check_http with -C option appears to check URL (2.2.1)

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
Locked
User avatar
millisa
Posts: 69
Joined: Thu Jan 16, 2014 11:13 pm
Location: Austin, TX
Contact:

check_http with -C option appears to check URL (2.2.1)

Post by millisa »

With check_http in 2.2.1, compiled from source, when specifying the '-C ##' option to check a certificate expiration, it now appears to do an http request for content.

Relevant excerpt from the check_http man page:

Code: Select all

 -C, --certificate=INTEGER[,INTEGER]
        Minimum number of days a certificate has to be valid. Port defaults to 443
        (when this option is used the URL is not checked.)
With 2.1.4:

Code: Select all

check_http --ssl -C 21 -H google.com
Gives:

Code: Select all

OK - Certificate '*.google.com' will expire on 2017-09-27 03:09 -0500/CDT.
On the same system, using the 2.2.1 of the plugin to run the same command:

Code: Select all

check_http --ssl -C 21 -H google.com
Gives:

Code: Select all

SSL OK - Certificate '*.google.com' will expire on 2017-09-27 03:09 -0500/CDT. HTTP OK: HTTP/1.1 301 Moved Permanently - 615 bytes in 1.297 second response time |time=1.297264s;;;0.000000 size=615B;;;0
 
That HTTP OK portion shouldn't be there with the -C option specified (unless this has been changed and I missed it in the changelog? The closest I saw was the bit about not prematurely reporting success on the TLS cert validation)

Version info (source downloaded 2017-07-18):

Code: Select all

./check_http --version
check_http v2.2.1 (nagios-plugins 2.2.1)

In my specific case, access to the http content is restricted, so even though I just want to do a certificate expiration check, I'm getting a warning in nagios with the new version because of a 401 response.

IP/hostname/port redacted version of the two versions of the command I'm actually using:

Code: Select all

./check_http --ssl -C 21 -I IPREDACTED -p PORTREDACTED
SSL OK - Certificate 'hostnameredacted.com' will expire on 2018-04-04 18:59 -0500/CDT. HTTP WARNING: HTTP/1.0 401 Access Denied - 40256 bytes in 0.280 second response time |time=0.279541s;;;0.000000 size=40256B;;;0
(this exits with a 'warning' state, when up until 2.2.1, this would have exited with an 'OK' state which is what I expect).

And the same check (with hostname/port redacted) using the 2.1.4 version of check_http:

Code: Select all

./check_http --ssl -C 21 -I IPREDACTED -p PORTREDACTED
OK - Certificate 'hostnameredacted.com' will expire on 2018-04-04 18:59 -0500/CDT.
(exits with an 'ok' state)

Quick edit for system info: Systems tested with were running centos 6.9 x86_64 and centos 7.3.1611.
User avatar
millisa
Posts: 69
Joined: Thu Jan 16, 2014 11:13 pm
Location: Austin, TX
Contact:

Re: check_http with -C option appears to check URL (2.2.1)

Post by millisa »

And I just missed it when looking for another report on this. It looks like this is already reported in github at check_http: -C broken after update to 2.2.1 and check_http: Breaking change to -C: Certificate check should not check URL
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: check_http with -C option appears to check URL (2.2.1)

Post by tmcdonald »

Thanks for the details! Mind if we close this since there is a report open?
Former Nagios employee
User avatar
millisa
Posts: 69
Joined: Thu Jan 16, 2014 11:13 pm
Location: Austin, TX
Contact:

Re: check_http with -C option appears to check URL (2.2.1)

Post by millisa »

Go for it, one of the github reports already says it's got a fix in 2.2.2, so I'll wait for it to drop.
Locked