check_http with -C option appears to check URL (2.2.1)
Posted: Tue Jul 18, 2017 2:11 am
With check_http in 2.2.1, compiled from source, when specifying the '-C ##' option to check a certificate expiration, it now appears to do an http request for content.
Relevant excerpt from the check_http man page:
With 2.1.4:
Gives:
On the same system, using the 2.2.1 of the plugin to run the same command:
Gives:
That HTTP OK portion shouldn't be there with the -C option specified (unless this has been changed and I missed it in the changelog? The closest I saw was the bit about not prematurely reporting success on the TLS cert validation)
Version info (source downloaded 2017-07-18):
In my specific case, access to the http content is restricted, so even though I just want to do a certificate expiration check, I'm getting a warning in nagios with the new version because of a 401 response.
IP/hostname/port redacted version of the two versions of the command I'm actually using:
(this exits with a 'warning' state, when up until 2.2.1, this would have exited with an 'OK' state which is what I expect).
And the same check (with hostname/port redacted) using the 2.1.4 version of check_http:
(exits with an 'ok' state)
Quick edit for system info: Systems tested with were running centos 6.9 x86_64 and centos 7.3.1611.
Relevant excerpt from the check_http man page:
Code: Select all
-C, --certificate=INTEGER[,INTEGER]
Minimum number of days a certificate has to be valid. Port defaults to 443
(when this option is used the URL is not checked.)
Code: Select all
check_http --ssl -C 21 -H google.com
Code: Select all
OK - Certificate '*.google.com' will expire on 2017-09-27 03:09 -0500/CDT.
Code: Select all
check_http --ssl -C 21 -H google.com
Code: Select all
SSL OK - Certificate '*.google.com' will expire on 2017-09-27 03:09 -0500/CDT. HTTP OK: HTTP/1.1 301 Moved Permanently - 615 bytes in 1.297 second response time |time=1.297264s;;;0.000000 size=615B;;;0
Version info (source downloaded 2017-07-18):
Code: Select all
./check_http --version
check_http v2.2.1 (nagios-plugins 2.2.1)
In my specific case, access to the http content is restricted, so even though I just want to do a certificate expiration check, I'm getting a warning in nagios with the new version because of a 401 response.
IP/hostname/port redacted version of the two versions of the command I'm actually using:
Code: Select all
./check_http --ssl -C 21 -I IPREDACTED -p PORTREDACTED
SSL OK - Certificate 'hostnameredacted.com' will expire on 2018-04-04 18:59 -0500/CDT. HTTP WARNING: HTTP/1.0 401 Access Denied - 40256 bytes in 0.280 second response time |time=0.279541s;;;0.000000 size=40256B;;;0
And the same check (with hostname/port redacted) using the 2.1.4 version of check_http:
Code: Select all
./check_http --ssl -C 21 -I IPREDACTED -p PORTREDACTED
OK - Certificate 'hostnameredacted.com' will expire on 2018-04-04 18:59 -0500/CDT.
Quick edit for system info: Systems tested with were running centos 6.9 x86_64 and centos 7.3.1611.