SSL Cert expiry monitoring for internal self signed certificates

A few years ago, Rod Ormon asked the following question in the OpenNMS Discuss mailing list:

I have been using the user-contributed monitor that checks SSL Certificates to see if they are expired - so far it works great. See:

I have only been using it to monitor externally signed certs (VeriSign, etc.) but now I have a number of servers with locally self-signed certs to check. The monitor doesn’t work for these certs.

Has anyone been using this SSLCertMonitor? Have you been able to get it to use an “insecure” connection so it can just check the cert expiry date?


I have a very similar question, and when searching, found Rods question, however, there was no response at the time, so I’m asking the question again.

How do I monitor an SSL cert for Expiry only while ignoring domain name mismatches or other issues with the certificate? My monitoring server is on the wrong side of the firewall so is testing external websites from an internal address so there is a name mismatch, or it is an internal site with a selfsigned certificate, and all I care about is the expiry date.

SSLCertMonitor uses the RelaxedX509ExtendedTrustManager (an extension on X509ExtendedTrustManager) to not do any CA validation or any SSL algorithm validation.

If you specify a value for service property server-name then it would be trying to validate names on the certificate against that. But you’d get a poller failure with Host name verification failed - certificate common name is invalid.

1 Like

Ah, yes! that has done the trick. I had:

<parameter key="server-name" value="${nodelabel}"/>

Removing that parameter has fixed it.