VMwareVMware vRealize (Aria)

Monitoring SSL Certificates with VMware vROps / Aria Operations 8.x

Over 2 years ago I posted a how-to guide on how you can Monitor your SSL Certificate Expiry dates with vROps. With the new versions of vROps since then and the launch of VMware’s Aria Operations, a few things have changed so I am posting this new guide to reflect the newer version of the solution.

There are a few steps to get this to all work. You can read through this guide in order or use the links in the contents section (above) to skip out sections you already have working.

Deploy a vROps Cloud Proxy and connect to your vROps cluster

The vROps proxy allows you to connect many thousands of VMs to vROps via this middle-layer. This is necessary for scalability purposes by limiting the number of direct connections to the vROps cluster. As you can imagine, there is also a security benefit of deploying and using a vROps Cloud Proxy.

If you already have a suitably located Cloud Proxy setup in vROps, you can skip this step.

Deploy a vROps Cloud Proxy

From within the vROps User Interface, navigate to Data Sources > Cloud Proxies

Select New

Deployment is as simple as following the on-screen instructions.

Preferably, use the copy option next to the Download Cloud Proxy OVA button and deploy the new OVA from within the vCenter server by using this URL. This will save you the time to download and re-upload to vCenter Server later.

Power on the Cloud Proxy

After you have deployed the OVA (Specifying the required information such as network information and the OTK (See above screenshot) then power on the appliance from vCenter Server.

I like to watch the VM console while the Cloud Proxy is powering on, once ready it will look like the following:

Check the Cloud Proxy is connected to vROps

After the Cloud PRoxy is deployed, within vROps navigate back to Data Sources > Cloud Proxies and you should see the new Cloud Proxy listed on the page. It usually takes 5 minutes to show up in the vROps UI.

Before continuing ensure the Cloud Proxy status is “Online”

Deploy the Telegraf agent on a Management VM

We now need somewhere for the SSL checks to run from. Ideally, this would be a Windows VM that is listed within your vROps environment. I’m calling this the Management System. This system will need to be able to communicate to the webservers you wish to monitor the SSL certificates for.

Install Telegraf onto a Virtual Management Machine (VM)

If your management system VM is monitored by vROps via the vCenter Server adapter, then you can automatically deploy, upgrade and manage the entire lifecycle of the agent directly from the vROps UI.

To do this, navigate to Environment > Applications > Manage Telegraf Agents

Select the VM to deploy the Telegraf agent onto.

Then select the three dots (…) to select the Install option

Select the correct Cloud Proxy in the next window and Done.

Provide Telegraf Agent Credentials

We now need to select or provide credentials for the agent installation

Since we are only installing one agent we can just choose to enter the virtual machine credentials.

You are now presented with some information about the credentials.

In this lab I will be installing the Telegraf agent onto a Windows machine with an administrator user account, UAC being already disabled but you should follow the guidelines accordingly for your environment and specific circumstances and security policies.

So for my lab environment, all I need to do is download the file and add my administrator account user and password towards the end of the line, under the correct heading:

You’ll notice that the VM Resource ID and other details are already pre-populated.

  • Save the file and go back to the UI to upload it.
  • Permanently delete the CSV file.
  • Select Install Agent in the UI.

After a few moments and a refresh of the vROps UI, you will see the Last operation status of the agent change to Install in Progress. Wait for it to complete.

And complete:

Copy the PowerShell script to the Management system

Once the Agent is installed, copy the provided PowerShell script to the system, I have copied it into C:\Scripts\vrops-ssl-check.ps1

Add-Type @"
	using System.Net;
	using System.Security.Cryptography.X509Certificates;
	public class TrustAllCertsPolicy : ICertificatePolicy {
		public bool CheckValidationResult(
		ServicePoint srvPoint, X509Certificate certificate,
		WebRequest request, int certificateProblem) {
			return true;
		}
	}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Ssl3, [Net.SecurityProtocolType]::Tls, [Net.SecurityProtocolType]::Tls11, [Net.SecurityProtocolType]::Tls12
$Website = $args[0]

try {
	$WebRequest = [Net.HttpwebRequest]::Create($Website)
	$WebRequest.Timeout = 5000
	$WebRequest.GetResponse() | Out-Null
	$SSLCertificateExpirationDateString = $WebRequest.ServicePoint.Certificate.GetExpirationDateString()
	$SSLCertificateDateTime = [Datetime]::ParseExact($SSLCertificateExpirationDateString, "dd/MM/yyyy HH:mm:ss", $null)
	$SSLCertificateDaysRemaining = ($SSLCertificateDateTime - $(Get-Date)).Days
	
	Write-Host $SSLCertificateDaysRemaining
}

catch {
	Write-Host "ERROR|$error"
}

Test the script is working

Open a PowerShell terminal on the Management System VM

Try the following:

  • C:\Scripts\vrops-ssl-check.ps1 https://virtualg.uk 443
  • Change the FQDN and Port as necessary

The script should return the number of days left before the SSL certificate expires:

In my case, the number 83 is returned. We can confirm this by looking at the SSL certificate of the website:

A quick check via an online “Days until” calculator suggests the number of days until 13th January 2023 (when the certificate expires) is 83 days, so the script is working correctly.

Setup the Custom Script

Back in the vROps UI, Open Applications > Manage Telegraf Agents

Locate your Management System and select the dropdown icon to the left of the VM Name

Select the three dots (…) next to Custom Script and press Add.

On the pane on the right of the page, enter the following details:

  • Display Name SSL Check virtualg.uk
    • For the Display Name (I suggest you use the FQDN of the domain you wish to monitor the SSL certificate expiry for here)
  • File Path C:\Scripts\vrops-ssl-check.ps1
  • Prefix powershell
  • Args https://virtualg.uk 443
    • For the Args, the first arg should be the address of the web server with the SSL cert to monitor and the second should the SSL port, ie 443
  • Timeout 1 minute

Save the Custom Script

Add additional scripts, one per webserver to monitor

Test the script is working in vROps

Within the vROps UI, navigate to Environment> Object Browser > All Objects > VMware vRealize Application Management Pack > Custom Script > and select “Custom Script on (Your VM name here)

This will open up a summary tab:

Select the Metrics Tab on the top

Expand Metrics > Scripts > SSL Check virtualg.uk on (Your VM Name) or equivilent

Now you can see the number of days until expiry for the corresponding SSL certificate in a standard metric picker.

If your Custom Script is not showing, wait 5 minutes and try again.

With this data now in vROps, you can create Symptoms, Alerts, Views, Metrics, and Reports based on this metric. You could of course modify the script to output different data but be aware that each script can only output one metric value. You can create multiple scripts and add them as Custom Scripts against your Management System to bring them into vROps.

Don’t forget that for each website you wish to monitor, you’ll need to create a new Custom Script entry against the VM. Recall that you do this under Environment > Applications > Manage Telegraf Agents > Select the dropdown next to the VM with the agent installed, then the three dots next to Custom Script and Add.

Installing the vROps SSL Dashboard

Download the Dashboard I created over at the official VMware Developer Portal (No login required to download) https://developer.vmware.com/web/dp/samples?id=8001

Navigate to Visualize > Dashboards within the vROps UI

Select Manage > (three dots) > Import

Upload the Dashboard JSON file which we downloaded earlier

Open the new dashboard with the name SSL Certificate Expiry Dashboard

Action > Edit

You can delete the Instructions Widget at the top of the page

On the SSL Certificates Widget, select the pencil to edit it

Under Scoreboard > Configuration change Self Provider to On

Under Input Data select Metrics Then the plus + icon

Use the search on the left side for “Custom Script” and select the correct Management System from earlier:

Now on the right side expand Metrics > Scripts

Select all the scripts to show on the dashboard. You can use the CTRL key to select more than one.

Save the dashboard, or make further cosmetic changes to the scoreboard widget as required (For example changing the values to Yellow, Orange, or Red depending on the number of days until SSL certificate expiry)

You can also add a link for each SSL certificate check to go to the appropriate site by clicking the metric in the dashboard.

Save the Dashboard

Now you have a simple way to monitor your SSL Certificate expiry dates. Remember you can also make Symptoms, Alerts, and Reports based on this data.

Feedback

If you found this guide useful, consider subscribing to my mailing list or following me on Twitter @Virtualg_UK for more useful guides and updates.

You can use those platforms to contact me about any issues or suggestions for this guide.

I also upload various VMware-related content on YouTube.

author avatar
Graham
Graham works closely with VMware & Microsoft solutions. He is a VMware Certified Implementation Expert, 8x VMware vExpert & a VMware User Moderator on the official VMware VMTN forums. Feel free to reach out via Twitter @VirtualG.uk or email: contact@virtualg.uk

Leave a Response

This site uses Akismet to reduce spam. Learn how your comment data is processed.