Forum Discussion

Dev_56330's avatar
Dev_56330
Icon for Cirrus rankCirrus
Aug 15, 2014

SNMP Trap for Expired Certificates

Can anyone provide an example of the useralert.conf file displaying a trap for expired certificates on the Big IP? I have read the article below though it is still not clear to me on how to perform this function. Also, I have read several different methods for monitoring for expired or expiring SSL certificates though does anyone have a preference or recommendation?

 

http://support.f5.com/kb/en-us/solutions/public/3000/700/sol3727.html

 

  • this is mine. you may have to correct the matched message in user_alert.conf.

    sol14318: Monitoring SSL certificate expiration on the BIG-IP system (11.x)

    http://support.f5.com/kb/en-us/solutions/public/14000/300/sol14318.html

    sol11127: Testing SNMP traps on the BIG-IP system (9.4.x - 11.x)

    http://support.f5.com/kb/en-us/solutions/public/11000/100/sol11127.html

    e.g.

    // config
    
    [root@ve11a:Active:In Sync] config  cat /config/user_alert.conf
    alert TEST "Certificate (.*) in file (.*) will expire on (.*)" {
       email toaddress="nitass"
       fromaddress="whatever"
       body="Help, I am going to expire."
    }
    
    // test
    
    [root@ve11a:Active:In Sync] config  logger -p local0.warn "01420007:4: Certificate CN=www.com,L=Seattle,ST=WA,C=US in file /Common/site1.crt will expire on May 27 14:56:25 2014 GMT"
    [root@ve11a:Active:In Sync] config 
    
    // email
    
    -----Original Message-----
    From: root [mailto:root@ve11a.acme.local] 
    Sent: Saturday, August 16, 2014 3:36 PM
    To: Nitass
    Subject: 01420007:4: Certificate CN=www.com,L=Seattle,ST=WA,C=US in file /Common/site1.crt will expire on May 27 14:56:25 2014 GMT
    
    Help, I am going to expire.
    
  • What SMTP configuration is used when sending email from the big IP? Under system configuration > Device > SMTP I have configured my exchange server though I am not sure if this is the only configuration that needs to be made or if it is even needed.

     

    can you try this?

     

    sol13180: Configuring the BIG-IP system to deliver locally-generated email messages (11.x)

     

    http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13180.html

     

    • nitass's avatar
      nitass
      Icon for Employee rankEmployee
      based on sol13180, in 11.5.0 and later we will use tmsh command (tmsh modify sys outbound-smtp mailhub), won't we?
    • Dev_56330's avatar
      Dev_56330
      Icon for Cirrus rankCirrus
      This was indeed the last part of the configuration. My only concern with this was the fact it said "DO NOT EDIT" this file which goes against what the solution article states. None the less, I am now receiving email alerts. Thank you!
  • What SMTP configuration is used when sending email from the big IP? Under system configuration > Device > SMTP I have configured my exchange server though I am not sure if this is the only configuration that needs to be made or if it is even needed.

     

    can you try this?

     

    sol13180: Configuring the BIG-IP system to deliver locally-generated email messages (11.x)

     

    http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13180.html

     

    • nitass_89166's avatar
      nitass_89166
      Icon for Noctilucent rankNoctilucent
      based on sol13180, in 11.5.0 and later we will use tmsh command (tmsh modify sys outbound-smtp mailhub), won't we?
    • Dev_56330's avatar
      Dev_56330
      Icon for Cirrus rankCirrus
      This was indeed the last part of the configuration. My only concern with this was the fact it said "DO NOT EDIT" this file which goes against what the solution article states. None the less, I am now receiving email alerts. Thank you!
  • this is mine. you may have to correct the matched message in user_alert.conf.

    sol14318: Monitoring SSL certificate expiration on the BIG-IP system (11.x)

    http://support.f5.com/kb/en-us/solutions/public/14000/300/sol14318.html

    sol11127: Testing SNMP traps on the BIG-IP system (9.4.x - 11.x)

    http://support.f5.com/kb/en-us/solutions/public/11000/100/sol11127.html

    e.g.

    // config
    
    [root@ve11a:Active:In Sync] config  cat /config/user_alert.conf
    alert TEST "Certificate (.*) in file (.*) will expire on (.*)" {
       email toaddress="nitass"
       fromaddress="whatever"
       body="Help, I am going to expire."
    }
    
    // test
    
    [root@ve11a:Active:In Sync] config  logger -p local0.warn "01420007:4: Certificate CN=www.com,L=Seattle,ST=WA,C=US in file /Common/site1.crt will expire on May 27 14:56:25 2014 GMT"
    [root@ve11a:Active:In Sync] config 
    
    // email
    
    -----Original Message-----
    From: root [mailto:root@ve11a.acme.local] 
    Sent: Saturday, August 16, 2014 3:36 PM
    To: Nitass
    Subject: 01420007:4: Certificate CN=www.com,L=Seattle,ST=WA,C=US in file /Common/site1.crt will expire on May 27 14:56:25 2014 GMT
    
    Help, I am going to expire.
    
    • Dev_56330's avatar
      Dev_56330
      Icon for Cirrus rankCirrus
      Thanks. I have configured the user_alert.conf file as follows and used the provided solution article to test the SNMP trap though I am still not receiving email. What SMTP configuration is used when sending email from the big IP? Under system configuration > Device > SMTP I have configured my exchange server though I am not sure if this is the only configuration that needs to be made or if it is even needed. I have also validated email is flowing between my internal users so exchange is not the issue in this case. Any thoughts? alert Test "Certificate (.*) in file (.*) will expire on (.*)" { email toaddress="validemailaddress@lab.com" fromaddress="anything@lab.com" body="A certificate is about to expire" } alert Test1 "Certificate (.*) in file (.*) expired on (.*)" { email toaddress="validemailaddress@lab.com" fromaddress="anything@lab.com" body="A certificate has expired" }
  • this is mine. you may have to correct the matched message in user_alert.conf.

    sol14318: Monitoring SSL certificate expiration on the BIG-IP system (11.x)

    http://support.f5.com/kb/en-us/solutions/public/14000/300/sol14318.html

    sol11127: Testing SNMP traps on the BIG-IP system (9.4.x - 11.x)

    http://support.f5.com/kb/en-us/solutions/public/11000/100/sol11127.html

    e.g.

    // config
    
    [root@ve11a:Active:In Sync] config  cat /config/user_alert.conf
    alert TEST "Certificate (.*) in file (.*) will expire on (.*)" {
       email toaddress="nitass"
       fromaddress="whatever"
       body="Help, I am going to expire."
    }
    
    // test
    
    [root@ve11a:Active:In Sync] config  logger -p local0.warn "01420007:4: Certificate CN=www.com,L=Seattle,ST=WA,C=US in file /Common/site1.crt will expire on May 27 14:56:25 2014 GMT"
    [root@ve11a:Active:In Sync] config 
    
    // email
    
    -----Original Message-----
    From: root [mailto:root@ve11a.acme.local] 
    Sent: Saturday, August 16, 2014 3:36 PM
    To: Nitass
    Subject: 01420007:4: Certificate CN=www.com,L=Seattle,ST=WA,C=US in file /Common/site1.crt will expire on May 27 14:56:25 2014 GMT
    
    Help, I am going to expire.
    
    • Dev_56330's avatar
      Dev_56330
      Icon for Cirrus rankCirrus
      Thanks. I have configured the user_alert.conf file as follows and used the provided solution article to test the SNMP trap though I am still not receiving email. What SMTP configuration is used when sending email from the big IP? Under system configuration > Device > SMTP I have configured my exchange server though I am not sure if this is the only configuration that needs to be made or if it is even needed. I have also validated email is flowing between my internal users so exchange is not the issue in this case. Any thoughts? alert Test "Certificate (.*) in file (.*) will expire on (.*)" { email toaddress="validemailaddress@lab.com" fromaddress="anything@lab.com" body="A certificate is about to expire" } alert Test1 "Certificate (.*) in file (.*) expired on (.*)" { email toaddress="validemailaddress@lab.com" fromaddress="anything@lab.com" body="A certificate has expired" }
  • "tmsh run sys crypto check-cert verbose enabled stdout enabled" will show you the certificate states

    Example alert.conf entries:

    * from gtmd/big3d  (CR87209)
     */
    alert BIGIP_GTMD_GTMD_SSL_CERT_EXPIRED {
            snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.83";
    }
    alert BIGIP_GTMD_GTMD_SSL_CERT_WILL_EXPIRE {
            snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.84";
            email toaddress="anyone@anywhere.com"
            fromaddress="root"
            body="A certificate is about to expire"
    }
    alert BIGIP_BIG3D_BIG3D_SSL_CERT_EXPIRED {
            snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.81";
    }
    alert BIGIP_BIG3D_BIG3D_SSL_CERT_WILL_EXPIRE {
            snmptrap OID=".1.3.6.1.4.1.3375.2.4.0.82";
    }