itl/ssl_cert: Add --ignore-maximum-validity option (#10396)

* Update web.conf - Include "--ignore-maximum-validity"

* Update 10-icinga-template-library.md

* Update 10-icinga-template-library.md

* Update 10-icinga-template-library.md
Silas 2025-04-08 09:18:38 +02:00 committed by GitHub
parent 9ecf7714e3
commit 8ab859d828
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 41 additions and 36 deletions


@ -5957,42 +5957,43 @@ Custom variables passed as [command parameters](03-monitoring-basics.md#command-
Name | Description
--------------------------|--------------
ssl_cert_address | **Optional.** The host's address. Defaults to "$address$" if the host's `address` attribute is set, "$address6$" otherwise.
ssl_cert_port | **Optional.** TCP port number (default: 443).
ssl_cert_proxy | **Optional.** Proxy server to use for connecting to the host. Sets http_proxy and the s_client -proxy option.
ssl_cert_file | **Optional.** Local file path. Works only if `ssl_cert_address` is set to "localhost".
ssl_cert_warn | **Optional.** Minimum number of days a certificate has to be valid.
ssl_cert_critical | **Optional.** Minimum number of days a certificate has to be valid to issue a critical status.
ssl_cert_maximum_validity | **Optional.** Maximum number of days a certificate is allowed to be valid (default: 397)
ssl_cert_cn | **Optional.** Pattern to match the CN or AltName of the certificate.
ssl_cert_issuer | **Optional.** Pattern to match the issuer of the certificate.
ssl_cert_org | **Optional.** Pattern to match the organization of the certificate.
ssl_cert_email | **Optional.** Pattern to match the email address contained in the certificate.
ssl_cert_serial | **Optional.** Pattern to match the serial number.
ssl_cert_noauth | **Optional.** Ignore authority warnings (expiration only)
ssl_cert_match_host | **Optional.** Match CN with the host name.
ssl_cert_selfsigned | **Optional.** Allow self-signed certificate.
ssl_cert_sni | **Optional.** Sets the TLS SNI (Server Name Indication) extension.
ssl_cert_timeout | **Optional.** Seconds before connection times out (default: 15)
ssl_cert_protocol | **Optional.** Use the specific protocol {http,smtp,pop3,imap,ftp,xmpp,irc,ldap} (default: http).
ssl_cert_http_url | **Optional.** HTTP Request URL (default: /)
ssl_cert_clientcert | **Optional.** Use client certificate to authenticate.
ssl_cert_clientpass | **Optional.** Set passphrase for client certificate.
ssl_cert_ssllabs | **Optional.** SSL Labs assessment
ssl_cert_ssllabs_nocache | **Optional.** Forces a new check by SSL Labs
ssl_cert_rootcert | **Optional.** Root certificate or directory to be used for certificate validation.
ssl_cert_ignore_signature | **Optional.** Do not check if the certificate was signed with SHA1 od MD5.
ssl_cert_ssl_version | **Optional.** Force specific SSL version out of {ssl2,ssl3,tls1,tls1_1,tls1_2}.
ssl_cert_disable_ssl_versions | **Optional.** Disable specific SSL versions out of {ssl2,ssl3,tls1,tls1_1,tls1_2}. Multiple versions can be given as array.
ssl_cert_cipher | **Optional.** Cipher selection: force {ecdsa,rsa} authentication.
ssl_cert_ignore_expiration | **Optional.** Ignore expiration date.
ssl_cert_ignore_host_cn | **Optional.** Do not complain if the CN does not match.
ssl_cert_ignore_ocsp | **Optional.** Do not check revocation with OCSP.
ssl_cert_ignore_ocsp_errors | **Optional.** Continue if the OCSP status cannot be checked.
ssl_cert_ignore_ocsp_timeout | **Optional.** Ignore OCSP result when timeout occurs while checking.
ssl_cert_ignore_sct | **Optional.** Do not check for signed certificate timestamps.
ssl_cert_ignore_tls_renegotiation | **Optional.** Do not check for renegotiation.
ssl_cert_dane | **Optional.** Verify that valid DANE records exist ({211,301,302,311,312} or empty string).
ssl_cert_address | **Optional.** The host's address. Defaults to "$address$" if the host's `address` attribute is set, "$address6$" otherwise.
ssl_cert_port | **Optional.** TCP port number (default: 443).
ssl_cert_proxy | **Optional.** Proxy server to use for connecting to the host. Sets http_proxy and the s_client -proxy option.
ssl_cert_file | **Optional.** Local file path. Works only if `ssl_cert_address` is set to "localhost".
ssl_cert_warn | **Optional.** Minimum number of days a certificate has to be valid.
ssl_cert_critical | **Optional.** Minimum number of days a certificate has to be valid to issue a critical status.
ssl_cert_maximum_validity | **Optional.** Maximum number of days a certificate is allowed to be valid (default: 397)
ssl_cert_ignore_maximum_validity | **Optional.** Ignore the certificate maximum validity
ssl_cert_cn | **Optional.** Pattern to match the CN or AltName of the certificate.
ssl_cert_issuer | **Optional.** Pattern to match the issuer of the certificate.
ssl_cert_org | **Optional.** Pattern to match the organization of the certificate.
ssl_cert_email | **Optional.** Pattern to match the email address contained in the certificate.
ssl_cert_serial | **Optional.** Pattern to match the serial number.
ssl_cert_noauth | **Optional.** Ignore authority warnings (expiration only)
ssl_cert_match_host | **Optional.** Match CN with the host name.
ssl_cert_selfsigned | **Optional.** Allow self-signed certificate.
ssl_cert_sni | **Optional.** Sets the TLS SNI (Server Name Indication) extension.
ssl_cert_timeout | **Optional.** Seconds before connection times out (default: 15)
ssl_cert_protocol | **Optional.** Use the specific protocol {http,smtp,pop3,imap,ftp,xmpp,irc,ldap} (default: http).
ssl_cert_http_url | **Optional.** HTTP Request URL (default: /)
ssl_cert_clientcert | **Optional.** Use client certificate to authenticate.
ssl_cert_clientpass | **Optional.** Set passphrase for client certificate.
ssl_cert_ssllabs | **Optional.** SSL Labs assessment
ssl_cert_ssllabs_nocache | **Optional.** Forces a new check by SSL Labs
ssl_cert_rootcert | **Optional.** Root certificate or directory to be used for certificate validation.
ssl_cert_ignore_signature | **Optional.** Do not check if the certificate was signed with SHA1 od MD5.
ssl_cert_ssl_version | **Optional.** Force specific SSL version out of {ssl2,ssl3,tls1,tls1_1,tls1_2}.
ssl_cert_disable_ssl_versions | **Optional.** Disable specific SSL versions out of {ssl2,ssl3,tls1,tls1_1,tls1_2}. Multiple versions can be given as array.
ssl_cert_cipher | **Optional.** Cipher selection: force {ecdsa,rsa} authentication.
ssl_cert_ignore_expiration | **Optional.** Ignore expiration date.
ssl_cert_ignore_host_cn | **Optional.** Do not complain if the CN does not match.
ssl_cert_ignore_ocsp | **Optional.** Do not check revocation with OCSP.
ssl_cert_ignore_ocsp_errors | **Optional.** Continue if the OCSP status cannot be checked.
ssl_cert_ignore_ocsp_timeout | **Optional.** Ignore OCSP result when timeout occurs while checking.
ssl_cert_ignore_sct | **Optional.** Do not check for signed certificate timestamps.
ssl_cert_ignore_tls_renegotiation | **Optional.** Do not check for renegotiation.
ssl_cert_dane | **Optional.** Verify that valid DANE records exist ({211,301,302,311,312} or empty string).
#### jmx4perl <a id="plugin-contrib-command-jmx4perl"></a>


@ -587,6 +587,10 @@ object CheckCommand "ssl_cert" {
description = "verify that valid DANE records exist (since OpenSSL 1.1.0)"
repeat_key = false
}
"--ignore-maximum-validity" = {
description = "Ignore the certificate maximum validity"
set_if = "$ssl_cert_ignore_maximum_validity$"
}
}
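Review bot: The description on the added `"--ignore-maximum-validity"` argument, `"Ignore the certificate maximum validity"`, does not tell an operator which check is being switched off or how it relates to `ssl_cert_maximum_validity`, which the documentation table lists with a default of 397 days. I would spell it out, for example `description = "Do not check the certificate's maximum validity period (see ssl_cert_maximum_validity)"`, and mirror that wording in the `ssl_cert_ignore_maximum_validity` row of the docs. Since this flag relaxes a certificate policy check, the docs row could also say that it is meant for hosts with long-lived certificates, such as those from an internal CA, so it is set per host or service rather than in a shared template. The existing maximum-validity argument is outside this hunk, so whether both options are passed to the plugin when both variables are set cannot be confirmed from here and is worth checking; the `CheckCommand "ssl_cert"` body also continues beyond the lines shown.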