On 8/25/20 8:38 PM, Imre Jonk wrote:
> Probably not what you wanted to hear, but I'm happily using the DebOps Icinga
> roles for this ;)

On the contrary, this is really triggering (masochism?) :-D

> I'm rigorously monitoring all services including all TLS certificates that are
> in use. Icinga has check_ssl_cert for this. I use it to monitor:
> - Certificate chain validity
> - Certificate expiration
> - OCSP status
> - Common name of certificate issuer (in case the certificate gets reissued by
>   the wrong CA)
> - DANE validity
> - All of the above with StartTLS-enabled services as well
>
> Icinga, as well as the Icinga web interface, has a steep initial learning
> curve. For me it was absolutely worthwhile.

So far, every single heavily committed choice I have made has paid back
(Even DVORAK!) and I'm dreaming of a centralized and extensive
monitoring service.
Thanks a lot for this precious insight.
Dam