document SSL certificate expiration check

2024-11-12 13:25:19 +01:00
parent 5e98f6ac5d
commit 19cfe5fd81
1 changed files with 36 additions and 0 deletions
@@ -166,3 +166,39 @@ Note that you can reset this check after dealing with it by executing on the nod
 ```
 dmesg --clear
 ```
+
+## Extra Checks
+
+### TLS/SSL Certificate Expiration
+
+To monitor the expiration of one or more certificates you need to give the node in Hiera the additional server role `ssl-cert` (except for `role::jupyterserver`):
+
+```
+icinga2::additional_server_role:
+  - 'ssl-cert'
+```
+
+Then list what certificate files you want to have checked:
+
+```
+icinga2::service_check::customize:
+  'TLS/SSL Certificate Expiration':
+    ssl_cert_files:
+      - '/etc/xrdp/cert.pem'
+      - '/etc/httpd/ssl/node.crt'
+```
+
+Beside the file list you may set the warning time in days with the attribute `ssl_cert_warning` (`7` by default) and the critical time with the attribute `ssl_cert_critical` (3 by default).
+
+If you run your own PKI, you might also check a CA certificate for expiration with
+
+```
+icinga2::additional_server_role:
+  - 'ca-cert'
+
+icinga2::service_check::customize:
+  'CA Certificate Expiration':
+    ssl_cert_files:
+      - '/etc/my_pki/ca.pem'
+```
+Here the warning is below 180 days and below 30 days is critical by default.