monit:监控证书

Question

我目前正在尝试监视我的系统证书，以确保在到期前30天收到警报。作为一个例子，我以google.com为例，并监控它的证书。看一下monitrc文件，我添加了以下内容：

check host google.com with address google.com
            if failed
                    port 443
                    protocol https
                    with ssl options {verify: enable}
                    certificate valid > 1095 days
            then alert

当我重新启动monit时，我收到错误消息，没有名为google.com的服务

Answer 1

当设置新的monit配置或更改/编辑当前配置时，应首先重新加载，以确保monit重新初始化守护进程

重现问题

# Edit monit config
root@home:~# vim /etc/monit/conf-enabled/test

# Restart right way will fail
root@home:~# monit restart all
There is no service named "google.com"

# Logs
[CEST Sep 12 19:16:29] info     : 'home' trying to restart
[CEST Sep 12 19:16:29] info     : 'home' restart action done
[CEST Sep 12 19:17:09] info     : 'home' restart on user request
[CEST Sep 12 19:17:09] error    : HttpRequest: error -- client [::1]: HTTP/1.0 400 There is no service named "google.com"
[CEST Sep 12 19:17:09] error    : There is no service named "google.com"

解决方案

# Edit monit config
root@home:~# vim /etc/monit/conf-enabled/test

# Reload to reinitialize monit
root@home:~# monit reload
Reinitializing monit daemon

root@home:~# monit status
Monit 5.25.2 uptime: 24m

Remote Host 'google.com'
  status                       OK
  monitoring status            Monitored
  monitoring mode              active
  on reboot                    start
  port response time           878.069 ms to google.com:443 type TCP/IP using TLS (certificate valid for 69 days) protocol HTTP
  data collected               Thu, 12 Sep 2019 19:24:06

Answer 2

您还可以使用Overseer等软件运行定期测试，并使用Notify17通知模板接收通知(请参阅示例recipe)。

您可以使用如下测试规则：

https://myurl.com/path must run https

或

https://myurl.com/path must run ssl

这些规则评估网站是否可以通过SSL访问，以及证书是否即将过期(您可以在source code中看到更多选项)。

附言:为了有一个简单的监督者入门，你可以查看Kubernetes deployment example。