SSL certificate monitoring
Hi Team,
OS version: CentOS 8
Nagios XI version: 5.7.1
We want to monitor the SSL certificate for our routers. Below is the information:
This is our config:
ip http access-class 10
ip http secure-server
ip http secure-trustpoint cginfra-CA
We have to monitor the certificate name on router cginfra-CA
certificate name "cginfra-CA"
Router IP: 10.1.210.248
[root@HO1-NAGIOSXI libexec]# ./check_http --version
check_http v2.3.3 (nagios-plugins 2.3.3)
It is working fine when we try to monitor our Nagios certificate.
[root@HO1-NAGIOSXI libexec]# /usr/local/nagios/libexec/check_http -I 10.1.0.220 -p 443 -C 10
SSL OK - Certificate '10.1.0.220' will expire in 3619 days on 2030-06-12 13:50 +0400/+04.
[root@HO1-NAGIOSXI libexec]#
When we try to monitor the SSL certificate for the router, we get the error below:
[root@HO1-NAGIOSXI libexec]# /usr/local/nagios/libexec/check_http -I 10.1.210.248 -p 443 -C 10
CRITICAL - Cannot make SSL connection.
140630604601152:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.cSSL alert number 40
[root@HO1-NAGIOSXI libexec]#
I tried to Google this error and found a few Nagios topics as well, but I could not see any of them resolved.
Please help us on the same.
Thanks & Regards,
I2MP Team.
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
Re: SSL certificate monitoring
Can you show what happens when you add --sni
Code:
/usr/local/nagios/libexec/check_http -I 10.1.210.248 -p 443 -C 10 --sni
Re: SSL certificate monitoring
SSL WARNING - Certificate '*<FOO>.com' expires in 9 day(s) (2020-07-24 07:00 -0500/CDT).
Re: SSL certificate monitoring
rzietlow wrote:
SSL WARNING - Certificate '*<FOO>.com' expires in 9 day(s) (2020-07-24 07:00 -0500/CDT).
That is your solution, you can add the --sni to the arguments.
Some newer servers require this setting.
Re: SSL certificate monitoring
Hello,
Still getting the same error:
[root@HO1-NAGIOSXI libexec]# /usr/local/nagios/libexec/check_http -H 10.1.210.248 -p 443 -C 10 --sni
CRITICAL - Cannot make SSL connection.
140606817118016:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.cSSL alert number 40
Thanks & Regards,
I2MP Team.
Re: SSL certificate monitoring
scottwilkerson wrote:
Can you show what happens when you add --sni
Code:
/usr/local/nagios/libexec/check_http -I 10.1.210.248 -p 443 -C 10 --sni
rzietlow wrote:
SSL WARNING - Certificate '*<FOO>.com' expires in 9 day(s) (2020-07-24 07:00 -0500/CDT).
I thought you said you got this?
Re: SSL certificate monitoring
Hello,
Below was posted by someone else:
rzietlow wrote:
SSL WARNING - Certificate '*<FOO>.com' expires in 9 day(s) (2020-07-24 07:00 -0500/CDT).
If I use -I to provide the IP address of the router, I get the error below:
[root@HO1-NAGIOSXI libexec]# /usr/local/nagios/libexec/check_http -I 10.1.210.248 -p 443 -C 10 --sni
check_http: Server name indication requires that a host name is defined with -H
Usage:
check_http -H <vhost> | -I <IP-address> [-u <uri>] [-p <port>]
[-J <client certificate file>] [-K <private key>]
[-w <warn time>] [-c <critical time>] [-t <timeout>] [-L] [-E] [-U] [-a auth]
[-b proxy_auth] [-f <ok|warning|critical|follow|sticky|stickyport>]
[-e <expect>] [-d string] [-s string] [-l] [-r <regex> | -R <case-insensitive regex>]
[-P string] [-m <min_pg_size>:<max_pg_size>] [-4|-6] [-N] [-M <age>]
[-A string] [-k string] [-S <version>] [--sni] [--verify-host]
[-C <warn_age>[,<crit_age>]] [-T <content-type>] [-j method]
[root@HO1-NAGIOSXI libexec]#
If I use -H as per the above output, I get the error below:
[root@HO1-NAGIOSXI libexec]# /usr/local/nagios/libexec/check_http -H 10.1.210.248 -p 443 -C 10 --sni
CRITICAL - Cannot make SSL connection.
140257455957824:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.cSSL alert number 40
[root@HO1-NAGIOSXI libexec]#
Note: --sni is not working for me.
Thanks & Regards,
I2MP Team.
Re: SSL certificate monitoring
Sorry, I didn't notice that it wasn't you that posted that response.
What is the hostname that this certificate is for?
Also, what do you get when running the following?:
Code:
curl -vvv "https://10.1.210.248"
Re: SSL certificate monitoring
Hello,
Below is the hostname for 10.1.210.248:
AE-HO1-DMVPN-GW
Below is the output of the command you gave:
[root@HO1-NAGIOSXI libexec]# curl -vvv "https://10.1.210.248"
* Rebuilt URL to: https://10.1.210.248/
* Trying 10.1.210.248...
* TCP_NODELAY set
* Connected to 10.1.210.248 (10.1.210.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
[root@HO1-NAGIOSXI libexec]#
Thanks & Regards,
I2MP Team.
Re: SSL certificate monitoring
I'd like you to try a couple different commands as it appears your router doesn't support the SSL version it is trying
Code:
/usr/local/nagios/libexec/check_http -H 10.1.210.248 -C 10 --ssl=1+
/usr/local/nagios/libexec/check_http -H 10.1.210.248 -C 10 --ssl=2+
/usr/local/nagios/libexec/check_http -H 10.1.210.248 -C 10 --ssl=3+
/usr/local/nagios/libexec/check_http -H 10.1.210.248 -C 10 --ssl=1.1+
/usr/local/nagios/libexec/check_http -H 10.1.210.248 -C 10 --ssl=1.2+
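The suggestion above comes down to finding a protocol version the router will speak. TLS alert 40 (handshake_failure) after a successful TCP connect means the server rejected the ClientHello outright, almost always because it shares no protocol version or cipher suite with the client's OpenSSL; it is not a certificate problem, which is why --sni made no difference. The Python script below is an added example written for this thread and is not part of check_http, Nagios XI or Cisco IOS. It probes each TLS version on its own (the same idea as the --ssl=VERSION loop above), turns the OpenSSL error text into an actionable message, and reports expiry with the -C warn[,crit] semantics. Unlike check_http -C it verifies the chain against a CA file you supply, which for a router would be the trustpoint CA exported as PEM; the CA path, the sample notAfter strings and the utc() helper are constructed for the example.

```python
"""Probe TLS versions and report certificate expiry, Nagios-style.

Added example for this forum thread; not check_http or Nagios code.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed sample inputs: the notAfter format ssl.getpeercert() returns,
# and the OpenSSL error text quoted in the thread.
SAMPLE_NOT_AFTER = "Jun 12 09:50:00 2030 GMT"
SAMPLE_ERROR = ("error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert "
                "handshake failure:ssl/record/rec_layer_s3.c SSL alert number 40")


def utc(year, month, day, hour=0, minute=0):
    """Helper for the tests: build an aware UTC datetime."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def cert_status(not_after, warn_days, crit_days=0, now=None):
    """Map a certificate's notAfter to (state, message) like check_http -C warn[,crit]."""
    now = now or datetime.now(timezone.utc)
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    days_left = (expiry - now).days
    when = expiry.strftime("%Y-%m-%d %H:%M UTC")
    if expiry <= now:
        return CRITICAL, f"CRITICAL - Certificate expired on {when}"
    if days_left < crit_days:
        return CRITICAL, f"CRITICAL - Certificate expires in {days_left} day(s) ({when})"
    if days_left < warn_days:
        return WARNING, f"WARNING - Certificate expires in {days_left} day(s) ({when})"
    return OK, f"OK - Certificate expires in {days_left} day(s) ({when})"


def describe_handshake_error(err_text):
    """Translate OpenSSL's error text into a message an operator can act on."""
    text = err_text.lower()
    if "handshake failure" in text or "alert number 40" in text:
        return ("CRITICAL - TLS handshake failure (alert 40): the server accepted the TCP "
                "connection but rejected the ClientHello; it shares no protocol version "
                "or cipher suite with this client. Probe versions or pin one with --ssl=.")
    if "unrecognized name" in text:
        return "CRITICAL - server rejected the SNI name; check the -H value"
    if "certificate verify failed" in text:
        return "CRITICAL - certificate chain is not trusted by the monitoring host"
    return f"CRITICAL - Cannot make SSL connection: {err_text}"


def probe_tls_versions(host, port=443, server_hostname=None, timeout=5.0):
    """Try each TLS version alone; return {version_name: result text}."""
    results = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False   # a version probe, not a trust decision
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except (ssl.SSLError, ValueError) as exc:
            results[version.name] = f"not available on this host: {exc}"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
                    results[version.name] = f"ok ({tls.version()}, {tls.cipher()[0]})"
        except ssl.SSLError as exc:
            results[version.name] = describe_handshake_error(str(exc))
        except OSError as exc:
            results[version.name] = f"connection error: {exc}"
    return results


def check_cert_expiry(host, port=443, warn_days=30, crit_days=0, cafile=None,
                      server_hostname=None, min_version=ssl.TLSVersion.TLSv1_2, timeout=5.0):
    """Connect, verify the chain against cafile, and return (state, message)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = min_version
    # Routers are usually polled by IP while the cert names the hostname; the
    # chain is still verified, only the name match is skipped.
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_hostname or host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLError as exc:
        return CRITICAL, describe_handshake_error(str(exc))
    except OSError as exc:
        return CRITICAL, f"CRITICAL - Cannot connect to {host}:{port}: {exc}"
    return cert_status(not_after, warn_days, crit_days)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: tls_cert_check.py HOST [CAFILE]   (CAFILE: trustpoint CA as PEM)")
        sys.exit(UNKNOWN)
    target, ca = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else None)
    for name, result in probe_tls_versions(target).items():
        print(f"{name:8s} {result}")
    state, message = check_cert_expiry(target, warn_days=10, cafile=ca)
    print(message)
    sys.exit(state)
```

Run it as `python tls_cert_check.py 10.1.210.248 /path/to/cginfra-CA.pem` from the Nagios host: the probe table shows which versions the router answers, and the exit code follows Nagios conventions so the same script can be wired in as a plugin once a working version is known. Forcing TLS 1.0 or 1.1 with SECLEVEL=0 is there for diagnosis only; if that is the only version the router accepts, the fix belongs on the router (enable TLS 1.2 in IOS), not in the monitoring check.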