...
There are no Nagios plugins in any Ubuntu package that can check the status of SQL Server, but Nagios Exchange does list a number of them. They are written in various languages (Perl, Python, PHP), and they all rely on FreeTDS, a set of libraries for Unix and Linux that allows programs to natively talk to Microsoft SQL Server and Sybase databases. The bad part is that this library does not support IPv6, hence none of the mentioned plugins work with my server.
After asking around on the FreeTDS mailing list, a guy called Peter Deacon wrote a patch that adds IPv6 support. I did some testing with Perl, and after forcefully installing a newer version of DBD::Sybase I was able to successfully connect to my SQL Server using a Perl script that uses DBD::Sybase.
With the FreeTDS library now supporting IPv6 connections, I went to the Nagios Exchange and picked check_mssql_health, which can do rather elaborate checks on all sorts of SQL Server properties.
SSL certificate expiration date
...
Connecting to SQL Server on port 1433 does not do anything, so that's a dead end. Connecting to RDP on port 3389, however, gives a nice TLS 1.0 handshake:
```
bofh@nagios:~$ gnutls-cli hayek.terena.org -p 3389 --x509cafile /etc/ssl/certs/ca-certificates.crt
Processed 142 CA certificate(s).
Resolving 'hayek.terena.org'...
Connecting to '2001:610:148:bad:250:56ff:fe86:9:3389'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `C=NL,O=TERENA,OU=CFO,CN=hayek.terena.org', issuer `C=NL,O=TERENA,CN=TERENA SSL CA', RSA key 2048 bits, signed using RSA-SHA, activated `2013-01-23 00:00:00 UTC', expires `2016-01-23 23:59:59 UTC', SHA-1 fingerprint `513523a823b8d5c15c30a80f2772e58d826605ba'
- Certificate[1] info:
 - subject `C=NL,O=TERENA,CN=TERENA SSL CA', issuer `C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware', RSA key 2048 bits, signed using RSA-SHA, activated `2009-05-18 00:00:00 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `3a881764472b6441ddb3afdd47c6b8b76ee7ba1d'
- Certificate[2] info:
 - subject `C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware', issuer `C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root', RSA key 2048 bits, signed using RSA-SHA, activated `2005-06-07 08:09:10 UTC', expires `2020-05-30 10:48:38 UTC', SHA-1 fingerprint `3d4b2a4c64317143f50258d7e6fd7d3c021a529e'
- The hostname in the certificate matches 'hayek.terena.org'.
- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed
```
...
This indicates that it is possible to monitor the certificate the same way as with HTTPS web sites. I tested this and it works.
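One way to turn the handshake output above into a Nagios-style check, as an added example that is not part of the original page. It reads `gnutls-cli` output, takes the soonest expiry anywhere in the chain (not only the leaf) and maps it to the standard plugin exit codes; the 30/7-day thresholds and the function names are assumptions.

```python
import re
import sys
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes

# gnutls-cli output from this page, trimmed to the fields the check reads.
SAMPLE = """\
- Certificate[0] info:
 - subject `C=NL,O=TERENA,OU=CFO,CN=hayek.terena.org', issuer `C=NL,O=TERENA,CN=TERENA SSL CA', activated `2013-01-23 00:00:00 UTC', expires `2016-01-23 23:59:59 UTC'
- Certificate[1] info:
 - subject `C=NL,O=TERENA,CN=TERENA SSL CA', issuer `C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware', activated `2009-05-18 00:00:00 UTC', expires `2020-05-30 10:48:38 UTC'
- The hostname in the certificate matches 'hayek.terena.org'.
- Peer's certificate is trusted
"""

CERT_RE = re.compile(
    r"- Certificate\[(\d+)\] info:\s*- subject `([^']*)'.*?expires `([^']+) UTC'", re.S)

def parse_chain(output):
    """Return [(index, subject, expiry)] for every certificate the server sent."""
    chain = []
    for idx, subject, expires in CERT_RE.findall(output):
        when = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        chain.append((int(idx), subject, when))
    return chain

def check(output, now, warn_days=30, crit_days=7):
    """Map the handshake output to a Nagios (exit_code, message) pair."""
    chain = parse_chain(output)
    if not chain:
        return UNKNOWN, "UNKNOWN - no certificate found in gnutls-cli output"
    if "- Peer's certificate is trusted" not in output:
        return CRITICAL, "CRITICAL - certificate chain not reported as trusted"
    # The soonest expiry decides: an expired intermediate breaks the leaf too.
    idx, subject, expires = min(chain, key=lambda c: c[2])
    days = (expires - now).days  # negative once the certificate has expired
    msg = f"certificate[{idx}] '{subject}' expires in {days} day(s) on {expires:%Y-%m-%d}"
    if days < crit_days:
        return CRITICAL, "CRITICAL - " + msg
    if days < warn_days:
        return WARNING, "WARNING - " + msg
    return OK, "OK - " + msg

if __name__ == "__main__":
    code, message = check(sys.stdin.read(), datetime.now(timezone.utc))
    print(message)
    sys.exit(code)
```

Saved under a hypothetical name such as `check_rdp_cert.py`, it is fed the output of the `gnutls-cli` command shown above with stdin redirected from `/dev/null`, so the client exits after the handshake.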
Concluding, this is what the monitoring looks like in the end:
...