Invoke-IcingaCheckCertificate Thresholds makes no sence #446
Description
from description:
######################################
Invoke-IcingaCheckCertificate
Description
Check whether a certificate is still trusted and when it runs out or starts.
Invoke-IcingaCheckCertificate returns either 'OK', 'WARNING' or 'CRITICAL', based on the thresholds set. e.g a certificate will run out in 30 days, WARNING is set to '20d:', CRITICAL is set to '50d:'. In this case the check will return 'WARNING'.
######################################
The Problem with the Example
There are two issues with the example:
Incorrect Thresholds: The CRITICAL threshold (50 days) is a longer time period than the WARNING threshold (20 days). Logically, a warning should trigger before a critical alert. The critical state should represent a more urgent condition (i.e., less time remaining).
Incorrect Result: Given the thresholds you set, a certificate expiring in 30 days should return CRITICAL, not WARNING. This is because 30 days is less than the 50-day critical threshold. Monitoring checks evaluate the most severe state that matches.
Also it is not possible to make a Warning greater the a Critical-->
Certificates: 1 Unknown Certificate 'SAZU001ADM' at SAZU001ADM.crt (valid until 2025-11-23 : 164d) valid for (All must be )
_ Certificate 'SAZU001ADM' at SAZU001ADM.crt (valid until 2025-11-23 : 164d) valid for: Warning threshold range "2592000" is greater than Critical threshold range "864000"