate to expiration monitoring (if you have monitoring).
5. Install it on your server (see below).

How to install/change SSL/TLS certificate

1. If you received a .pfx file, use the following command to decode it:

openssl pkcs12 -in domain.pfx -out certificate -nodes

This writes both the private key and the certificate into the file certificate (the key unencrypted, because of -nodes).
2. You should end up with 4 files:

    domain-name.crt — X.509 certificate file
    domain-name.csr — X.509 certificate request file
    intermediate.crt — X.509 certificate of the intermediate CA that signed your certificate
    domain-name.key — RSA private key file for the certificate

3. Check that the files belong together:

openssl rsa -noout -modulus -in cert.key
openssl req -noout -modulus -in cert.csr
openssl x509 -noout -modulus -in cert.crt

All three commands should print the same modulus (pipe each into md5sum if you want something shorter to compare by eye).
4. Check the validity dates of the new certificate:

openssl x509 -noout -dates -in cert.crt

5. Check that the domain certificate and the intermediate certificate are compatible:

openssl verify -CAfile intermediate.crt domain-name.crt
domain-name.crt: OK

If you have several intermediate certificates, put them all into one intermediate.crt file.
6. Create the chain certificate file:

cat domain-name.crt intermediate.crt > cert.crt

Remember that the first certificate must be the one for your domain and the intermediate(s) go after it, each issuer following the certificate it signed.
7. Put cert.crt and cert.key into the server's ssl folder.
8. Restart the web server.
9. Check that the certificate was updated successfully:

openssl s_client -connect domain.name:443 2>/dev/null < /dev/null | openssl x509 -noout -dates

Add -servername domain.name to s_client if the server hosts several names on one IP (SNI), otherwise you may be shown a different certificate.
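The checks from steps 3, 5 and 6, done with Ruby's OpenSSL bindings instead of the openssl CLI. This is an added example, not part of the original post; the function names are mine and it assumes RSA keys, as in the rsa:2048 request above.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original post): the pre-install checks
# of steps 3, 5 and 6 done with Ruby's OpenSSL bindings.
require 'openssl'

# Step 3: key, CSR and certificate must carry the same RSA modulus
# (what comparing the `openssl ... -noout -modulus` outputs checks).
def same_modulus?(key_pem, csr_pem, crt_pem)
  key = OpenSSL::PKey::RSA.new(key_pem)
  csr = OpenSSL::X509::Request.new(csr_pem)
  crt = OpenSSL::X509::Certificate.new(crt_pem)
  [csr.public_key, crt.public_key].all? { |pk| pk.n == key.n }
end

# Step 5: does the domain certificate chain through the intermediates
# to a trusted root?  Without root_pem the system trust store is used,
# which is what `openssl verify -CAfile intermediate.crt` relies on.
def chain_ok?(crt_pem, intermediate_pems, root_pem = nil)
  store = OpenSSL::X509::Store.new
  if root_pem
    store.add_cert(OpenSSL::X509::Certificate.new(root_pem))
  else
    store.set_default_paths
  end
  untrusted = intermediate_pems.map { |p| OpenSSL::X509::Certificate.new(p) }
  store.verify(OpenSSL::X509::Certificate.new(crt_pem), untrusted)
end

# Step 6: build cert.crt with the domain certificate first and every
# issuer right after the certificate it signed, whatever order the
# PEMs were handed in.
def build_chain(pems)
  certs = pems.map { |p| OpenSSL::X509::Certificate.new(p) }
  issuers = certs.map(&:issuer)
  # the end-entity certificate is the one that issued nothing in the set
  leaf = certs.find { |c| !issuers.include?(c.subject) }
  raise ArgumentError, 'no end-entity certificate found' unless leaf
  ordered = [leaf]
  loop do
    cur = ordered.last
    break if cur.subject == cur.issuer  # reached a self-signed root
    nxt = certs.find do |c|
      c.subject == cur.issuer && ordered.none? { |o| o.to_der == c.to_der }
    end
    break unless nxt                    # issuer not supplied; stop here
    ordered << nxt
  end
  ordered.map(&:to_pem).join
end
```

Feed the functions the PEM text of cert.key, cert.csr, domain-name.crt and intermediate.crt; a false from same_modulus? or chain_ok? is exactly the mismatch the CLI steps would reveal.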

Checking for missing intermediate certificate

If your browser says the site is untrusted and you get the following error:

openssl s_client -connect display.intencysrv.com:443 -showcerts
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = display.intencysrv.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = display.intencysrv.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = display.intencysrv.com
verify error:num=21:unable to verify the first certificate
verify return:1
<...>

then you are probably missing the intermediate certificate. Find it (your CA publishes its intermediate certificates; searching for the issuer name shown in your certificate turns it up), check that it's compatible and install it (see steps 4-5 above). You can check remotely that the downloaded intermediate certificate is compatible:

openssl s_client -connect domain.name:443 -CAfile ca.crt

Here ca.crt is the downloaded intermediate; look for "Verify return code: 0 (ok)" at the end of the output.

Remember,
Apache supports bundled certificates (the chain inside SSLCertificateFile) starting from 2.4.8. If you are using an Apache version prior to this, point SSLCertificateChainFile at intermediate.crt instead, otherwise you might get a message about a missing intermediate certificate.

Zabbix: Domain's expiration date monitoring

Put the following script, «paid-domain.rb», into Zabbix's externalscripts/ folder:

#!/usr/bin/env ruby
# Zabbix externalscript: prints the number of days until the domain's
# registration expires, as reported by WHOIS.
require 'whois'
require 'date'

domain = ARGV[0]
abort "usage: paid-domain.rb <domain>" if domain.nil? || domain.empty?

whs = Whois::Client.new(timeout: 30)
r = whs.lookup(domain)
# make the item unsupported instead of crashing when the registry's
# WHOIS answer carries no expiration date
abort "no expiration date found for #{domain}" unless r.expires_on

# compare dates only, so the result is a whole number of days
expire_date = r.expires_on.to_date
today_date = Date.today
difference_in_days = (expire_date - today_date).to_i
puts difference_in_days

Install the necessary gem:
gem install whois

(With whois 4 and later the parsers, including expires_on, live in the separate whois-parser gem, so install that too.) Make the script executable (chmod +x).

Add the script's description to the zabbix_agentd.d folder; I named the config «paid-domain.conf»:
UserParameter=domain.daysleft[*],/etc/zabbix/externalscripts/paid-domain.rb "$1"

Then add a new item in Templates/Hosts with the key domain.daysleft[example.com]. The script returns the number of days from now until the expiration date; just add triggers on it which notify you.
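An externalscript for step 4 of the first post (certificate expiration monitoring), written in the same style as paid-domain.rb. It is an added example, not from the original post; the script name cert-daysleft.rb and the item key cert.daysleft are my own choices, and it assumes only Ruby's bundled openssl library.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original post): Zabbix externalscript
# printing the days until a TLS certificate expires, in the style of
# paid-domain.rb, from a PEM file or from a live server.
require 'openssl'
require 'socket'

# Days from `now` until notAfter; negative once the certificate expired.
def cert_days_left(pem, now = Time.now)
  cert = OpenSSL::X509::Certificate.new(pem)
  ((cert.not_after - now) / 86400).floor
end

# Fetch the leaf certificate a server presents, with SNI set to host:
# what `openssl s_client -connect host:443` shows. Verification is off
# on purpose here, we want the certificate even when it is broken.
def fetch_server_cert(host, port = 443)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = host
  ssl.connect
  ssl.peer_cert.to_pem
ensure
  ssl&.close
  tcp&.close
end

# usage: cert-daysleft.rb host[:port] | /path/to/cert.pem
# agent side: UserParameter=cert.daysleft[*],/etc/zabbix/externalscripts/cert-daysleft.rb "$1"
unless ARGV.empty?
  arg = ARGV[0]
  if File.exist?(arg)
    pem = File.read(arg)
  else
    host, port = arg.split(':')
    pem = fetch_server_cert(host, (port || 443).to_i)
  end
  puts cert_days_left(pem)
end
```

Add an item with key cert.daysleft[domain.name] and a trigger on a low value, the same way as for domain.daysleft above.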

Zabbix: pushbullet notifications

Put the following script into Zabbix's alertscripts folder:

#!/bin/bash
# Zabbix alertscript: sends a Pushbullet note when a trigger fires (subject
# starts with PROBLEM) and deletes that note again when the OK arrives.
# Arguments from Zabbix: $1 = "Send to" (Pushbullet access token),
# $2 = subject, $3 = message body.

WDIR='/tmp/zabbix/pushbullet'   # remembers the push id per token/event
LOG="/var/log/pushbullet.log"
mkdir -p "$WDIR" &>/dev/null

(
to="$1"
subject="$2"
body="$3"

if [[ -z "$to" ]]; then exit 0; fi

# the event id comes from the "Original event ID: {EVENT.ID}" line in the body
OID=$(echo "$body" | grep '^Original event ID: ' | awk '{print $4}')
# timestamp for the log; set here so both branches can use it
D=$(date -R)

if [[ -z $(echo "$subject" | grep '^PROBLEM') ]]; then
    # OK (recovery): delete the push we sent for this event, if any
    if [[ -f "$WDIR/$to-$OID" ]]; then
        ID=$(cat "$WDIR/$to-$OID")
        R=$(curl -u "$to": "https://api.pushbullet.com/v2/pushes/$ID" -X DELETE)
        echo -ne "$D Delete\nTo: $to\nSubject: $subject\nBody: $body\nOID: $OID\nResult: " >> "$LOG"
        echo "$R" >> "$LOG"
        rm -f "$WDIR/$to-$OID"
    fi
else
    # PROBLEM: send a note and remember its id for the later delete
    echo -ne "$D Sending\nTo: $to\nSubject: $subject\nBody: $body\nOID: $OID\nResult: " >> "$LOG"
    R=$(curl -u "$to": https://api.pushbullet.com/v2/pushes -d type=note -d title="$subject" -d body="$body")
    echo "$R" >> "$LOG"
    ID=$(echo "$R" | grep -Po '"iden":"[^"]+"' | tr -d '"' | awk -F ':' '{print $2}')
    echo "$ID" > "$WDIR/$to-$OID"
fi

) &>/dev/null

Add it in Administration -> Media types (type Script). Then in Profile -> Media of your user choose pushbullet and put the Access token from https://www.pushbullet.com/account in the «Send to» field.

That script pushes a new notification when a trigger fires and removes the notification from Pushbullet when Zabbix sends «OK». Note that the log file records the «Send to» value, i.e. the access token, so make /var/log/pushbullet.log readable by the zabbix user only.

PS: Zabbix's notification template (Configuration -> Actions -> Triggers) must contain the string «Original event ID: {EVENT.ID}», otherwise the script cannot match the OK to the PROBLEM it should delete.