SSL certificate expiration check SSL-Cert-HTTPS-443 not working

Problem:
Enabled SSL-Cert-HTTPS-443 in poller-configuration.xml but no alerts are generated.

Expected outcome:
I’m expecting some sort of alerts to be generated for expired certs.

OpenNMS version:
28.1.0

Other relevant data:
poller-configuration.xml :

<service name="SSL-Cert-HTTPS-443" interval="7200000" user-defined="false" status="on">
    <parameter key="retry" value="2"/>
    <parameter key="timeout" value="3000"/>
    <parameter key="port" value="443"/>
    <parameter key="days" value="2500"/>
    <parameter key="server-name" value="$\{nodelabel}.mydomain.com"/>
</service>
...
  <monitor service="SSL-Cert-HTTPS-443" class-name="org.opennms.netmgt.poller.monitors.SSLCertMonitor" />

also tried
<parameter key="server-name" value="$\{nodelabel}"/>

This is on a fresh installation of OpenNMS on CentOS 8.

What am I missing here?

According to https://wiki.opennms.org/wiki/Monitoring_SSL_certificates I should edit:

capsd-configuration.xml

and add some config for the discovery.

I don’t see this capsd-configuration.xml in /opt/opennms/etc . There is no /etc/opennms directory either.

Can you please try without the leading \ in front of the {} like this:

<parameter key="server-name" value="${nodelabel}.mydomain.com"/>

Ok, I tried:

<parameter key="server-name" value="${nodelabel}.mydomain.com"/>

But still I don’t see any alerts.

I also changed the poller-configuration.xml to:

    <!-- enable monitoring of already discovered HTTPS SSL certificates for certificate date expiration -->
    <service name="SSLCert" interval="900000" user-defined="false" status="on">
      <parameter key="retry" value="2"/>
      <parameter key="timeout" value="3000"/>
      <parameter key="port" value="443"/>
      <parameter key="days" value="21"/>
    </service>
...
  <!-- enable monitoring of already discovered HTTPS SSL certificates for certificate date expiration -->
  <monitor service="SSLCert" class-name="org.opennms.netmgt.poller.monitors.SSLCertMonitor"/>

I see capsd has now been deprecated in favor of provisiond.

I also see the config for provisiond is missing in https://wiki.opennms.org/wiki/Monitoring_SSL_certificates

Discovery using provisiond

  • TODO

How do I configure provisiond to check for SSL certificate expirations?

I went back to this config per https://docs.opennms.com/horizon/28.1.0/operation/service-assurance/monitors/SSLCertMonitor.html but still no joy:

<service name="SSL-Cert-HTTPS-443" interval="7200000" user-defined="false" status="on">
    <parameter key="retry" value="2"/>
    <parameter key="timeout" value="3000"/>
    <parameter key="port" value="443"/>
    <parameter key="days" value="2500"/>
    <parameter key="server-name" value="${nodelabel}.medsphere.com"/>
</service>
...
   <monitor service="SSL-Cert-HTTPS-443" class-name="org.opennms.netmgt.poller.monitors.SSLCertMonitor" />

Is this working for anyone else?

Service monitors by themselves don’t do anything. The service has to exist on a node, either from a Detector, or via Provisioning Requisition, before a service monitor will be run against it.

Add a detector to the default foreign source:
<detector name="SSL-Cert-HTTPS-443" class="org.opennms.netmgt.provision.detector.simple.HttpsDetector"/>

or via the webui:

Then rescan a / the node.

Thanks, that worked. I had to add a detector in the GUI which then created the default-foreign-source.xml file.

How does OpenNMS know which detectors in default-foreign-source.xml correspond to which services in poller-configuration.xml? Does it match them based on name?

I would like to monitor services and certificates running on ports other than 443.

It’s by name, and it’s case sensitive.
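
A way to catch the problem from this thread before waiting for alerts that never come, as an added example that is not part of the original posts or of OpenNMS: it cross-checks the service names in poller-configuration.xml against the detector names in default-foreign-source.xml using the exact, case-sensitive match described above. The two XML samples, the package name `example1` and the lower-case `sslcert` detector are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples, trimmed to the elements quoted in the thread.
POLLER_XML = """
<poller-configuration xmlns="http://xmlns.opennms.org/xsd/config/poller">
  <package name="example1">
    <service name="SSL-Cert-HTTPS-443" interval="7200000" user-defined="false" status="on">
      <parameter key="port" value="443"/>
    </service>
    <service name="SSLCert" interval="900000" user-defined="false" status="on"/>
  </package>
  <monitor service="SSL-Cert-HTTPS-443" class-name="org.opennms.netmgt.poller.monitors.SSLCertMonitor"/>
  <monitor service="SSLCert" class-name="org.opennms.netmgt.poller.monitors.SSLCertMonitor"/>
</poller-configuration>
"""

FOREIGN_SOURCE_XML = """
<foreign-source xmlns="http://xmlns.opennms.org/xsd/config/foreign-source" name="default">
  <detectors>
    <detector name="SSL-Cert-HTTPS-443" class="org.opennms.netmgt.provision.detector.simple.HttpsDetector"/>
    <detector name="sslcert" class="org.opennms.netmgt.provision.detector.simple.HttpsDetector"/>
  </detectors>
</foreign-source>
"""

def names(xml_text, element, attribute):
    """Collect an attribute from every element with this local name, ignoring XML namespaces."""
    root = ET.fromstring(xml_text)
    return {el.get(attribute) for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == element and el.get(attribute)}

def check(poller_xml, foreign_source_xml):
    """Return one finding per polled service that no monitor or detector matches exactly."""
    services = names(poller_xml, "service", "name")
    monitors = names(poller_xml, "monitor", "service")
    detectors = names(foreign_source_xml, "detector", "name")
    findings = []
    for svc in sorted(services):
        if svc not in monitors:
            findings.append((svc, "no <monitor> with this service name"))
        if svc not in detectors:
            near = sorted(d for d in detectors if d.lower() == svc.lower())
            hint = f"case mismatch with detector {near[0]!r}" if near else "no detector with this name"
            findings.append((svc, hint))
    return findings

if __name__ == "__main__":
    for svc, problem in check(POLLER_XML, FOREIGN_SOURCE_XML):
        print(f"{svc}: {problem}")
```

A service assigned to a node through a provisioning requisition instead of a detector will also show up as a finding here, so treat the output as a list to review.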