ssl-certificate-monitoring-extension

Use Case

This extension monitors the SSL certificates for configurable domains. This extension should be used with standalone Java Machine Agents.

Prerequisites

  1. Before the extension is installed, the prerequisites mentioned here need to be met. Please do not proceed with the extension installation if the specified prerequisites are not met.
  2. Please make sure that the machine has OpenSSL installed. Windows users can download it from https://www.openssl.org/related/binaries.html. The Windows OpenSSL build has a bug that causes command execution to hang, so on Windows please download and use Cygwin's OpenSSL instead.

Installation

  1. To build from the source, run "mvn clean install" and find the SslCertificateMonitor-VERSION.zip file in the "target" folder.
  2. Unzip as "SslCertificateMonitor" and copy the "SslCertificateMonitor" directory to <MACHINE_AGENT_HOME>/monitors.
  3. Edit the file config.yml located at <MachineAgent_Dir>/monitors/SslCertificateMonitor
  4. Restart the Machine Agent.

Please place the extension in the "monitors" directory of your Machine Agent installation directory. Do not place the extension in the "extensions" directory of your Machine Agent installation directory.

Configuration

Note: Please do not use tabs (\t) while editing YAML files. You may want to validate the YAML file using a YAML validator.

  1. Configure the domains by editing the config.yml file in <MACHINE_AGENT_HOME>/monitors/SslCertificateMonitor/.

    
       #This will create this metric in all the tiers, under this path
       metricPrefix:  "Custom Metrics|SslCertificate"
    
       #This will create it in specific Tier. Replace <TIER_ID>
       #metricPrefix: Server|Component:<TIER_ID>|Custom Metrics|SslCertificate
    
       domains:
         - domain: "www.google.com"
           port: 443
           displayName: "Google"
    
         - domain: "www.ebay.com"
           port: 443
           displayName: "eBay"
    
         - domain: "www.amazon.com"
           port: 443
           displayName: "amazon"
    
       # Point to the .sh file on Unix-based systems and the .bat file on Windows.
       # If you are using Cygwin's openssl, please make sure to change openssl.bat to point to Cygwin's openssl.
       # For example: echo | C:\Cygwin64\bin\openssl s_client -connect %1:%2 2> null | C:\Cygwin64\bin\openssl x509 -noout -enddate
       cmdFile: "monitors/SslCertificateMonitor/cmd/openssl.sh"
       #cmdFile: "monitors\\SslCertificateMonitor\\cmd\\openssl.bat"
    
    
       #### Configurations below this need not be changed.###
       # number of concurrent tasks
       numberOfThreads: 10
    
       #timeout for the thread
       threadTimeout: 5
    
  2. Configure the path to the config.yml file by editing the <task-arguments> in the monitor.xml file in the <MACHINE_AGENT_HOME>/monitors/SslCertificateMonitor/ directory. You can also change the frequency at which the Machine Agent calls the extension in monitor.xml. Below is a sample:

    
         <task-arguments>
            <!-- config file-->
            <argument name="config-file" is-required="true" default-value="monitors/SslCertificateMonitor/config.yml" />
         </task-arguments>
    
    

    On Windows, please specify the absolute path to the config.yml.

  3. If needed, configure the openssl command in the cmdFile pointed to by config.yml.

Metrics Provided

  • daysToExpiry
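
An added example, not the extension's own code: it runs the openssl pipeline from the cmdFile comment with SNI (`-servername`) and a hard timeout, then converts the `notAfter=` line into a daysToExpiry value. The function names, the 5-second default and the sample timestamps are assumptions made here.

```python
import subprocess
from datetime import datetime, timezone

# Constructed sample: a fixed "now" and a hand-written openssl output line.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_OUTPUT = "notAfter=Jan 31 00:00:00 2025 GMT\n"


def fetch_enddate(domain, port, timeout=5):
    """Run s_client | x509 -enddate for one domain; return '' on any failure.

    Arguments are passed as a list (no shell), so a domain value from
    config.yml cannot inject extra commands. subprocess.run kills and
    reaps the child when the timeout expires, so a hung openssl does not
    pile up as a leftover process.
    """
    try:
        hello = subprocess.run(
            ["openssl", "s_client", "-servername", domain,
             "-connect", f"{domain}:{port}"],
            input=b"", capture_output=True, timeout=timeout)
        cert = subprocess.run(
            ["openssl", "x509", "-noout", "-enddate"],
            input=hello.stdout, capture_output=True, timeout=timeout)
    except (subprocess.TimeoutExpired, OSError):
        return ""
    return cert.stdout.decode("ascii", "replace")


def parse_days_to_expiry(x509_output, now=None):
    """Whole days until notAfter; None if the output has no notAfter= line.

    A negative value means the certificate has already expired.
    """
    now = now or datetime.now(timezone.utc)
    for line in x509_output.splitlines():
        if line.startswith("notAfter="):
            # openssl pads single-digit days with a space ("Jan  5"); normalise.
            stamp = " ".join(line[len("notAfter="):].split())
            end = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            return (end.replace(tzinfo=timezone.utc) - now).days
    return None


if __name__ == "__main__":
    print(parse_days_to_expiry(SAMPLE_OUTPUT, SAMPLE_NOW))
```

Treat a `None` result as its own alert condition rather than reporting 0 days, so that an unreachable host is not confused with a certificate expiring today.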

Extensions Workbench

Workbench is a built-in feature provided with each extension to help you fine-tune the extension setup before you actually deploy it on the controller. Please review the following document on How to use the Extensions WorkBench.

Custom Dashboard

Troubleshooting

  1. Please follow the steps listed in this troubleshooting-document in order to troubleshoot your issue. These are a set of common issues that customers might have faced during the installation of the extension.

  2. Verify Machine Agent Data: Please start the Machine Agent without the extension and make sure that it reports data. Verify that the machine agent status is UP and it is reporting Hardware Metrics.

  3. config.yml: Validate the file here.

  4. The config cannot be null: This usually happens when, on a Windows machine, the config.yml path in monitor.xml uses the Linux path separator /. Use the Windows path separator \, e.g. monitors\SSLMonitor\config.yml. On Windows, please specify the absolute file path.

  5. Metric Limit: Please start the machine agent with the argument -Dappdynamics.agent.maxMetrics=5000 if there is a metric limit reached error in the logs. If you don't see the expected metrics, this could be the cause.

Contributing

Always feel free to fork and contribute any changes directly here on GitHub.

Version

Name Version
Extension Version 3.0.2
Last Update 14/12/2021

Note: While extensions are maintained and supported by customers under the open-source licensing model, they interact with agents and Controllers that are subject to AppDynamics’ maintenance and support policy. Some extensions have been tested with AppDynamics 4.5.13+ artifacts, but you are strongly recommended against using versions that are no longer supported.

ssl-certificate-monitoring-extension's People

Contributors

adityajagtiani89, akshayappd, erabhimanyu, kod-er, kunalgupapdx, saxenaabhi142, venkatakonala

ssl-certificate-monitoring-extension's Issues

Something's wrong in the config.yml file, and another error

Hello, I am trying to set this up on Redhat7.
First, maybe the config.yml file must have information about the Controller, like: host, port, account.
Second, after I added the "information of Controller", I faced this error:
[Agent-Monitor-Scheduler-1] 20 Apr 2022 16:46:48,298 ERROR PeriodicTaskRunner - Error creating environment task
java.lang.NullPointerException: null
at com.appdynamics.extensions.sslcertificate.SslCertificateMonitor.doRun(SslCertificateMonitor.java:58) ~[?:?]
at com.appdynamics.extensions.AMonitorJob.run(AMonitorJob.java:50) ~[?:?]
at com.appdynamics.extensions.ABaseMonitor.executeMonitor(ABaseMonitor.java:199) ~[?:?]
at com.appdynamics.extensions.ABaseMonitor.execute(ABaseMonitor.java:187) ~[?:?]
at com.singularity.ee.agent.systemagent.components.monitormanager.managed.MonitorTaskRunner.runTask(MonitorTaskRunner.java:149) ~[machineagent.jar:Machine Agent v22.2.0-3282 GA compatible with 4.4.1.0 Build Date 2022-02-18 08:02:20]
at com.singularity.ee.agent.systemagent.components.monitormanager.managed.PeriodicTaskRunner.runTask(PeriodicTaskRunner.java:86) ~[machineagent.jar:Machine Agent v22.2.0-3282 GA compatible with 4.4.1.0 Build Date 2022-02-18 08:02:20]
at com.singularity.ee.agent.systemagent.components.monitormanager.managed.PeriodicTaskRunner.run(PeriodicTaskRunner.java:47) [machineagent.jar:Machine Agent v22.2.0-3282 GA compatible with 4.4.1.0 Build Date 2022-02-18 08:02:20]
at com.singularity.ee.util.javaspecific.scheduler.AgentScheduledExecutorServiceImpl$SafeRunnable.run(AgentScheduledExecutorServiceImpl.java:122) [agent-21.12.2-1071.jar:?]
at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) [?:?]
at com.singularity.ee.util.javaspecific.scheduler.ADFutureTask$Sync.innerRunAndReset(ADFutureTask.java:335) [agent-21.12.2-1071.jar:?]
at com.singularity.ee.util.javaspecific.scheduler.ADFutureTask.runAndReset(ADFutureTask.java:152) [agent-21.12.2-1071.jar:?]
at com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.access$101(ADScheduledThreadPoolExecutor.java:119) [agent-21.12.2-1071.jar:?]
at com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.runPeriodic(ADScheduledThreadPoolExecutor.java:206) [agent-21.12.2-1071.jar:?]
at com.singularity.ee.util.javaspecific.scheduler.ADScheduledThreadPoolExecutor$ADScheduledFutureTask.run(ADScheduledThreadPoolExecutor.java:236) [agent-21.12.2-1071.jar:?]
at com.singularity.ee.util.javaspecific.scheduler.ADThreadPoolExecutor$Worker.runTask(ADThreadPoolExecutor.java:694) [agent-21.12.2-1071.jar:?]
at com.singularity.ee.util.javaspecific.scheduler.ADThreadPoolExecutor$Worker.run(ADThreadPoolExecutor.java:726) [agent-21.12.2-1071.jar:?]
at java.lang.Thread.run(Unknown Source) [?:?]

I need your help!!!

Timing printed in debug log without time units.

Add time units when printing how long it took to resolve an SSL certificate. Here is an example taken from a recent run.

[Monitor-Task-Thread4] 02 Oct 2018 11:52:49,197 DEBUG SslCertificateProcessor - Time taken for ssl certificate processor for ****** is 54

Metrics are not sent according to openssl.sh output

I have configured the ssl-certificate-monitoring-extension according to the documentation.

In my configuration there are two domains configured:

  • domain: "domain1.com"
    port: 443
    displayName: "Domain 1"
  • domain: "domain2.com"
    port: 443
    displayName: "Domain 2"

In my local /etc/host both domains are referring to the same IP as they are behind a load balancer.
Therefore I modified the openssl.sh with the -servername option to get the right certificate according to the given DNS name:
echo -e "quit\n" | /usr/bin/openssl s_client -servername $1 -connect $1:$2 2>/dev/null | /usr/bin/openssl x509 -noout -enddate

When calling the script locally (./cmd/openssl.sh domain1.com 443) I retrieve the right expiration date for the certificate.
However, after starting the machine agent I get the same expiration date for "Domain 1" and "Domain 2". This only happens for one domain. Some other domains are also behind a single load balancer and there the correct expiration date is returned.

I cannot see any configuration issue, and when running the script locally I receive the right expiration date.
Do you have any clue whether the issue might be located in the extension itself, or are you aware of such an issue?

Queue Capacity Error due to bug

We noticed one SSLCertificate monitoring extension bug which is causing the extension to not report any statistics for the certificates which it monitors. We have around 28 certificates which we are monitoring through this extension, and the numberOfThreads parameter in the config file we had set to 29. The extension performs well for a few days, and over time it invoked multiple processes which it doesn't close. Eventually, in the logs we see
ERROR MonitorExecutorServiceModule-SSLCertificateMonitor - Queue Capacity reached!! Rejecting runnable tasks..
I have attached a snapshot of the machine agent processes which are open; this count of processes reaches more than 60 when this error occurs.

@kunalgupApDx can you please help on this.

Publish checksum to validate file integrity on community exchange

Couldn't find a better way to reach out for this issue. Hope it gets addressed here. Could you please also publish the checksum for this extension monitor on https://www.appdynamics.com/community/exchange/extension/ssl-certificate-monitoring-extension/. The latest version seems to be missing it. I believe the previous version published was showing a checksum value to validate the file integrity. This is a security requirement before we can use it in our environment.

Thanks for your help.
