Forum Discussion
SNMP Trap for Expired Certificates
Can anyone provide an example of the user_alert.conf file displaying a trap for expired certificates on the BIG-IP? I have read the article below, though it is still not clear to me how to perform this function. Also, I have read several different methods for monitoring for expired or expiring SSL certificates; does anyone have a preference or recommendation?
http://support.f5.com/kb/en-us/solutions/public/3000/700/sol3727.html
this is mine. you may have to correct the matched message in user_alert.conf.
sol14318: Monitoring SSL certificate expiration on the BIG-IP system (11.x)
http://support.f5.com/kb/en-us/solutions/public/14000/300/sol14318.html
sol11127: Testing SNMP traps on the BIG-IP system (9.4.x - 11.x)
http://support.f5.com/kb/en-us/solutions/public/11000/100/sol11127.html
e.g.

// config
[root@ve11a:Active:In Sync] config cat /config/user_alert.conf
alert TEST "Certificate (.*) in file (.*) will expire on (.*)" {
   email toaddress="nitass" fromaddress="whatever" body="Help, I am going to expire."
}

// test
[root@ve11a:Active:In Sync] config logger -p local0.warn "01420007:4: Certificate CN=www.com,L=Seattle,ST=WA,C=US in file /Common/site1.crt will expire on May 27 14:56:25 2014 GMT"
[root@ve11a:Active:In Sync] config

// email
-----Original Message-----
From: root [mailto:root@ve11a.acme.local]
Sent: Saturday, August 16, 2014 3:36 PM
To: Nitass
Subject: 01420007:4: Certificate CN=www.com,L=Seattle,ST=WA,C=US in file /Common/site1.crt will expire on May 27 14:56:25 2014 GMT

Help, I am going to expire.
- nitass (Employee)
> What SMTP configuration is used when sending email from the BIG-IP? Under System Configuration > Device > SMTP I have configured my Exchange server, though I am not sure if this is the only configuration that needs to be made or if it is even needed.
Can you try this?
sol13180: Configuring the BIG-IP system to deliver locally-generated email messages (11.x)
- nitass (Employee)
Based on sol13180, in 11.5.0 and later we will use the tmsh command (tmsh modify sys outbound-smtp mailhub), won't we?
- Dev_56330 (Cirrus)
This was indeed the last part of the configuration. My only concern with this was the fact that it said "DO NOT EDIT" this file, which goes against what the solution article states. Nonetheless, I am now receiving email alerts. Thank you!
- Dev_56330 (Cirrus)
Thanks. I have configured the user_alert.conf file as follows and used the provided solution article to test the SNMP trap, though I am still not receiving email. What SMTP configuration is used when sending email from the BIG-IP? Under System Configuration > Device > SMTP I have configured my Exchange server, though I am not sure if this is the only configuration that needs to be made or if it is even needed. I have also validated that email is flowing between my internal users, so Exchange is not the issue in this case. Any thoughts?

alert Test "Certificate (.*) in file (.*) will expire on (.*)" {
   email toaddress="validemailaddress@lab.com" fromaddress="anything@lab.com" body="A certificate is about to expire"
}
alert Test1 "Certificate (.*) in file (.*) expired on (.*)" {
   email toaddress="validemailaddress@lab.com" fromaddress="anything@lab.com" body="A certificate has expired"
}
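As an added check (example code written for this page, not from F5 or any of the posters): a small Python script that runs the two match strings from the user_alert.conf entries in this thread against constructed log lines in the 01420007 message format quoted above, so you can confirm which entry fires for "will expire on" versus "expired on" and how far each certificate is from expiry before relying on the email alert. The sample lines and the reference time are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Match strings from the two user_alert.conf entries in the thread, keyed by
# alert name. alertd searches for the pattern inside the logged message.
USER_ALERT_PATTERNS = {
    "Test": r"Certificate (.*) in file (.*) will expire on (.*)",
    "Test1": r"Certificate (.*) in file (.*) expired on (.*)",
}

# Constructed sample log lines in the 01420007 message format quoted above;
# the third line is unrelated noise that must not trigger either alert.
SAMPLE_LOG = """\
01420007:4: Certificate CN=www.com,L=Seattle,ST=WA,C=US in file /Common/site1.crt will expire on May 27 14:56:25 2014 GMT
01420007:4: Certificate CN=old.lab,O=Lab in file /Common/old.crt expired on Jan 01 00:00:00 2014 GMT
01070638:5: Pool member /Common/web1:80 monitor status up.
"""

# Constructed reference time for the checks below (an assumption, not BIG-IP data).
REFERENCE_NOW = datetime(2014, 5, 1, tzinfo=timezone.utc)

def parse_expiry(text):
    """Parse the 'Mon DD HH:MM:SS YYYY GMT' timestamp BIG-IP prints after 'expire on'."""
    text = re.sub(r"\s*GMT$", "", text.strip())
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def match_alert(line, patterns=USER_ALERT_PATTERNS):
    """Return (alert_name, subject, cert_file, expiry) for the first entry that matches, else None."""
    for name, pattern in patterns.items():
        m = re.search(pattern, line)
        if m:
            subject, cert_file, when = m.groups()
            return name, subject, cert_file, parse_expiry(when)
    return None

def days_remaining(expiry, now):
    """Whole days until expiry; negative once the certificate has already lapsed."""
    return round((expiry - now).total_seconds() / 86400)

def scan(log=SAMPLE_LOG, now=REFERENCE_NOW):
    """List (alert_name, cert_file, days_remaining) for every line that would alert."""
    hits = []
    for line in log.splitlines():
        hit = match_alert(line)
        if hit:
            name, _subject, cert_file, expiry = hit
            hits.append((name, cert_file, days_remaining(expiry, now)))
    return hits
```

If a line you copied from /var/log/ltm comes back as None, the match string in user_alert.conf needs adjusting, which is the same check nitass's logger test performs on the box itself.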
- PeteWhite (Employee)
"tmsh run sys crypto check-cert verbose enabled stdout enabled" will show you the certificate states.
Example alert.conf entries:

/* from gtmd/big3d (CR87209) */
alert BIGIP_GTMD_GTMD_SSL_CERT_EXPIRED {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.83";
}
alert BIGIP_GTMD_GTMD_SSL_CERT_WILL_EXPIRE {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.84";
   email toaddress="anyone@anywhere.com" fromaddress="root" body="A certificate is about to expire"
}
alert BIGIP_BIG3D_BIG3D_SSL_CERT_EXPIRED {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.81";
}
alert BIGIP_BIG3D_BIG3D_SSL_CERT_WILL_EXPIRE {
   snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.82";
}