check_http > CRITICAL - Cannot make SSL connection.

This forum is intended for the discussion of Nagios plugin development. Feature requests, patches, bug fixes, and all types of development-related discussions are welcome!

NOTE: The SourceForge.net nagiosplug-devel mailing list has been deprecated in favor of this forum in order to expedite support and provide additional features not available on the old mailing list.

check_http > CRITICAL - Cannot make SSL connection.

Postby Petr M. » Tue Apr 17, 2018 4:25 am

Hello,
today I upgraded Nagios check_http plugin from version v2.1.4 to v2.2.1 and now I´am not able to check one of my https sites.
The result from v2.1.4 is:
./check_http -H websiteurl -S -e 401
HTTP OK: Status line output matched "401" - 1891 bytes in 0.270 second response time |time=0.270459s;;;0.000000 size=1891B;;;0

and with version v2.2.1:
./check_http -H websiteurl -S -e 401
CRITICAL - Cannot make SSL connection.

the command with --vv:
./check_http -H websiteurl -S -e 401 -vv
CRITICAL - Cannot make SSL connection.
SSL initialized

Nagios Core running on latest Debian with openssl 1.1.0f-3+deb9u2.

Thanks for you help, Regards,
Petr
Petr M.
 
Posts: 26
Joined: Sat Oct 10, 2015 1:24 pm

Re: check_http > CRITICAL - Cannot make SSL connection.

Postby scottwilkerson » Tue Apr 17, 2018 8:15 am

when you put websiteurl can you be more specific

is it host.domain.com or
https://host.domain.com or
https://host.domain.com/path/to/page or
https://host.domain.com:customport/path/to/page
User avatar
scottwilkerson
CTO
 
Posts: 8921
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: check_http > CRITICAL - Cannot make SSL connection.

Postby Petr M. » Tue Apr 17, 2018 8:26 am

Hello,
this is internal web site with certificate issued by local CA. The certificate is SHA1.

I use this command with my own domain:
./check_http -H eusupport.xxxx.com -S -u /CAisd/pdmweb.exe -e 401

I have more internal sites which used SSL certificate from trusted external CA and there is no problem.
Petr M.
 
Posts: 26
Joined: Sat Oct 10, 2015 1:24 pm

Re: check_http > CRITICAL - Cannot make SSL connection.

Postby scottwilkerson » Tue Apr 17, 2018 8:55 am

you may need to add --sni
Code: Select all
--sni
    Enable SSL/TLS hostname extension support (SNI)


Otherwise I'm not sure what it could be, I just tested with our live server and get expected output
Code: Select all
./check_http -H assets.nagios.com -S -u /downloads/nagios-log-server/2/virtualpc/ -e 403
User avatar
scottwilkerson
CTO
 
Posts: 8921
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: check_http > CRITICAL - Cannot make SSL connection.

Postby Petr M. » Tue Apr 17, 2018 9:07 am

with --sni I received the same result.

./check_http -H eusupport.xxxxx.com -S -u /CAisd/pdmweb.exe -e 401 --sni
CRITICAL - Cannot make SSL connection.

There must be some change between version 2.1.4 and 2.2.1. With 2.1.4 there is no issue. I don´t know what differences are there.
As I wrote, the problem is only with one of my internal servers. Other server are OK.
Petr M.
 
Posts: 26
Joined: Sat Oct 10, 2015 1:24 pm

Re: check_http > CRITICAL - Cannot make SSL connection.

Postby scottwilkerson » Tue Apr 17, 2018 9:31 am

Do the internal server force a specific SSL type, you can specify that
Code: Select all
-S, --ssl=VERSION[+]
    Connect via SSL. Port defaults to 443. VERSION is optional, and prevents
    auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,
    1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted.


or specific keys
Code: Select all
-J, --client-cert=FILE
   Name of file that contains the client certificate (PEM format)
   to be used in establishing the SSL session
-K, --private-key=FILE
   Name of file containing the private key (PEM format)
   matching the client certificate
User avatar
scottwilkerson
CTO
 
Posts: 8921
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: check_http > CRITICAL - Cannot make SSL connection.

Postby Petr M. » Tue Apr 17, 2018 9:41 am

I tried the command with S1, S1.1 and 1.2
./check_http -H eusupport.xxxxxx.com -S1 -u /CAisd/pdmweb.exe -e 401

with the same result:
CRITICAL - Cannot make SSL connection.

with S2 and S3 I receive:
UNKNOWN - SSL protocol version 3 is not supported by your SSL library.
Petr M.
 
Posts: 26
Joined: Sat Oct 10, 2015 1:24 pm

Re: check_http > CRITICAL - Cannot make SSL connection.

Postby scottwilkerson » Tue Apr 17, 2018 10:00 am

I did see another thread with similar issue and it was the ssl package on the nagios server

viewtopic.php?f=6&t=43852
User avatar
scottwilkerson
CTO
 
Posts: 8921
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: check_http > CRITICAL - Cannot make SSL connection.

Postby Petr M. » Tue Apr 17, 2018 10:09 am

I already found this topic but it dies not help me. I already have installed latest version of openssl and libssl-dev and check_http was compiled with these versions but the problem is still there.
Petr M.
 
Posts: 26
Joined: Sat Oct 10, 2015 1:24 pm

Re: check_http > CRITICAL - Cannot make SSL connection.

Postby scottwilkerson » Wed Apr 18, 2018 9:59 am

I'm sorry, currently I am really out of ideas what could be causing the issue and am unable to replicate it.

I will leave the thread open in case another community member has seen the same behavior.
User avatar
scottwilkerson
CTO
 
Posts: 8921
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Next

Return to Nagios Plugin Development

Who is online

Users browsing this forum: No registered users and 2 guests