Automated SSL Labs testing with Opsview

In this blog I will cover how you can use a Nagios plugin to automatically test your websites SSL security strength on a daily basis, and alert you when it drops below a certain score – thus increasing the likelihood of a security breach.

Firstly, download the check_ssl_cert plugin from the link here and copy it to your Opsview Monitor system. Once copied, extract the .tar.gz file, and copy the plugin to the libexec directory as below:

tar -zxvf check_ssl_cert-1.37.0.tar.gz
cd check_ssl_cert-1.37.0
cp check_ssl_cert /usr/local/nagios/libexec/
chown nagios:nagios /usr/local/nagios/libexec/check_ssl_cert
chmod +x /usr/local/nagios/libexec/check_ssl_cert

We’ve also set the correct owner and permissions.

Next, lets test it out:

root@opsview:/tmp# ./check_ssl_cert -H test.ehertz.uk -L A
SSL_CERT OK - X.509 certificate for 'test.ehertz.uk' from 'Let's Encrypt Authority X3' valid until May 21 13:56:00 2017 GMT (expires in 87 days), SSL Labs grade: A+|days=87;;;;

Note: If you get a failure here, you may need to allow SSLLabs.com subnet HTTPS-access to your website. I use ipset to allow GB-based IP ranges only, so i needed to do this step. You can get the up-to-date IP range from the Qualys page here, or you can lazily copy and amend my iptables rule below:

iptables -I f2b-owncloud 4 -p tcp -s 64.41.200.0/24 -d 192.168.0.55/32 --dport 443 -j ACCEPT -m comment --comment "SSL Labs testing"

Obviously change ‘f2b-owncloud’ to the relevant chain on the web server we’re testing, i.e. ‘INPUT’ if your just using a single chain.

Next, we need to modify Opsview a little. As this is quite an intense operation (SSLLabs.com tests can take 2-3 minutes sometimes), we will hit the 60 seconds timeout set by default in Opsview. We can modify this to allow our new service check to have more time to complete by editing /usr/local/nagios/etc/opsview.conf and adding the following at the bottom of the file:

"$overrides = <<'EOF';
nagios_service_check_timeout=300
EOF"

If you dont modify this variable, you will see the following with Opsview / Nagios: “(Service check timed out after 60.00 seconds)”. So do it!

Next, you can go ahead and add the service check into Opsview. It is very simple, just choose the check_ssl_cert plugin and use the parameters “-H $HOSTADDRESS$ -L A –ignore-ssl-labs-cache”. That way, for every new host (i.e. websiteA.company.com) you add this service check to, it will have an SSLLabs.com scan performed against it – and if the grade returned falls below ‘A’, you will be alerted. Neat eh?

Now if we put this all together, you should see the following screens:

SSLLabs.com results view

Opsview results view (within a Hashtag)

Now because I am both benevolent and kind, I have created a helpful Opspack for this entire journey, entitled ‘Application – HTTPS’. Simply download it from the link below, and navigate to ‘Settings > Host Templates’ within Opsview Monitor 5.2 and above, and click ‘Import Opspack’, as below:

DOWNLOAD LINK FOR ‘APPLICATION – HTTPS’. 

Once you have imported the opspack successfully and can see ‘Application – HTTPS’ within the list of host templates, simply add a new host, enter your website address in the hostname field (i.e. test.ehertz.uk), apply the host template and reload Opsview (the yellow tile within the menu). I have also included a variable called %SSLOPTIONS%, which you can modify the 1st argument of globally to add other plugin options – or modify on a host by host basis using the similar approach.  By default the service check should run once a day – i dont personally see why you would want to run it any more regularly.

Finally – If you see timeouts, then shame on you for not reading this article properly!

Enjoy, and thanks to Matteo Corti for an awesome script.