
Forum Discussion

OTS02
Aug 24, 2015

SNI External Monitor for ADFS

Kevin Stewart solved the mystery of why my built-in GTM monitor would not work against our ADFS servers (https://devcentral.f5.com/questions/monitor-for-adfs-server-gtm). The ADFS servers require SNI. He provided me with a script to create an external monitor. I created an external monitor in the GUI, and referenced the script, but cannot get it to work.


To troubleshoot, I created a test monitor against one of our websites hosted behind our LTMs, so that I could tcpdump in clear-text. The packet capture shows that the external monitor is calling for the page that is referenced in the script. I have tried grepping for several strings that the packet capture shows, but the server never gets marked "up". Do I need to enter arguments or variables in the external monitor GUI?


7 Replies

  • It seems the while loop inside getscript() was looping indefinitely, which only appears to happen as part of the monitor. Here's a minor tweak:

    #!/bin/bash

    pidfile="/var/run/$MONITOR_NAME.$1..$2.pid"

    # kill any previous instance of this monitor that is still running
    if [ -f $pidfile ]
        then
        kill -9 -`cat $pidfile` > /dev/null 2>&1
    fi

    echo "$$" > $pidfile

    # strip the IPv6-mapped prefix bigd prepends to the node address
    node_ip=`echo $1 |sed 's/::ffff://'`
    node_port=$2

    getscript () {
        echo 'GET / HTTP/1.1'
        echo 'Host: adfs.open-techs.com'
        echo ''
        sleep 1
        echo 'quit\n'
    }

    docurl () {
        IFS=$'\n'
        # note: stderr is redirected to the file /dev/nul as posted (not /dev/null), which is
        # why the certificate chain and "verify return:" lines can be read back from it
        arr=($(getscript | openssl s_client -connect ${node_ip}:${node_port} -cipher 'ECDHE-RSA-AES256-SHA' -servername 'adfs.open-techs.com' 2>/dev/nul |grep -E '200 OK'))
        unset IFS
    }

    docurl

    # un-comment while troubleshooting to see what the grep matched
    #echo ${arr[0]}

    if [ -n "${arr[0]}" ]
    then
        # Remove the pidfile before the script echoes anything to stdout and is killed by bigd
        rm -f $pidfile
        echo "up"
    fi

    # Remove the pidfile before the script ends
    rm -f $pidfile
    

    You may have to adjust the sleep statement depending on the application server's response.

  • Thanks Kevin. Applied new script. What shows up in /dev/nul is:

    depth=1 /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    read:errno=0


  • The best first steps to troubleshooting this script are:

    1. Un-comment the "echo ${arr[0]}" statement

    2. Execute this command from the command line with the required IP and port parameters:

      ./ocsp-monitor.sh 10.10.10.5 443
      

      With the echo un-commented you should see the results from the grep and optionally the "up" string.

    Have you tested the openssl command directly from the command line?

    openssl s_client -connect [IP:port] -cipher 'ECDHE-RSA-AES256-SHA' -servername 'adfs.open-techs.com'
    
  • OK - will do that.

    I added -CApath /etc/pki/tls/certs into the openssl line, and now I get:

    depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    verify return:1
    depth=1 /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA - G4
    verify return:1
    depth=0 /OU=GT96587017/OU=See www.geotrust.com/resources/cps (c)15/OU=Domain Control Validated - QuickSSL(R) Premium/CN=adfs.open-techs.com
    verify return:1
    read:errno=0


  • It may be worthwhile to test this manually. Execute the openssl command by itself, and if it succeeds you'll be left with an empty prompt (not the shell prompt). Type the following at that prompt to send the HTTP request:

    GET /adfs/ls/idpinitiatedsignon.aspx HTTP/1.1
    Host: adfs.open-techs.com
    [two carriage returns]
    

    If the SSL handshake and HTTP request were correct you should see the text of the HTTP response. This is essentially what the script is doing. By the way, I removed the "/adfs/ls/idpinitiatedsignon.aspx" URI from the GET line in the last script, so you'll probably want to re-add that. If all of that works, then it's just a matter of figuring out what you're going to be grepping for in the script.

  • Sorry Kevin - I don't know how to run this from the command line (./ocsp-monitor.sh 8.24.31.81 443). Tried it without the dot, without the dot and the slash. Tried it from tmsh.


  • The new script is working. Once I put the path (/adfs/ls/idpinitiatedsignon.aspx) in, everything is good. I'm sure that it would have worked with just the default (GET /), if I had grepped for a 404 status.

    Still I would like to be able to see the full output to /dev/nul. Thanks again Kevin!
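The point the thread ends on (grep for the status the application actually returns, and keep stderr out of the grep) as an added example that is not Kevin Stewart's script, OTS02's, or F5's. It parses the HTTP status line instead of matching the literal "200 OK"; the host, path and CApath are the values quoted in the thread and are assumptions for any other site.

```shell
#!/bin/bash
# Added example for this thread, not the monitor script posted above.
# Three separate pieces: the SNI request, status-line parsing, and the
# up/down decision. Pidfile bookkeeping from the posted script is omitted.

# Send one request over TLS with SNI; raw response (headers + body) on stdout.
# The certificate chain and "verify return:" lines go to stderr, so 2>/dev/null
# keeps them away from the status check (the typo /dev/nul creates a file).
# The sleep keeps stdin open so s_client does not close on EOF before the
# response arrives; Connection: close lets the server end the session.
sni_get() {
    ip="$1"; port="$2"; host="$3"; path="$4"
    { printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host"
      sleep 2; } \
    | openssl s_client -connect "$ip:$port" -servername "$host" \
        -CApath /etc/pki/tls/certs 2>/dev/null
}

# Read a response on stdin and print the numeric status from its first
# HTTP status line ("200", "404", ...). Prints nothing if none is found.
http_status() {
    tr -d '\r' | grep -E '^HTTP/1\.[01] [0-9]{3}' | head -n 1 | awk '{print $2}'
}

# $1 is the observed status, the rest are the statuses that count as healthy.
# Prints "up" and returns 0 on a match; prints nothing and returns 1 otherwise.
monitor_verdict() {
    code="$1"; shift
    for ok in "$@"; do
        if [ "$code" = "$ok" ]; then
            echo up
            return 0
        fi
    done
    return 1
}

# End-to-end check as bigd would call it: node IP and port as arguments.
# "GET /" answered 404 in the thread, so the sign-on page is requested
# and only a 200 marks the node up (assumed expectation for this site).
check_adfs() {
    status=$(sni_get "$1" "$2" adfs.open-techs.com /adfs/ls/idpinitiatedsignon.aspx | http_status)
    monitor_verdict "$status" 200
}
```

Run `./monitor.sh` functions from a shell on the BIG-IP as in the thread (`check_adfs 10.10.10.5 443`); the pidfile handling from the posted script still belongs in the version bigd runs.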