SSL certificate monitoring

RIDS_I2MP
Posts: 751
Joined: Thu Mar 13, 2014 9:25 am

SSL certificate monitoring

Post by RIDS_I2MP »

Hi Team,

OS version : Centos 8
Nagios XI version: 5.7.1

We want to monitor SSL certificate for our routers. Below is the information:

this is our config
ip http access-class 10
ip http secure-server
ip http secure-trustpoint cginfra-CA

We have to monitor the certificate name on router cginfra-CA

certificate name "cginfra-CA"

Router IP: 10.1.210.248

[root@HO1-NAGIOSXI libexec]# ./check_http --version
check_http v2.3.3 (nagios-plugins 2.3.3)

It is working fine when we try to monitor our Nagios certificate.

[root@HO1-NAGIOSXI libexec]# /usr/local/nagios/libexec/check_http -I 10.1.0.220 -p 443 -C 10
SSL OK - Certificate '10.1.0.220' will expire in 3619 days on 2030-06-12 13:50 +0400/+04.
[root@HO1-NAGIOSXI libexec]#

When we are trying to monitor SSL certificate for router, we are getting below error:

[root@HO1-NAGIOSXI libexec]# /usr/local/nagios/libexec/check_http -I 10.1.210.248 -p 443 -C 10
CRITICAL - Cannot make SSL connection.
140630604601152:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
[root@HO1-NAGIOSXI libexec]#

I tried to google about this error and found few Nagios Topics as well, but I could not see any of them resolved.

Please help us on the same.
Thanks & Regards,
I2MP Team.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: SSL certificate monitoring

Post by scottwilkerson »

Can you show what happens when you add --sni?


/usr/local/nagios/libexec/check_http -I 10.1.210.248 -p 443 -C 10 --sni
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
rzietlow
Posts: 43
Joined: Mon Jul 02, 2018 9:25 am

Re: SSL certificate monitoring

Post by rzietlow »

SSL WARNING - Certificate '*<FOO>.com' expires in 9 day(s) (2020-07-24 07:00 -0500/CDT).
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: SSL certificate monitoring

Post by scottwilkerson »

rzietlow wrote: SSL WARNING - Certificate '*<FOO>.com' expires in 9 day(s) (2020-07-24 07:00 -0500/CDT).
that is your solution, you can add the --sni to the arguments.

Some newer servers require this setting
RIDS_I2MP
Posts: 751
Joined: Thu Mar 13, 2014 9:25 am

Re: SSL certificate monitoring

Post by RIDS_I2MP »

Hello,

Still getting the same error:

[root@HO1-NAGIOSXI libexec]# /usr/local/nagios/libexec/check_http -H 10.1.210.248 -p 443 -C 10 --sni
CRITICAL - Cannot make SSL connection.
140606817118016:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
Thanks & Regards,
I2MP Team.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: SSL certificate monitoring

Post by scottwilkerson »

scottwilkerson wrote: Can you show what happens when you add --sni?


/usr/local/nagios/libexec/check_http -I 10.1.210.248 -p 443 -C 10 --sni
rzietlow wrote: SSL WARNING - Certificate '*<FOO>.com' expires in 9 day(s) (2020-07-24 07:00 -0500/CDT).
I thought you said you got this?
RIDS_I2MP
Posts: 751
Joined: Thu Mar 13, 2014 9:25 am

Re: SSL certificate monitoring

Post by RIDS_I2MP »

Hello,

Below was posted by someone else:

rzietlow wrote:
SSL WARNING - Certificate '*<FOO>.com' expires in 9 day(s) (2020-07-24 07:00 -0500/CDT).


If I am using "I" for providing IP address of router, then getting below error:

[root@HO1-NAGIOSXI libexec]# /usr/local/nagios/libexec/check_http -I 10.1.210.248 -p 443 -C 10 --sni
check_http: Server name indication requires that a host name is defined with -H
Usage:
check_http -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]
[-J <client certificate file>] [-K <private key>]
[-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-E] [-U] [-a auth]
[-b proxy_auth] [-f <ok|warning|critical|follow|sticky|stickyport>]
[-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]
[-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]
[-A string] [-k string] [-S <version>] [--sni] [--verify-host]
[-C <warn_age>[,<crit_age>]] [-T <content-type>] [-j method]
[root@HO1-NAGIOSXI libexec]#



If I am using "H" as per above output, I am getting below error:

[root@HO1-NAGIOSXI libexec]# /usr/local/nagios/libexec/check_http -H 10.1.210.248 -p 443 -C 10 --sni
CRITICAL - Cannot make SSL connection.
140257455957824:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
[root@HO1-NAGIOSXI libexec]#


Note: --sni is not working for me.
Thanks & Regards,
I2MP Team.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: SSL certificate monitoring

Post by scottwilkerson »

Sorry, I didn't notice that it wasn't you that posted that response.

What is the hostname that this certificate is for?

Also, what do you get when running the following?:


curl -vvv "https://10.1.210.248"
RIDS_I2MP
Posts: 751
Joined: Thu Mar 13, 2014 9:25 am

Re: SSL certificate monitoring

Post by RIDS_I2MP »

Hello,

Below is the hostname for 10.1.210.248 :
AE-HO1-DMVPN-GW

Below is the output of the command you gave:
[root@HO1-NAGIOSXI libexec]# curl -vvv "https://10.1.210.248"
* Rebuilt URL to: https://10.1.210.248/
* Trying 10.1.210.248...
* TCP_NODELAY set
* Connected to 10.1.210.248 (10.1.210.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
[root@HO1-NAGIOSXI libexec]#
Thanks & Regards,
I2MP Team.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: SSL certificate monitoring

Post by scottwilkerson »

I'd like you to try a couple of different commands, as it appears your router doesn't support the SSL version it is trying.


/usr/local/nagios/libexec/check_http -H 10.1.210.248 -C 10 --ssl=1+
/usr/local/nagios/libexec/check_http -H 10.1.210.248 -C 10 --ssl=2+
/usr/local/nagios/libexec/check_http -H 10.1.210.248 -C 10 --ssl=3+
/usr/local/nagios/libexec/check_http -H 10.1.210.248 -C 10 --ssl=1.1+
/usr/local/nagios/libexec/check_http -H 10.1.210.248 -C 10 --ssl=1.2+
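The "SSL alert number 40" in the errors above is the TLS handshake_failure alert: the router rejected the ClientHello outright, which is what happens when client and server share no protocol version or cipher suite, and it is why the per-version check_http runs are the sensible next step. The script below is an added example (not from the thread, not part of nagios-plugins or Nagios XI) that does the same diagnosis from the monitoring host with Python's standard library: it handshakes with exactly one TLS version at a time, reports the alert when a version is refused, and on success reads the certificate's notAfter directly from the DER so that expiry can be measured even when the device certificate is self-signed. Names such as probe, cert_not_after and days_remaining are this example's own, the router IP defaults to the one in the thread, and the sample error line is a constructed copy of the one quoted above. Verification is deliberately off because, like check_http -C, the goal is expiry only, not trust; a check that must also validate the chain would load the cginfra-CA certificate instead.

```python
"""Probe a TLS endpoint one protocol version at a time and read the
certificate's notAfter without requiring the certificate to be trusted."""
import datetime
import re
import socket
import ssl

# Constructed copy of the OpenSSL error line quoted in the thread (sample input)
SAMPLE_ERROR = ("140630604601152:error:14094410:SSL routines:ssl3_read_bytes:"
                "sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:"
                "SSL alert number 40")

# Subset of the TLS alert descriptions from RFC 5246 section 7.2
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate",
              48: "unknown_ca", 70: "protocol_version", 80: "internal_error"}


def parse_alert_number(text):
    """Return (number, name) for 'SSL alert number N' in an OpenSSL error, else None."""
    m = re.search(r"SSL alert number (\d+)", text)
    if not m:
        return None
    n = int(m.group(1))
    return n, TLS_ALERTS.get(n, "unknown")


def der_tlv(tag, body):
    """Encode one DER TLV (used to build test certificates; lengths < 65536)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, body_start, body_end, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, start, start + length, start + length


def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as UTC."""
    _, tbs_start, _, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, pos, _, _ = read_tlv(der, tbs_start)        # tbsCertificate SEQUENCE
    tag, _, _, nxt = read_tlv(der, pos)
    if tag == 0xA0:                                # optional explicit [0] version
        pos = nxt
    for _ in range(3):                             # serialNumber, signature, issuer
        _, _, _, pos = read_tlv(der, pos)
    _, vstart, _, _ = read_tlv(der, pos)           # validity SEQUENCE
    _, _, _, pos = read_tlv(der, vstart)           # notBefore (skipped)
    tag, tstart, tend, _ = read_tlv(der, pos)      # notAfter
    text = der[tstart:tend].decode("ascii")
    if tag == 0x17:                                # UTCTime YYMMDDHHMMSSZ (2-digit year)
        text = ("20" if int(text[:2]) < 50 else "19") + text
    elif tag != 0x18:                              # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(
        tzinfo=datetime.timezone.utc)


def days_remaining(not_after, now=None):
    """Whole days until notAfter, the number check_http -C compares against."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return (not_after - now).days


def probe(host, port=443, version=ssl.TLSVersion.TLSv1_2, sni=None, timeout=5.0):
    """Handshake with exactly one TLS version. Verification is off on purpose:
    like check_http -C we only want expiry, and device certs are often self-signed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = version
    except ValueError as exc:                      # local OpenSSL built without it
        return {"ok": False, "error": str(exc), "alert": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                der = tls.getpeercert(binary_form=True)
                return {"ok": True, "version": tls.version(),
                        "days_left": days_remaining(cert_not_after(der))}
    except ssl.SSLError as exc:
        return {"ok": False, "error": str(exc), "alert": parse_alert_number(str(exc))}
    except OSError as exc:
        return {"ok": False, "error": str(exc), "alert": None}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.1.210.248"  # router IP from the thread
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
              ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(v.name, probe(target, version=v))
```

Run it as `python3 probe_tls.py 10.1.210.248` from the Nagios host. A version that the router accepts prints `ok: True` with the negotiated version and the days left; a version it refuses prints the alert number and name, and a version the local OpenSSL itself no longer offers (CentOS 8's system crypto policy restricts old protocols) shows up as a local error rather than an alert, which separates "router too old" from "monitoring host too strict" before any check_http flags are changed.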