You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Jun 5, 2025. It is now read-only.
Copy file name to clipboardExpand all lines: README.md
+77-1Lines changed: 77 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -11,4 +11,80 @@ This repository contains a PRTG Python Script Advanced sensor to monitor SSL Cer
11
11
12
12
## Sensor Description
13
13
14
-
This custom _Python Script Advanced_ sensor will monitor SSL certificates and contains channels similar to the PRTG's built-in _SSL Certificate_ sensor.
14
+
This custom _Python Script Advanced_ sensor will monitor SSL certificates that require a protocol handshake prior to reading certificate data, and exposes the collected data in channels similar to PRTG's built-in _SSL Certificate_ sensor.
15
+
16
+
As of version v0.1.0 this sensor supports the following application layer protocols:
17
+
18
+
*`SMTP`: Simple Mail Transfer Protocol, [RFC 5321](https://www.rfc-editor.org/rfc/rfc5321)
19
+
*`LMTP`: Local Mail Transfer Protocol, [RFC 2033](https://datatracker.ietf.org/doc/html/rfc2033)
The _LDAP_ protocol handshake has been tested against _Active Directory_, _OpenLDAP_, and _Sun Enterprise Directory Server_ (formerly _Netscape iPlanet Directory Server_) and is also expected to work with _RedHat DS 389_ directory server.
23
+
24
+
## Sensor Channels
25
+
26
+
The following channels are implemented:
27
+
28
+
*`Days until Expiration` - primary channel
29
+
*`Common Name Check` - with support for CN and CN/SAN validation
30
+
*`Public Key Size`
31
+
*`Root Authority Trusted`
32
+
*`Self-Signed`
33
+
34
+
All channels but the primary channel use PRTG built-in value lookup definitions.
35
+
36
+
### Common Name Check
37
+
38
+
PRTGs built-in _SSL Certificate_ sensor allows also the validate `SNI Domainname` values. Since this is in essence a check of an user-specified domain name against the _commonName_ and/or _subjectAltName_ attribute of the certificate, this sensor ommits the result values _SNI Domainname matches_ and _SNI Domainname does not match_.
39
+
40
+
If the device's network address is specified as domain name and is the same as contained in the certificate, the parameter `cert_domainname` can be omitted.
41
+
42
+
### Root Authority Trusted
43
+
44
+
This check uses the default mechanisms of the Python `ssl` module to verify the trust of the certificate. This includes the check of the chain and also that the root CA certificate is in the operating system vendor's certificate store.
45
+
46
+
One implication of this kind of validation is that it fails if the certificate chain is incorrect and also fails if the root CA certificate is not in the trust store of the system the probe is running on.
47
+
48
+
The check is skipped entirely if the installed certificate is a self-signed certificate. In this case the channel result is set to _Not trusted_.
49
+
50
+
## Sensor Parameters
51
+
52
+
The sensor expects parameters that specify application protocol, port, and certificate name validation. Without those additional parameters the sensor returns an error result.
53
+
54
+
The parameters MUST be specified in form of key-value pairs with key and value separated by a colon. Multiple key-value pairs are separated by a comma.
55
+
56
+
The parameter string MUST NOT contain quotes, braces, brackets, and parens. It also MUST NOT contain characters outside the ASCII character set, and it MUST NOT contain the + sign. Use of any of those characters and symbols will cause PRTG to excessively escape those characters, leading to a lot of backslashes in the parameter string, which this sensor DOES NOT handle well.
57
+
58
+
### Parameter `port` (int)
59
+
60
+
This parameter specifies the port the sensor should connect to.
61
+
62
+
### Parameter `protocol` (Enum)
63
+
64
+
This parameter specifies the application protocol to be used to initiate a secure connection with _STARTTLS_.
65
+
66
+
Allowed values are: `smtp`, `lmtp`, and `ldap`.
67
+
68
+
### Parameter `cert_domainname` (str)
69
+
70
+
If the device address is specified as IP address or if the device name differs from the name used in the certificate, specify the name contained in the certificate with this parameter.
71
+
72
+
### Parameter `cert_domainname_validation` (Enum)
73
+
74
+
This parameter tells the sensor if and how it should validate `commonName` and/or `subjectAltName` certificate attributes.
75
+
76
+
Allowed values:
77
+
78
+
*`None`: do not validate names
79
+
*`cn`: validate the domain name against the certificate's _commonName_ attribute
80
+
*`cn_san`: validate the domain name against the certificate's _commonName_ and _subjectAltName_ attributes. With _subjectAltName_ only values of type _DNS_ are validated.
81
+
82
+
### Examples
83
+
84
+
1. The following parameter string validates the certificate of a mail server listening on port 7025 and expecting the _LMTP_ protocol. The certificate contains multiple names in the _subjectAltName_ attribute, the device address is specified as domain name and is contained in the _subjectAltName_ attribute:
0 commit comments