
Scanning

The Icinga Certificate Monitoring module provides CLI commands to scan hosts and IPs in various ways. These commands are listed below and can be used individually. All commands need to know which IP address ranges and ports to scan; these are configured as described in the configuration section.

Scan Command

The scan command scans targets to find their X.509 certificates and tracks changes to them. A target is an IP-port combination generated from the job configuration, taking configured SNI maps into account, so that targets serving multiple certificates are also scanned properly.

By default, successive calls to the scan command perform partial scans, checking both targets not yet scanned and targets whose scan is older than 24 hours, to ensure that all targets are rescanned over time and new certificates are collected. This behavior can be customized through the command options.

Note

When rescanning due targets, they will be rescanned regardless of whether the target previously provided a certificate or not, to collect new certificates, track changed certificates, and remove decommissioned certificates.

Usage

The scan command is invoked like any other Icinga Web CLI command: icingacli x509 scan [OPTIONS]

Options:

--job=<name>                Scan targets that belong to the specified job. (Required)
--since-last-scan=<time>    Scan targets whose last scan is older than the specified date/time, which can also be an
                            English textual datetime description like "2 days". Defaults to "-24 hours".
--rescan                    Rescan only targets that have been scanned before.
--full                      (Re)scan all known and unknown targets. This will override the "rescan" and "since-last-scan" options.
--parallel=<number>         Allow parallel scanning of targets up to the specified number. Defaults to 256.
                            May cause **too many open files** error if set to a number higher than the configured one (ulimit).

Example

Scan all targets that have not yet been scanned, or whose last scan is older than a certain date/time:

# icingacli x509 scan --job <name> --since-last-scan '3 days'

Scan only unknown targets:

# icingacli x509 scan --job <name> --since-last-scan=null

Scan only known targets:

# icingacli x509 scan --job <name> --rescan

Scan only known targets whose last scan is older than a given date/time:

# icingacli x509 scan --job <name> --rescan --since-last-scan '5 days'

Scan all known and unknown targets:

# icingacli x509 scan --job <name> --full
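To make the target-generation and "due target" rules described above concrete, here is an added Python model of that logic; it is not the module's own code, the IP ranges, ports, SNI map and last-scan times are constructed, and parse_age accepts only a small subset of the English datetime descriptions the real --since-last-scan option understands.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network

@dataclass(frozen=True)
class Target:
    ip: str
    port: int
    sni: "str | None" = None  # hostname sent via SNI, when the IP has an SNI map entry

def expand_targets(cidrs, ports, sni_map):
    """Every IP in the ranges x every port; an SNI-mapped IP yields one target per hostname."""
    targets = []
    for cidr in cidrs:
        net = ip_network(cidr, strict=False)
        hosts = [net.network_address] if net.num_addresses == 1 else net.hosts()
        for ip in hosts:
            for port in ports:
                for sni in sni_map.get(str(ip)) or [None]:
                    targets.append(Target(str(ip), port, sni))
    return targets

_AGE = re.compile(r"^-?\s*(\d+)\s*(hour|day|week)s?$")
_UNITS = {"hour": timedelta(hours=1), "day": timedelta(days=1), "week": timedelta(weeks=1)}

def parse_age(text):
    """Minimal stand-in for the English --since-last-scan value ("3 days", "-24 hours")."""
    m = _AGE.match(text.strip().lower())
    if not m: raise ValueError(f"unsupported age description: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]  # sign ignored: it always means "this long ago"

def select_due(last_scans, now, since="-24 hours", rescan=False, full=False):
    """Apply the scan option rules to {Target: last scan time or None}; return what gets scanned."""
    if full:                                   # --full overrides --rescan and --since-last-scan
        return list(last_scans)
    cutoff = None if since is None else now - parse_age(since)  # None == --since-last-scan=null
    due = []
    for target, last in last_scans.items():
        if last is None:                       # unknown target: included unless --rescan
            if not rescan: due.append(target)
        elif cutoff is not None and last < cutoff:   # known target whose scan is older than cutoff
            due.append(target)
    return due
# Constructed sample state: four targets with different last-scan ages.
NOW = datetime(2024, 1, 10, 12, 0)
TARGETS = expand_targets(["192.0.2.0/30", "198.51.100.7"], [443],
                         {"192.0.2.1": ["www.example.com", "api.example.com"]})
LAST_SCANS = dict(zip(TARGETS, [NOW - timedelta(hours=30), NOW - timedelta(hours=2),
                                None, NOW - timedelta(days=6)]))
```

Calling select_due with the option combinations from the examples above shows which of the four sample targets each invocation would scan.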

Scheduling Jobs

The jobs command is similar to the scan command, but it additionally allows you to schedule your jobs in a more convenient way. This is used by the default systemd service of this module as well. By default, this command will run all your configured jobs based on their frequency. This behaviour can be customized through the command options too. Since you can have multiple schedules for a single job, all job schedules can also be scheduled individually.

Usage

The jobs command is invoked like any other Icinga Web CLI command: icingacli x509 jobs run [OPTIONS]

Options:

--job=<name>            Run all configured schedules only of the specified job.
--schedule=<name>       Run only the given schedule of the specified job.
                        Providing a schedule name without a job will fail immediately.
--parallel=<number>     Allow parallel scanning of targets up to the specified number. Defaults to 256.
                        May cause **too many open files** error if set to a number higher than the configured one (ulimit).