How to monitor client certificates in OPNsense?

Started by Roman199709, February 13, 2024, 03:08:33 PM

Please tell me how to monitor, for example with Zabbix, the validity period of the client certificate?

You need a Zabbix installation. Zabbix does not run on OPNsense. You need a dedicated Linux or FreeBSD server to run one of the common monitoring products like Zabbix, Nagios or Icinga - as I already explained to you.

Then you need to learn how to configure (via configuration files) these products so they will display the state of your certificates in their web UI.

The plugin options named e.g. Zabbix-agent are smaller pieces of software that you can run on OPNsense so a Zabbix server can monitor your OPNsense. They don't turn OPNsense into a monitoring system.

How many certificates do you have that you want to monitor?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Good day! Our company has a Zabbix server. It monitors OPNsense using the SNMP protocol. But it doesn't track certificates by expiration date. I need to notify 10 days before the expiration date. The number of client certificates is about one hundred.

Well, that is not really an OPNsense question, is it? You'd be much better assisted in the Zabbix forum, probably.

Google turned up this thread in seconds:
https://www.zabbix.com/forum/zabbix-help/16078-monitor-ssl-certificate-expiry
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I had the same request and solved it by using OPNsense monit integration.

Because the test is not available over the GUI, you need to create a config file under /usr/local/etc/monit.opnsense.d (e.g. 01-CertValidationTest.conf)

Add the following code:

# Check the TLS certificate that example.tld presents on port 443 and
# raise an alert when it is due to expire within 30 days.
check host example.tld with address example.tld
            if failed
                    port 443
                    protocol https
                    with ssl options {verify: enable}
                    certificate valid > 30 days
            then alert

After a monit restart you should see the result on the "Status" page of monit.
Duck, Duck, Duck, Duck, Duck, Duck, Duck, Duck, Goose
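An added example (mine, not code from the thread, OPNsense, monit or Zabbix): the monit check above tests the certificate a live TLS server presents on a port, but client certificates are not served anywhere, so they have to be read from their files and checked directly. The script below walks a directory of PEM files and lists those expiring within N days, the kind of script a Zabbix UserParameter or external check can call. It assumes the client certificates have been exported as .pem/.crt files into one directory (how they are stored in OPNsense and the export step are outside the example), uses only the Python standard library, and pulls notAfter out of each certificate with a minimal DER walk. The sample certificates it scans are constructed in-script with a dummy key and signature and are not real certificates.

```python
#!/usr/bin/env python3
"""List PEM certificates expiring within N days (e.g. behind a Zabbix UserParameter).
Standard library only. Assumption (not from the thread): the client certificates
have been exported as .pem/.crt files into one directory."""
import base64
import json
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a SEQUENCE/SET."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def not_after(der):
    """notAfter of a DER X.509 certificate as an aware UTC datetime."""
    _, cs, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, ts, te = _tlv(der, cs)               # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    _, vs, ve = fields[3]                   # serial, signature, issuer, validity, ...
    tag, s, e = list(_children(der, vs, ve))[1]   # validity = (notBefore, notAfter)
    text = der[s:e].decode("ascii")
    if tag == 0x17:                         # UTCTime: YY 50-99 -> 19xx, 00-49 -> 20xx (RFC 5280)
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def pem_to_ders(data):
    """DER bytes of every certificate in a PEM blob (bundles included)."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(data)]


def scan(directory, warn_days=10, now=None):
    """(file name, days left) for every certificate expiring within warn_days."""
    now = now or datetime.now(timezone.utc)
    expiring = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith((".pem", ".crt")):
            continue
        with open(os.path.join(directory, name), "rb") as f:
            ders = pem_to_ders(f.read())
        for der in ders:
            left = (not_after(der) - now).total_seconds() / 86400
            if left <= warn_days:
                expiring.append((name, round(left, 1)))
    return expiring


# --- constructed sample data: structurally valid X.509 shells, NOT real certs ---
def _der(tag, payload):
    """Encode one DER TLV (short or long length form)."""
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def fake_cert_pem(not_after_dt):
    """PEM certificate with a dummy key/signature whose notAfter is not_after_dt."""
    def t(dt):                              # UTCTime before 2050, else GeneralizedTime
        return (_der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode()) if dt.year < 2050
                else _der(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode()))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, b"demo"))))
    alg = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + _der(0x05, b""))
    spki = _der(0x30, _der(0x30, _der(0x06, b"\x2A\x86\x48\xCE\x3D\x02\x01")) + _der(0x03, b"\x00" * 66))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
               + _der(0x30, t(not_after_dt - timedelta(days=365)) + t(not_after_dt)) + name + spki)
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 65))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


FIXED_NOW = datetime(2024, 2, 13, 15, 8, 33, tzinfo=timezone.utc)   # constructed "now"


def demo(warn_days=10):
    """Write two constructed certs (5 and 200 days out) to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as d:
        for stem, days in (("alice", 5), ("bob", 200)):
            with open(os.path.join(d, stem + ".pem"), "wb") as f:
                f.write(fake_cert_pem(FIXED_NOW + timedelta(days=days)))
        return scan(d, warn_days, now=FIXED_NOW)


if __name__ == "__main__":
    print(json.dumps(demo()))               # -> [["alice.pem", 5.0]]
```

Point scan() at the real export directory and drop demo(); the result is easy to turn into a Zabbix item (count of certificates under the threshold) or a discovery list with one item per file. The walker accepts both UTCTime and GeneralizedTime, the two encodings RFC 5280 allows for the validity fields, and reads every certificate in a bundle file rather than only the first.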