I'm trying to set up a basic "check_http --ssl" check on a server with an unverifiable cert chain, and the check times out every time. I can successfully use "check_http --ssl" from this monitoring host to check other web servers, and also can use wget to pull down the first server's main page via HTTPS. It appears that check_http is timing out because it can't verify the certificate chain, despite the fact that some searches suggest that check_http doesn't do that kind of cert validation. But that's the only difference I can find between the servers that check_http --ssl succeeds on and the one it fails on. Any suggestions for how to proceed very much appreciated.
I'm running check_http v2.0.3.
check_http --ssl times out on server with unverifiable cert
-
thudthwacker
- Posts: 5
- Joined: Wed Sep 30, 2015 8:42 am
Re: check_http --ssl times out on server with unverifiable c
Can you run it with -v at the end of it, and post the output for us? This will add some debugging. Also, please post the output of curl https://websitehere.com -v (replace websitehere.com accordingly)
With this, we should be able to have a better look at what's going on with the verbosity.
Former Nagios Employee
-
thudthwacker
- Posts: 5
- Joined: Wed Sep 30, 2015 8:42 am
Re: check_http --ssl times out on server with unverifiable c
Sure thing:
Code:
[root@scan plugins]# ./check_http -v --ssl -t 20 -w 10 -c 15 -H vpn.mydomain.edu
GET / HTTP/1.1
User-Agent: check_http/v2.0.3 (nagios-plugins 2.0.3)
Connection: close
Host: vpn.mydomain.edu
Accept: */*
CRITICAL - Socket timeout after 20 seconds
[root@scan plugins]#
And, for the curl (note that I'm using "--insecure" due to the cert validity issue previously mentioned; some output mildly obfuscated):
Code:
[root@scan ~]# curl https://vpn.mydomain.edu -v --insecure
* About to connect() to vpn.mydomain.edu port 443 (#0)
* Trying x.y.z.q... connected
* Connected to vpn.mydomain.edu (x.y.z.q) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_RSA_WITH_RC4_128_SHA
* Server certificate:
* subject: OID.1.2.840.113549.1.9.2=...
* start date: Oct 10 00:00:00 2015 GMT
* expire date: Oct 09 23:59:59 2018 GMT
* common name: vpn.mydomain.edu
* issuer: ...
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.19.1 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: vpn.mydomain.edu
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: text/html
< Transfer-Encoding: chunked
< Cache-Control: no-cache
< Pragma: no-cache
< Connection: Keep-Alive
< Date: Fri, 08 Jul 2016 14:10:46 GMT
< Set-Cookie: tg=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
< Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
< Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
< Set-Cookie: webvpn_portal=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
< Set-Cookie: webvpnlogin=1; path=/; secure
< Set-Cookie: sdesktop=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
<
<html><script>document.location.replace("/+CSCOE+/logon.html")</script></html>
* Connection #0 to host vpn.mydomain.edu left intact
* Closing connection #0
[root@scan ~]#
Re: check_http --ssl times out on server with unverifiable c
I don't think check_http will fail due to an invalid cert. I just tested on my end, and it worked both ways. Still had to append the --insecure as you did to the curl as well. The only thing I could think is that it's attempting port 80; try appending -p 443 and see if that helps. Otherwise, I think it's the SSL version.
Do you know what versions of SSL your server supports on the web server? Also, what is the output of openssl s_client -connect vpn.mydomain.edu:443
Former Nagios Employee
-
thudthwacker
- Posts: 5
- Joined: Wed Sep 30, 2015 8:42 am
Re: check_http --ssl times out on server with unverifiable c
Hm. I tried setting the port explicitly (which I think I'd done before, but no harm in trying again) with no luck. For no reason in particular, I tried using -I [ip address] rather than -H [hostname], and now it works exactly as expected. Hostname resolution looks to be working fine (that is, I can resolve the host name on the scanning server and it's correct). No clue why -I works and -H doesn't.
On the other hand, this particular service might be retired in the relatively near future, so I'm perfectly content just to have something that works.
Thank you, again, for your time and assistance.
Re: check_http --ssl times out on server with unverifiable c
Weird, it may be a request thing for that IP. Anyways, glad to see it working!
Going to mark this one as resolved, but feel free to create a new thread if you have any questions in the future.
Former Nagios Employee
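The thread closes without identifying why -H timed out while -I worked. A connection made by name and one made by address can differ in which address is actually contacted and in whether a server name (SNI) is sent in the TLS handshake; the following added example, which is not code from the thread or from nagios-plugins, probes each resolved address with and without SNI and classifies the result. The function names and the 5-second default timeout are choices made for this example.

```python
import socket
import ssl

def resolve(host, port=443):
    """Return the distinct (family, address) pairs the resolver yields."""
    seen = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        entry = ("IPv6" if family == socket.AF_INET6 else "IPv4", sockaddr[0])
        if entry not in seen:
            seen.append(entry)
    return seen

def probe(address, port, server_name=None, timeout=5.0):
    """Attempt one TLS handshake and classify the outcome."""
    # Verification is off on purpose: the question here is reachability of a
    # host whose chain is known to be unverifiable, not trust in its cert.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((address, port), timeout=timeout)
    except socket.timeout:
        return "connect-timeout"
    except OSError as exc:
        return "connect-error: " + type(exc).__name__
    try:
        # server_name=None leaves the SNI extension out of the ClientHello
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return "ok: %s %s" % (tls.version(), tls.cipher()[0])
    except socket.timeout:
        return "handshake-timeout"
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return "handshake-error: " + type(exc).__name__
    finally:
        raw.close()

def compare(host, port=443, timeout=5.0):
    """Probe every resolved address with and without SNI."""
    rows = []
    for family, address in resolve(host, port):
        for sni in (host, None):
            rows.append((family, address, sni, probe(address, port, sni, timeout)))
    return rows

if __name__ == "__main__":
    import sys
    for row in compare(sys.argv[1]):  # e.g. the name given to check_http -H
        print("%-4s %-39s sni=%-24s %s" % row)
```

A row that times out for only one address, or only when sni is set, narrows the -H failure to that address or to how the server handles the server name.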