Cannot make SSL connection

jkinning
Posts: 747
Joined: Wed Oct 09, 2013 2:54 pm

Post by jkinning »

I am trying to set up a site in Nagios XI for a Business Unit and keep running into issues. I am testing all these checks by running them on the Nagios XI server.

Code:

./check_http -H <site_name> -f ok 
HTTP OK: HTTP/1.1 302 Found - 534 bytes in 0.003 second response time |time=0.002892s;;;0.000000 size=534B;;;0

Code:

./check_http -H <site_name> -f follow 
CRITICAL - Cannot make SSL connection.

Code:

./check_http -H <site_name> -f ok -I <IP address of site>
HTTP OK: HTTP/1.1 302 Found - 534 bytes in 0.002 second response time |time=0.001964s;;;0.000000 size=534B;;;0
I know there is a redirect somewhere so I was going to use the follow as I have in previous site checks but this is the first I've encountered Cannot make SSL connection. I looked for other solutions in this forum but everything I thought was relevant and tried still didn't work.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Cannot make SSL connection

Post by ssax »

If you add the -v option on the end of it what does it show you?

Code:

./check_http -H <site_name> -f follow -v
jkinning
Posts: 747
Joined: Wed Oct 09, 2013 2:54 pm

Re: Cannot make SSL connection

Post by jkinning »

Code:

./check_http -H <sitename> -f follow -v
GET / HTTP/1.1
User-Agent: check_http/v2.0.3 (nagios-plugins 2.0.3)
Connection: close
Host: <sitename>
Accept: */*


http://<sitename>:80/ is 534 characters
STATUS: HTTP/1.1 302 Found
**** HEADER ****
Date: Fri, 31 Jul 2015 17:36:51 GMT
Server: Apache/2.2.15 (CentOS)
Location: https://<sitename>/
Content-Length: 311
Connection: close
Content-Type: text/html; charset=iso-8859-1
**** CONTENT ****
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://<sitename>/">here</a>.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at <sitename> Port 80</address>
</body></html>

Redirection to https://<sitename>:443/
GET / HTTP/1.1
User-Agent: check_http/v2.0.3 (nagios-plugins 2.0.3)
Connection: close
Host: <sitename>
Accept: */*


https://<sitename>:443/ is 675 characters
STATUS: HTTP/1.1 302 Moved Temporarily
**** HEADER ****
Date: Fri, 31 Jul 2015 17:36:51 GMT
Set-Cookie: JSESSIONID=FD738ACA66B546EBC9A3C63840639534; Path=/; Secure; HttpOnly
Set-Cookie: localeid=en_US_default; Expires=Fri, 29-Jul-2022 17:36:51 GMT; Path=/; Secure
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-UA-Compatible: IE=edge
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache, must-revalidate
ETag: org.apache.catalina.session.StandardSessionFacade@e528041438364211000
Last-Modified: Fri, 31 Jul 2015 17:36:51 GMT
Pragma: no-cache
Location: https://<sitename>/fulfillment/ssolandingpage
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8
**** CONTENT ****

Redirection to https://<sitename>:443/fulfillment/ssolandingpage
GET /fulfillment/ssolandingpage HTTP/1.1
User-Agent: check_http/v2.0.3 (nagios-plugins 2.0.3)
Connection: close
Host: <sitename>
Accept: */*


https://<sitename>:443/fulfillment/ssolandingpage is 1689 characters
STATUS: HTTP/1.1 302 Found
**** HEADER ****
Date: Fri, 31 Jul 2015 17:36:51 GMT
Expires: Wed, 01 Jan 1997 12:00:00 GMT
Cache-Control: private,no-store,no-cache,max-age=0
Location: https://idp.ws.wsfgrp.net/adfs/ls/?SAMLRequest=jZJLT8MwEIT%2FSuR74zzUprWaSKE9UKlARAMHLshxncbCsY3XofDvSRoe5VJx3tmZ2U%2B7BNpKQ%2FLONeqev3YcnPfeSgXkNEhRZxXRFAQQRVsOxDGyy2%2B2JPIDYqx2mmmJvByAWye0WmkFXcvtjts3wfjD%2FTZFjXMGCMYttS%2FcGUkZ96kx%2FhHqgzW%2B4g7vGlFVWnLX%2BAAaDwkRLu52JfLWfSWh6GD%2BayX2w%2Fq5A93XgCVg5G3WKXrmAQ3ns3lQ1fNpXYdJGLOKsQWLFkGdVFXcywA6vlHgqHIpioJwOgmSSRyWYULiGZmGT8grvg68Emov1OEyjWoUAbkuy2Iyln%2FkFk7FewHKlgNTcgq2Z5Qv29JvtCj7B0j4AbnEZ2ljtCG3vf1mXWgp2IeXS6mPK8up4ykKEc7Glb%2FfkH0C&RelayState=ss%3Amem%3Aaa7d04cb1cf469cee56610628a1312ddbff41ec99cdce921ce9822426fefdf1e
Content-Length: 861
Connection: close
Content-Type: text/html; charset=iso-8859-1
**** CONTENT ****
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://<adfs_server>/adfs/ls/?SAMLRequest=jZJLT8MwEIT%2FSuR74zzUprWaSKE9UKlARAMHLshxncbCsY3XofDvSRoe5VJx3tmZ2U%2B7BNpKQ%2FLONeqev3YcnPfeSgXkNEhRZxXRFAQQRVsOxDGyy2%2B2JPIDYqx2mmmJvByAWye0WmkFXcvtjts3wfjD%2FTZFjXMGCMYttS%2FcGUkZ96kx%2FhHqgzW%2B4g7vGlFVWnLX%2BAAaDwkRLu52JfLWfSWh6GD%2BayX2w%2Fq5A93XgCVg5G3WKXrmAQ3ns3lQ1fNpXYdJGLOKsQWLFkGdVFXcywA6vlHgqHIpioJwOgmSSRyWYULiGZmGT8grvg68Emov1OEyjWoUAbkuy2Iyln%2FkFk7FewHKlgNTcgq2Z5Qv29JvtCj7B0j4AbnEZ2ljtCG3vf1mXWgp2IeXS6mPK8up4ykKEc7Glb%2FfkH0C&RelayState=ss%3Amem%3Aaa7d04cb1cf469cee56610628a1312ddbff41ec99cdce921ce9822426fefdf1e">here</a>.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at <sitename> Port 443</address>
</body></html>

Redirection to https://<adfs_server>:443/adfs/ls/?SAMLRequest=jZJLT8MwEIT%2FSuR74zzUprWaSKE9UKlARAMHLshxncbCsY3XofDvSRoe5VJx3tmZ2U%2B7BNpKQ%2FLONeqev3YcnPfeSgXkNEhRZxXRFAQQRVsOxDGyy2%2B2JPIDYqx2mmmJvByAWye0WmkFXcvtjts3wfjD%2FTZFjXMGCMYttS%2FcGUkZ96kx%2FhHqgzW%2B4g7vGlFVWnLX%2BAAaDwkRLu52JfLWfSWh6GD%2BayX2w%2Fq5A93XgCVg5G3WKXrmAQ3ns3lQ1fNpXYdJGLOKsQWLFkGdVFXcywA6vlHgqHIpioJwOgmSSRyWYULiGZmGT8grvg68Emov1OEyjWoUAbkuy2Iyln%2FkFk7FewHKlgNTcgq2Z5Qv29JvtCj7B0j4AbnEZ2ljtCG3vf1mXWgp2IeXS6mPK8up4ykKEc7Glb%2FfkH0C&RelayState=ss%3Amem%3Aaa7d04cb1cf469cee56610628a1312ddbff41ec99cdce921ce9822426fefdf1e
CRITICAL - Cannot make SSL connection.
tgriep
Madmin
Posts: 9190
Joined: Thu Oct 30, 2014 9:02 am

Re: Cannot make SSL connection

Post by tgriep »

I have had customers in the past who had to specify the SSL versions and use IPv4. Try that and see if that helps.

Code:

 -4, --use-ipv4
 -S, --ssl=VERSION
    Connect via SSL. Port defaults to 443. VERSION is optional, and prevents
    auto-negotiation (1 = TLSv1, 2 = SSLv2, 3 = SSLv3).
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Cannot make SSL connection

Post by tmcdonald »

Also, can you tell us a bit about the route from Nagios to the remote host? It looks like in addition to SSL you might have some SSO portal in the way that could be affecting results.
Former Nagios employee
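
To see which host in the redirect chain is refusing the handshake (the monitored site or the SSO portal), each HTTPS hop printed by `-v` can be probed on its own. This is an added example, not part of the original thread; `redirect_hops`, `probe_tls`, `probe_chain` and the `example.test` hosts are hypothetical names, and it assumes `openssl` is installed on the Nagios XI server.

```shell
#!/bin/sh
# Added example: locate the HTTPS hop in a check_http redirect chain that
# fails its TLS handshake. Host names below are constructed placeholders.

# Read `check_http -v` output on stdin; print each distinct HTTPS hop as host:port.
redirect_hops() {
  sed -n 's#^Redirection to https://\([^/:]*\):\{0,1\}\([0-9]*\).*#\1:\2#p' |
    awk -F: '{ port = ($2 == "") ? 443 : $2
               hop = $1 ":" port
               if (!(hop in seen)) { seen[hop] = 1; print hop } }'
}

# Try one handshake to host:port, sending the host name as SNI (an assumption
# of this example). Prints OK or FAIL for the hop; returns 1 on failure.
probe_tls() {
  target=$1
  sni=${1%%:*}
  if out=$(openssl s_client -connect "$target" -servername "$sni" </dev/null 2>&1) &&
     ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    echo "OK   $target"
  else
    echo "FAIL $target"
    return 1
  fi
}

# Probe every hop found in the verbose output on stdin; non-zero if any hop fails.
probe_chain() {
  rc=0
  for hop in $(redirect_hops); do
    probe_tls "$hop" || rc=1
  done
  return "$rc"
}

# Constructed sample shaped like the "Redirection to" lines in the thread.
SAMPLE_VERBOSE='Redirection to https://app.example.test:443/
STATUS: HTTP/1.1 302 Moved Temporarily
Redirection to https://app.example.test:443/fulfillment/ssolandingpage
Redirection to https://sso.example.test:443/adfs/ls/?SAMLRequest=constructed'

# Usage: ./check_http -H <site_name> -f follow -v | probe_chain
```

A hop reported as FAIL is the one to test further with the `-S` and `-4` options, run directly against that host.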
jkinning
Posts: 747
Joined: Wed Oct 09, 2013 2:54 pm

Re: Cannot make SSL connection

Post by jkinning »

I did find out there is an ADFS server used in between for SSO. So when you hit the site it calls the ADFS server for SSO.

Code:

http://<sitename> redirects to
https://<adfs_server>/adfs/ls/?SAMLRequest=jZJPU4MwEMW%2FCpN7CVBbaaYwg%2B3BzlTtCHrw4gRYSsaQYDZY%2FfZC8U%2B9dLzsZd%2B%2B9%2FKbLJE3smVJZ2t1D68doHXeG6mQHRcR6YximqNApngDyGzB0uRmywLXY63RVhdaEidBBGOFViutsGvApGDeRAEP99uI1Na2yChtuHkB20pegMvb1j1gtTetq8DStBZ5riXY2kXUdEgI6O4uzYiz7isJxQfzXytRDuenDryskEqkxNmsI%2FKch0Ewy4MSymoR5OUlFPNy0Y%2BFP63meRj2MsQONgotVzYigefPJl448aaZf8H8GfODJ%2BLsvh54JVQp1P48jXwUIbvOst1kLP8IBo%2FFewGJlwNTdgw2J5TP2%2FJvtCT%2BB0j8AbmkJ2ljdMtue%2FvNeqelKD6cREp9WBngFiLiExqPJ39%2FQ%2FwJ&RelayState=ss%3Amem%3Abb88cd7f1063107a3613910cd13fd42124de000028d815887bc3663675c0410e 
which then produces the page I am trying to monitor.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: Cannot make SSL connection

Post by ssax »

Did you try it with the SSL option?

Code:

./check_http -H <site_name> -f follow -S
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Cannot make SSL connection

Post by tmcdonald »

When you say it produces the page, do you mean it generates the page itself? Or it displays it in an iframe or otherwise grabs the content? I am thinking there might also be a mismatch between the SSL cert that is expected and what might be given by the SSO portal.

Also, can you try using -I instead of -H in your check?
Former Nagios employee
jkinning
Posts: 747
Joined: Wed Oct 09, 2013 2:54 pm

Re: Cannot make SSL connection

Post by jkinning »

ssax wrote: Did you try it with the SSL option?

Code:

./check_http -H <site_name> -f follow -S
I did and same result:

Code:

./check_http -I <sitename> -f follow -S
CRITICAL - Cannot make SSL connection.
jkinning
Posts: 747
Joined: Wed Oct 09, 2013 2:54 pm

Re: Cannot make SSL connection

Post by jkinning »

tmcdonald wrote: When you say it produces the page, do you mean it generates the page itself? Or it displays it in an iframe or otherwise grabs the content? I am thinking there might also be a mismatch between the SSL cert that is expected and what might be given by the SSO portal.

Also, can you try using -I instead of -H in your check?
It produces the page which once I figure out how to get Nagios to return a 200 I'll search for specific content on the page.

Code:

./check_http -I <IP Address> 
HTTP OK: HTTP/1.1 302 Found - 477 bytes in 0.001 second response time |time=0.001496s;;;0.000000 size=477B;;;0
./check_http -H <sitename> 
HTTP OK: HTTP/1.1 302 Found - 534 bytes in 0.003 second response time |time=0.002911s;;;0.000000 size=534B;;;0
./check_http -I <IP Address> -f follow -S
CRITICAL - Cannot make SSL connection.