check_http plugin returns different host-name

[tyrone.fain]

I am having issues with a Nagios Xi plugin.
Check_http plugin – when running, it returns a different hostname.
The certs reside in the same location, meaning multiple certs in on location.
The plugin works for some sites.
Nagios XI 5.2.9
Linux 3.13.0-85-generic #129-Ubuntu SMP Thu Mar 17 20:50:15 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Test check from the command line:

COMMAND: /usr/local/nagios/libexec/check_http -H stg.xxxx.net -C 15
OUTPUT: OK - Certificate 'dashboard.xxxx.net' will expire on Sat 20 May 2017 11:02:00 PM EDT.

[mcapra]

COMMAND: /usr/local/nagios/libexec/check_http -H stg.xxxx.net -C 15
OUTPUT: OK - Certificate 'dashboard.xxxx.net' will expire on Sat 20 May 2017 11:02:00 PM EDT.

dashboard.xxxx.net is being evaluated by the X509_get_subject_name function. Are you absolutely certain that the CN of the certificate is stg.xxxx.net?

[tyrone.fain]

Yes I'm absolutely sure.

[rkennedy]

What is the full output of the following?

Code: Select all

curl -v https://stg.xxxx.net

(replace xxxx with the proper hostname)

[tyrone.fain]

* Rebuilt URL to: https://stg.xxxx.net/
* Hostname was NOT found in DNS cache
* Trying 10.128.65.xxx...
* Connected to stg.xxxx.net (10.128.65.xxx) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: C=US; ST=Pennsylvania; L=Philadelphia; O=xxxxx; CN=stg.xxxx.net
* start date: 2014-12-17 16:12:25 GMT
* expire date: 2017-12-16 08:31:20 GMT
* subjectAltName: stg.xxxx.net matched
* issuer: C=US; O=Entrust, Inc.; OU=See http://www.entrust.net/legal-terms; OU=(c) 2012 Entrust, Inc. - for authorized use only; CN=Entrust Certification Authority - L1K
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: stg.xxxx.net
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Thu, 22 Sep 2016 13:56:17 GMT
* Server Apache is not blacklisted
< Server: Apache
< Location: https://stg.xxxx.net/dashboard/?commid=1
< Content-Length: 253
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://stg.xxxx.net/dashboard/?commid=1">here</a>.</p>
</body></html>
* Connection #0 to host stg.xxxx.net left intact

[tmcdonald]

Let's just check the cert directly:

openssl s_client -showcerts -connect stg.xxxx.net:443

[tyrone.fain]

openssl s_client -showcerts -connect stg.xxxx.net:443
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=dashboard.xxxxdev.net
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2

Server certificate
subject=/OU=Domain Control Validated/CN=dashboard.xxxxdev.net
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
---
SSL handshake has read 5491 bytes and written 421 bytes

[rkennedy]

Looking at this becomes clear that this is where the dashboard certificate is coming from -

Code: Select all

openssl s_client -showcerts -connect stg.xxxx.net:443
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=dashboard.xxxxdev.net
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2

This is why the check_http is returning that certificate. Let's take a step backwards to your initial post though -

The certs reside in the same location, meaning multiple certs in on location.

While you mentioned this, it didn't click until now - are you using SNI to serve multiple certificates via one IP address? If so, you may need to append --sni to your check_http as it will enable SNI support.

Code: Select all

 --sni
    Enable SSL/TLS hostname extension support (SNI)

[tyrone.fain]

I only meant the certs are located in the same directory. The certs have their own IP address located behind a proxy.

[rkennedy]

I only meant the certs are located in the same directory. The certs have their own IP address located behind a proxy.

Could you please elaborate what you mean by ' The certs have their own IP address located behind a proxy. '?

If they have their own IP address, BEHIND a proxy, then they really do not have their own IP address.

If you attempt your check with --sni, does it work successfully? Because at this point we're seeing the web server offer that 'dashboard' certificate as the default one when trying to request it from that IP.