
check_http with -C option appears to check URL (2.2.1)

Posted: Tue Jul 18, 2017 2:11 am
by millisa
With check_http in 2.2.1, compiled from source, when specifying the '-C ##' option to check a certificate expiration, it now appears to do an HTTP request for content.

Relevant excerpt from the check_http man page:

Code:

 -C, --certificate=INTEGER[,INTEGER]
        Minimum number of days a certificate has to be valid. Port defaults to 443
        (when this option is used the URL is not checked.)

With 2.1.4:

Code:

check_http --ssl -C 21 -H google.com

Gives:

Code:

OK - Certificate '*.google.com' will expire on 2017-09-27 03:09 -0500/CDT.

On the same system, using the 2.2.1 of the plugin to run the same command:

Code:

check_http --ssl -C 21 -H google.com

Gives:

Code:

SSL OK - Certificate '*.google.com' will expire on 2017-09-27 03:09 -0500/CDT. HTTP OK: HTTP/1.1 301 Moved Permanently - 615 bytes in 1.297 second response time |time=1.297264s;;;0.000000 size=615B;;;0

That HTTP OK portion shouldn't be there with the -C option specified (unless this has been changed and I missed it in the changelog? The closest I saw was the bit about not prematurely reporting success on the TLS cert validation.)

Version info (source downloaded 2017-07-18):

Code:

./check_http --version
check_http v2.2.1 (nagios-plugins 2.2.1)

In my specific case, access to the HTTP content is restricted, so even though I just want to do a certificate expiration check, I'm getting a warning in Nagios with the new version because of a 401 response.

IP/hostname/port redacted version of the two versions of the command I'm actually using:

Code:

./check_http --ssl -C 21 -I IPREDACTED -p PORTREDACTED
SSL OK - Certificate 'hostnameredacted.com' will expire on 2018-04-04 18:59 -0500/CDT. HTTP WARNING: HTTP/1.0 401 Access Denied - 40256 bytes in 0.280 second response time |time=0.279541s;;;0.000000 size=40256B;;;0

(This exits with a 'warning' state, when up until 2.2.1, this would have exited with an 'OK' state, which is what I expect.)

And the same check (with hostname/port redacted) using the 2.1.4 version of check_http:

Code:

./check_http --ssl -C 21 -I IPREDACTED -p PORTREDACTED
OK - Certificate 'hostnameredacted.com' will expire on 2018-04-04 18:59 -0500/CDT.

(Exits with an 'ok' state.)

Quick edit for system info: Systems tested with were running CentOS 6.9 x86_64 and CentOS 7.3.1611.
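
A certificate-only expiry check that completes the TLS handshake and never sends an HTTP request, given here as an added example (not part of the original posts and not nagios-plugins code). The function names, the argument order and the threshold reading (warn when fewer than `warn_days` remain, critical when fewer than `crit_days` remain) are assumptions of this example.

```python
"""Handshake-only certificate expiry check with Nagios exit codes (added example)."""
import socket
import ssl
import sys
import time

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios plugin exit codes


def fetch_not_after(address, port=443, sni=None, timeout=10):
    """Complete a verified TLS handshake and return the leaf notAfter string.

    Nothing is written to the socket after the handshake, so a 401 or 301
    from the web application can never influence the result.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or address) as tls:
            return tls.getpeercert()["notAfter"]


def evaluate(not_after, warn_days, crit_days=0, now=None):
    """Return (state, message) for a notAfter such as 'Sep 27 08:09:00 2017 GMT'."""
    now = time.time() if now is None else now
    days_left = int((ssl.cert_time_to_seconds(not_after) - now) // 86400)
    if days_left < 0:
        return CRITICAL, f"CRITICAL - Certificate expired on {not_after}."
    if days_left < crit_days:
        state, label = CRITICAL, "CRITICAL"
    elif days_left < warn_days:
        state, label = WARNING, "WARNING"
    else:
        state, label = OK, "OK"
    return state, f"{label} - Certificate expires in {days_left} day(s) ({not_after})."


def main(argv):
    # Usage (hypothetical script name): cert_days.py ADDRESS PORT WARN_DAYS [SNI_NAME]
    address, port, warn = argv[1], int(argv[2]), int(argv[3])
    sni = argv[4] if len(argv) > 4 else None
    try:
        state, msg = evaluate(fetch_not_after(address, port, sni), warn)
    except ssl.SSLCertVerificationError as exc:
        state, msg = CRITICAL, f"CRITICAL - Certificate verification failed: {exc}"
    except OSError as exc:
        state, msg = UNKNOWN, f"UNKNOWN - TLS connection failed: {exc}"
    print(msg)
    return state


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

An already-expired or otherwise untrusted certificate fails verification during the handshake, so it is reported as CRITICAL through the exception path rather than through `evaluate`.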

Re: check_http with -C option appears to check URL (2.2.1)

Posted: Tue Jul 18, 2017 2:29 am
by millisa
And I just missed it when looking for another report on this. It looks like this is already reported in GitHub at "check_http: -C broken after update to 2.2.1" and "check_http: Breaking change to -C: Certificate check should not check URL".

Re: check_http with -C option appears to check URL (2.2.1)

Posted: Tue Jul 18, 2017 11:51 am
by tmcdonald
Thanks for the details! Mind if we close this since there is a report open?

Re: check_http with -C option appears to check URL (2.2.1)

Posted: Tue Jul 18, 2017 12:01 pm
by millisa
Go for it. One of the GitHub reports already says it's got a fix in 2.2.2, so I'll wait for it to drop.