
check_http > CRITICAL - Cannot make SSL connection.

Posted: Tue Apr 17, 2018 4:25 am
by Petr M.
Hello,
Today I upgraded the Nagios check_http plugin from version v2.1.4 to v2.2.1 and now I am not able to check one of my https sites.
The result from v2.1.4 is:
./check_http -H websiteurl -S -e 401
HTTP OK: Status line output matched "401" - 1891 bytes in 0.270 second response time |time=0.270459s;;;0.000000 size=1891B;;;0

and with version v2.2.1:
./check_http -H websiteurl -S -e 401
CRITICAL - Cannot make SSL connection.

the command with --vv:
./check_http -H websiteurl -S -e 401 -vv
CRITICAL - Cannot make SSL connection.
SSL initialized

Nagios Core running on latest Debian with openssl 1.1.0f-3+deb9u2.

Thanks for your help. Regards,
Petr

Re: check_http > CRITICAL - Cannot make SSL connection.

Posted: Tue Apr 17, 2018 8:15 am
by scottwilkerson
When you put websiteurl, can you be more specific?

Is it host.domain.com or
https://host.domain.com or
https://host.domain.com/path/to/page or
https://host.domain.com:customport/path/to/page

Re: check_http > CRITICAL - Cannot make SSL connection.

Posted: Tue Apr 17, 2018 8:26 am
by Petr M.
Hello,
This is an internal web site with a certificate issued by a local CA. The certificate is SHA1.

I use this command with my own domain:
./check_http -H eusupport.xxxx.com -S -u /CAisd/pdmweb.exe -e 401

I have more internal sites which use SSL certificates from a trusted external CA and there is no problem.

Re: check_http > CRITICAL - Cannot make SSL connection.

Posted: Tue Apr 17, 2018 8:55 am
by scottwilkerson
You may need to add --sni

Code:

--sni
    Enable SSL/TLS hostname extension support (SNI)

Otherwise I'm not sure what it could be. I just tested with our live server and get the expected output

Code:

./check_http -H assets.nagios.com -S -u /downloads/nagios-log-server/2/virtualpc/ -e 403

Re: check_http > CRITICAL - Cannot make SSL connection.

Posted: Tue Apr 17, 2018 9:07 am
by Petr M.
With --sni I received the same result.

./check_http -H eusupport.xxxxx.com -S -u /CAisd/pdmweb.exe -e 401 --sni
CRITICAL - Cannot make SSL connection.

There must be some change between version 2.1.4 and 2.2.1. With 2.1.4 there is no issue. I don't know what the differences are.
As I wrote, the problem is only with one of my internal servers. Other servers are OK.

Re: check_http > CRITICAL - Cannot make SSL connection.

Posted: Tue Apr 17, 2018 9:31 am
by scottwilkerson
Does the internal server force a specific SSL type? You can specify that

Code:

-S, --ssl=VERSION[+]
    Connect via SSL. Port defaults to 443. VERSION is optional, and prevents
    auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,
    1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted.

or specific keys

Code:

-J, --client-cert=FILE
    Name of file that contains the client certificate (PEM format)
    to be used in establishing the SSL session
-K, --private-key=FILE
    Name of file containing the private key (PEM format)
    matching the client certificate

Re: check_http > CRITICAL - Cannot make SSL connection.

Posted: Tue Apr 17, 2018 9:41 am
by Petr M.
I tried the command with S1, S1.1 and 1.2:
./check_http -H eusupport.xxxxxx.com -S1 -u /CAisd/pdmweb.exe -e 401

With the same result:
CRITICAL - Cannot make SSL connection.

With S2 and S3 I receive:
UNKNOWN - SSL protocol version 3 is not supported by your SSL library.
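
An added example, not part of the thread and not the plugin's own code: a Python probe that applies the `-S VERSION[+]` rules quoted above and returns the OpenSSL error reason for each attempt, which the plugin's "Cannot make SSL connection" message does not include. The names `parse_ssl_spec` and `probe` and the `cafile` parameter (a local CA bundle) are assumptions made for this sketch.

```python
import socket
import ssl

# check_http's -S VERSION values mapped to Python's ssl.TLSVersion.
# "2" and "3" (SSLv2/SSLv3) are left out on purpose: the thread's
# UNKNOWN output shows the SSL library there rejecting them too.
_VERSIONS = {
    "1": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
}

def parse_ssl_spec(spec):
    """Translate a -S VERSION[+] value into a (minimum, maximum) pair."""
    if spec == "":  # plain -S: leave version negotiation to the library
        return ssl.TLSVersion.MINIMUM_SUPPORTED, ssl.TLSVersion.MAXIMUM_SUPPORTED
    plus = spec.endswith("+")
    name = spec[:-1] if plus else spec
    if name not in _VERSIONS:
        raise ValueError(f"SSL protocol version {name!r} is not supported")
    low = _VERSIONS[name]
    return low, (ssl.TLSVersion.MAXIMUM_SUPPORTED if plus else low)

def probe(host, spec="", port=443, cafile=None, timeout=10):
    """Attempt one handshake; return the negotiated version or the error."""
    # Verification stays on; cafile lets a locally issued chain validate.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version, ctx.maximum_version = parse_ssl_spec(spec)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:  # sends SNI
                return f"OK {tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError as exc:  # must precede OSError, its parent class
        return f"TLS error: {exc.reason or exc}"
    except OSError as exc:
        return f"TCP error: {exc}"

if __name__ == "__main__":
    import sys
    for spec in ("", "1", "1.1", "1.2", "1.2+"):
        print(f"-S{spec or ' (auto)'}: {probe(sys.argv[1], spec)}")
```

Run it with the host name as the only argument; each line pairs one `-S` setting with either the negotiated protocol and cipher or the reason the handshake failed.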

Re: check_http > CRITICAL - Cannot make SSL connection.

Posted: Tue Apr 17, 2018 10:00 am
by scottwilkerson
I did see another thread with a similar issue and it was the ssl package on the nagios server

https://support.nagios.com/forum/viewto ... =6&t=43852

Re: check_http > CRITICAL - Cannot make SSL connection.

Posted: Tue Apr 17, 2018 10:09 am
by Petr M.
I already found this topic but it does not help me. I have already installed the latest version of openssl and libssl-dev and check_http was compiled with these versions, but the problem is still there.

Re: check_http > CRITICAL - Cannot make SSL connection.

Posted: Wed Apr 18, 2018 9:59 am
by scottwilkerson
I'm sorry, currently I am really out of ideas what could be causing the issue and am unable to replicate it.

I will leave the thread open in case another community member has seen the same behavior.