how to find or check details of ssl options or other options in monit

Sorry all,

Where do you think I can find / read the details of the options available / allowed in monit? I tried to check the expiry of the crt file (SSL certificate) by using the method below

check host site with address example.com
    start program = "/bin/true"
    stop program = "/bin/true"
    if failed
     port 443
     protocol https
     ssl options {
      verify: enable
      ca-directory: /etc/ssl/example.com/
#      ca-file: /etc/ssl/example.com/example.com.crt
      check-expiry: 30 days
    }
    then alert

The above config outputs an error related to ca-directory / ca-file (I tried switching between them). Does it mean it is not allowed / not available to put that in ssl options? Before trying the above method I only used this config; it does not show any error, but it does not work as I expected, as it does not check the crt file I use for SSL

check host site with address example.com
    start program = "/bin/true"
    stop program = "/bin/true"
    if failed
     port 443
     protocol https
     ssl options {
      verify: enable
    }
    certificate valid > 30 days
    then alert

Aside from ssl options, I also want to find out more about what kind of options monit has available; the doc link https://mmonit.com/monit/documentation/monit.html is kind of incomplete IMHO

Feel free to CMIIW, and many thanks

I tried with my config and read from the doc link above

boppy On

My default check, including an SSL cert check, is

check host FooBar with address www.example.com
    if failed ping for 5 times within 10 cycle then alert
    if failed port 443 protocol https with ssl options {verify: enable}
        ssl certificate valid 5 days then alert

That sends out an alert if the ping fails for 5 cycles (minutes for me) in a 10-cycle-timeframe. The second if defines an alert to be sent if the cert is due in <= 5 days.

This config checks a remote certificate of a website. If you want to check a local cert, you cannot use check host, because you are not in fact checking a host...

You could:

check program IsMyCertValid path "/root/monitoring/check-cert.sh"
    if status != 0 then alert

while /root/monitoring/check-cert.sh is:

#!/bin/bash
certFilePath="/opt/acme.sh/certs/example.com/example.com.cer"
# openssl prints "notAfter=<date>"; keep only the part after the "="
certValidityEnds="$(openssl x509 -noout -enddate -in "$certFilePath" | awk -F'=' '{ print $2 }')"
# convert the human-readable date to epoch seconds (GNU date)
certValiditySeconds="$(date -d "$certValidityEnds" +"%s")"
now="$(date +'%s')"

# this line ends up as the program output shown in the monit web frontend
printf "Certificate %s is valid until %s\n" "$certFilePath" "$certValidityEnds"

# non-zero exit status = certificate already expired, which triggers the monit alert
[ "$now" -gt "$certValiditySeconds" ] && exit 1

exit 0

The advantage is that this also writes the validity to the program output, which is visible in the web frontend. The output would be like:

Certificate /opt/acme.sh/certs/example.com/example.com.cer is valid until Dec  2 09:20:00 2023 GMT

Regarding documentation, I can only recommend reading through the full document provided by tildeslash. It is very much complete, but not very well structured...
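The check program above only fires once the certificate has already expired. As an added example (not boppy's script and not part of monit), the script below alerts a configurable number of days before expiry and does the date arithmetic in plain POSIX sh, so it does not depend on GNU `date -d`; the file path, the warn-days default of 30 and the exit codes are assumptions. It plugs into monit exactly like the answer's check program (`if status != 0 then alert`).

```shell
#!/bin/sh
# Added example, not boppy's script: alert N days *before* expiry rather than only
# after it, with the date arithmetic in pure POSIX sh (no GNU `date -d`).
# Usage: check-cert-expiry.sh <cert.pem> [warn_days]   (warn_days defaults to 30)
# Exit 0 = ok, 1 = expires within warn_days, 2 = already expired, 3 = unreadable cert.

# Gregorian civil date -> days since 1970-01-01 (Howard Hinnant's days_from_civil).
days_from_civil() {
  y=$1; m=$2; d=$3
  [ "$m" -le 2 ] && y=$((y - 1))
  era=$((y / 400)); yoe=$((y - era * 400)); mp=$(((m + 9) % 12))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# "Dec  2 09:20:00 2023 GMT" (what `openssl x509 -enddate` prints) -> epoch seconds.
enddate_to_epoch() {
  set -- $1   # unquoted on purpose: word splitting absorbs openssl's padding spaces
  case $1 in
    Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
    Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
    *) return 1;;
  esac
  days=$(days_from_civil "$4" "$m" "$2")
  hh=${3%%:*}; rest=${3#*:}; mm=${rest%%:*}; ss=${rest#*:}
  # strip one leading zero so "09" is not read as an invalid octal literal
  echo $((days * 86400 + ${hh#0} * 3600 + ${mm#0} * 60 + ${ss#0}))
}

# days_left <enddate> <now_epoch>: whole days until expiry, negative once expired
days_left() {
  end=$(enddate_to_epoch "$1") || return 1
  echo $(( (end - $2) / 86400 ))
}

# check_cert <cert.pem> <warn_days>: the monit-facing entry point
check_cert() {
  enddate=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null) || return 3
  enddate=${enddate#notAfter=}
  left=$(days_left "$enddate" "$(date +%s)") || return 3
  printf 'Certificate %s is valid until %s (%s days left)\n' "$1" "$enddate" "$left"
  if [ "$left" -lt 0 ]; then return 2; fi
  if [ "$left" -le "$2" ]; then return 1; fi
  return 0
}

# Only act as a script when given a certificate path (the functions stay sourceable).
if [ -n "${1:-}" ]; then check_cert "$1" "${2:-30}"; exit $?; fi
```

The "(N days left)" suffix lands in the program output monit shows in its web frontend, so the remaining lifetime is visible without waiting for the alert.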