check_http > CRITICAL - Cannot make SSL connection.

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
Petr M.
Posts: 29
Joined: Sat Oct 10, 2015 1:24 pm

check_http > CRITICAL - Cannot make SSL connection.

Post by Petr M. »

Hello,
today I upgraded Nagios check_http plugin from version v2.1.4 to v2.2.1 and now I´am not able to check one of my https sites.
The result from v2.1.4 is:
./check_http -H websiteurl -S -e 401
HTTP OK: Status line output matched "401" - 1891 bytes in 0.270 second response time |time=0.270459s;;;0.000000 size=1891B;;;0

and with version v2.2.1:
./check_http -H websiteurl -S -e 401
CRITICAL - Cannot make SSL connection.

the command with --vv:
./check_http -H websiteurl -S -e 401 -vv
CRITICAL - Cannot make SSL connection.
SSL initialized

Nagios Core running on latest Debian with openssl 1.1.0f-3+deb9u2.

Thanks for you help, Regards,
Petr
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: check_http > CRITICAL - Cannot make SSL connection.

Post by scottwilkerson »

when you put websiteurl can you be more specific

is it host.domain.com or
https://host.domain.com or
https://host.domain.com/path/to/page or
https://host.domain.com:customport/path/to/page
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
Petr M.
Posts: 29
Joined: Sat Oct 10, 2015 1:24 pm

Re: check_http > CRITICAL - Cannot make SSL connection.

Post by Petr M. »

Hello,
this is internal web site with certificate issued by local CA. The certificate is SHA1.

I use this command with my own domain:
./check_http -H eusupport.xxxx.com -S -u /CAisd/pdmweb.exe -e 401

I have more internal sites which used SSL certificate from trusted external CA and there is no problem.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: check_http > CRITICAL - Cannot make SSL connection.

Post by scottwilkerson »

you may need to add --sni

Code: Select all

--sni
    Enable SSL/TLS hostname extension support (SNI)
Otherwise I'm not sure what it could be, I just tested with our live server and get expected output

Code: Select all

./check_http -H assets.nagios.com -S -u /downloads/nagios-log-server/2/virtualpc/ -e 403
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
Petr M.
Posts: 29
Joined: Sat Oct 10, 2015 1:24 pm

Re: check_http > CRITICAL - Cannot make SSL connection.

Post by Petr M. »

with --sni I received the same result.

./check_http -H eusupport.xxxxx.com -S -u /CAisd/pdmweb.exe -e 401 --sni
CRITICAL - Cannot make SSL connection.

There must be some change between version 2.1.4 and 2.2.1. With 2.1.4 there is no issue. I don´t know what differences are there.
As I wrote, the problem is only with one of my internal servers. Other server are OK.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: check_http > CRITICAL - Cannot make SSL connection.

Post by scottwilkerson »

Do the internal server force a specific SSL type, you can specify that

Code: Select all

-S, --ssl=VERSION[+]
    Connect via SSL. Port defaults to 443. VERSION is optional, and prevents
    auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,
    1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted.
or specific keys

Code: Select all

-J, --client-cert=FILE
   Name of file that contains the client certificate (PEM format)
   to be used in establishing the SSL session
 -K, --private-key=FILE
   Name of file containing the private key (PEM format)
   matching the client certificate
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
Petr M.
Posts: 29
Joined: Sat Oct 10, 2015 1:24 pm

Re: check_http > CRITICAL - Cannot make SSL connection.

Post by Petr M. »

I tried the command with S1, S1.1 and 1.2
./check_http -H eusupport.xxxxxx.com -S1 -u /CAisd/pdmweb.exe -e 401

with the same result:
CRITICAL - Cannot make SSL connection.

with S2 and S3 I receive:
UNKNOWN - SSL protocol version 3 is not supported by your SSL library.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: check_http > CRITICAL - Cannot make SSL connection.

Post by scottwilkerson »

I did see another thread with similar issue and it was the ssl package on the nagios server

https://support.nagios.com/forum/viewto ... =6&t=43852
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
Petr M.
Posts: 29
Joined: Sat Oct 10, 2015 1:24 pm

Re: check_http > CRITICAL - Cannot make SSL connection.

Post by Petr M. »

I already found this topic but it dies not help me. I already have installed latest version of openssl and libssl-dev and check_http was compiled with these versions but the problem is still there.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: check_http > CRITICAL - Cannot make SSL connection.

Post by scottwilkerson »

I'm sorry, currently I am really out of ideas what could be causing the issue and am unable to replicate it.

I will leave the thread open in case another community member has seen the same behavior.
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
Locked