Issue with check_http

[razah]

Hi

I am trying to run a check_http check however i get a CRITICAL - Socket timeout error. I have checked the firewall and connection from my nagios server and that works.

Code: Select all

-bash-4.2$  ./check_http -f ok -t 30 -H <IP ADDRESS> -u "/FioriLaunchpad.html" -S --sni -p 44301
CRITICAL - Socket timeout
-bash-4.2$

If i do a wget for the same URL i get

Code: Select all

-bash-4.2$  wget https://<IP ADDRESS>/FioriLaunchpad.html --no-check-certificate
--2020-04-08 10:19:19--  https://<IP ADDRESS>:44301/FioriLaunchpad.html
Connecting to <IP ADDRESS>:44301... connected.
WARNING: cannot verify <IPADDRESS>'s certificate, issued by ‘/DC=com/DC=XXX/CN=XXX’:
  Unable to locally verify the issuer's authority.
    WARNING: certificate common name ‘*.XXXX.com’ doesn't match requested host name ‘<IP ADDRESS>’.
HTTP request sent, awaiting response... 200 OK
Length: 5274 (5.2K) [text/html]
Saving to: ‘FioriLaunchpad.html.2’

100%[===================================================================================================================>] 5,274       --.-K/s   in 0s

2020-04-08 10:19:19 (570 MB/s) - ‘FioriLaunchpad.html.2’ saved [5274/5274]

Any ideas ?

Thanks

[jbrunkow]

You may want to try running the command with a higher timeout, by changing the value you are passing through the -t flag. Maybe try 60 instead of 30 to see if you still get a timeout error.

Could you please try running the check_http command with the -v flag and post the output? This will generate more verbose output.

What are you using the -S flag for? Do you need to specify the TLS version of your certificate?

It may also be helpful if you could post the curl output for the same address. It may show something that wget does not. Something like the options below should suffice.

Code: Select all

curl -k -L -v "[LINK]"

[razah]

I have tried the check_http command with a higher timeout and added the TLS certificate version and am still facing the same issue.

Code: Select all

-bash-4.2$ ./check_http -f ok -t 60 -H <IP ADDRESS> -u "/abap/FioriLaunchpad.html"  -S 1.2 -p 44301 -v
CRITICAL - Socket timeout
-bash-4.2$

I got the -s --SNI option from the check command from within the nagiosXI GUI - if i leave this in place and run the check in verbose I do get a bit more feedback

Code: Select all

-bash-4.2$ ./check_http -f ok -t 60 -H <IP ADDRESS> -u "/FioriLaunchpad.html"  -S  --sni -p 44301 -v
SSL initialized
GET /FioriLaunchpad.html HTTP/1.1
User-Agent: check_http/v2.2.1 (nagios-plugins 2.2.1)
Connection: close
Host: <IP ADDRESS>:44301
Accept: */*


CRITICAL - Socket timeout

The curl command returned the following

Code: Select all

 curl -k -L -v "https://<IP ADDRESS>:44301/FioriLaunchpad.html"
* About to connect() to <IP ADDRESS> port 44301 (#0)
*   Trying <IP ADDRESS> ...
* Connected to <IP ADDRESS> (IP ADDRESS) port 44301 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=*.XXXXXX,OU=XXXXXXX,OU=SAP Web AS,O=SAP Trust Community,C=XX
*       start date: Nov 07 16:41:41 2018 GMT
*       expire date: Nov 06 16:41:41 2020 GMT
*       common name: *.XXXXXX
*       issuer: CN=locksmith,DC=XXXXXX,DC=com
> GET /FioriLaunchpad.html HTTP/1.1
> User-Agent: curl/7.29.0
> Host: <IP ADDRESS>:44301
> Accept: */*
>
< HTTP/1.1 200 OK
< set-cookie: sap-login-XSRF_S4D=20200409094304-QRRufzfbP9E1DvZ_G09C6w%3d%3d; path=/; HttpOnly
< set-cookie: sap-usercontext=sap-client=100; path=/
< content-type: text/html; charset=utf-8
< content-length: 5274
< sap-err-id: ICFLOGONREQUIRED
< expires: 0
< pragma: no-cache, no-store, private
< cache-control: no-cache, no-store, private
< sap-server: true
< sap-perf-fesrec: 53045.000000
<
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'">
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
<meta name="apple-mobile-web-app-capable" content="yes" />
<meta name="apple-mobile-web-app-status-bar-style" content="default" />
<title>Logon</title>
<link rel="shortcut icon" href="<PATH>/favicon.ico"/>
<link rel="stylesheet" id="FIORI_LOGIN_CSS" href="<PATH>/library.css" >
<script src="<PATH>login.js"></script>
<script src="<PATH>/ClickjackingFramingProtection.js" id="SAP-antiClickjackScript" data-checkService="/sap/public/bc/uics/whitelist&
#x2f;service" data-releaseTimeoutMessage="10000" data-applyprotectioncallback="sapLogin.controller.activate"></script>
</head>
<body lang="en" class="sapUiBody sapUiSraLoginHeight4 " data-sap-login="JTdiJTIybG9naW5fcGFyYW1zJTIyJTNhJTdiJTIybGFuZ192aXNpYmxlJTIyJTNhdHJ1ZSUyYyUyMmZyYW1pb
mdfY29udHJvbCUyMiUzYXRydWUlN2QlMmMlMjJsYW5ndWFnZXMlMjIlM2ElN2IlMjJFTiUyMiUzYSUyMkVuZ2xpc2glMjIlMmMlMjJFUyUyMiUzYSUyMkVzcGElMjVjMyUyNWIxb2wlMjIlN2QlMmMlMjJ0ZX
h0cyUyMiUzYSU3YiUyMmVycm9yX2NsaWVudF9pbml0aWFsJTIyJTNhJTIyRW50ZXIlNWMlNWN4MjBhJTVjJTVjeDIwY2xpZW50JTIyJTJjJTIyZXJyb3JfcHdkX2luaXRpYWwlMjIlM2ElMjJFbnRlciU1YyU
1Y3gyMGElNWMlNWN4MjBwYXNzd29yZCUyMiUyYyUyMmVycm9yX3VzZXJfaW5pdGlhbCUyMiUzYSUyMkVudGVyJTVjJTVjeDIweW91ciU1YyU1Y3gyMHVzZXIlMjIlN2QlMmMlMjJwcm9wZXJ0aWVzJTIyJTNh
JTdiJTIybGFuZyUyMiUzYSUyMkVOJTIyJTdkJTJjJTIybWVzc2FnZXMlMjIlM2ElNWIlNWQlN2Q=">
<div class="hspan"></div>
<header><div class="loginLogo"><img src="<PATH>/sap_logo.png" width="48"/></div></header>
<main id="LOGIN_MAIN">
<form id="LOGIN_FORM" class="loginForm" name="loginForm" action="/FioriLaunchpad.html" method="post"
      autocomplete="off"></form>
<div id="LOGIN_SHADOW_FORM" hidden="hidden" class="loginDisplayNone">

<input type="hidden" name="sap-system-login-oninputprocessing" value="">
<input type="hidden" name="sap-urlscheme" value="">
<input type="hidden" name="sap-system-login" value="onLogin">
<input type="hidden" name="sap-system-login-basic_auth" value="">
<input type="hidden" name="sap-client" value="100">
<input type="hidden" name="sap-accessibility" value="">
<input type="hidden" name="sap-login-XSRF" value="gAmoOa7Xf0kEOSyNZX9tNFW1lIyN04FF29tbKQVqCt8=">
<input type="hidden" name="sap-system-login-cookie_disabled" value="">
<input type="hidden" name="sap-hash" value="">
    <div id="USERNAME_BLOCK" class="loginInput sapUiLightestBG"><label
            id="USERNAME_LABEL" for="USERNAME_FIELD-inner" class="loginHiddenAccessible">User</label><input
            id="USERNAME_FIELD-inner" tabindex="0" type="text" class="loginInputField" name="sap-user"
            maxlength="12 " inputmode="verbatim" autocorrect="off" autocapitalize="none"
            placeholder="User" title="User"></div>
    <div id="PASSWORD_BLOCK" class="loginInput sapUiLightestBG"><label
            id="PASSWORD_LABEL" for="PASSWORD_FIELD-inner" class="loginHiddenAccessible">Password</label><input
            id="PASSWORD_FIELD-inner" tabindex="0" type="password" class="loginInputField" name="sap-password"
            inputmode="verbatim" placeholder="Password" title="Password"></div>
    <div id="LANGUAGE_BLOCK"><div
            id="LANGUAGE_LABEL_BLOCK" class="loginDisplayInput"><label
            id="LANGUAGE_LABEL" for="LANGUAGE_SELECT" class="sapUiContentForegroundTextColor">Language</label></div><div
            id="LANGUAGE_SELECT_BLOCK"><select
            id="LANGUAGE_SELECT" tabindex="0" class="loginSelect" title="Language"></select></div></div>
    <div id="CLIENT_BLOCK" class="loginInput sapUiLightestBG"><label
            id="CLIENT_LABEL" for="CLIENT_FIELD-inner" class="loginHiddenAccessible">Client</label><input
            id="CLIENT_FIELD-inner" tabindex="0" type="text" class="loginInputField" name="sap-client" maxlength="3"
            value="100" placeholder="Client" title="Client"></div>
    <div id="LOGIN_SUBMIT_BLOCK" class="loginButtonRow"><button
            id="LOGIN_LINK" type="submit" class="loginButton sapUiButtonEmphasized" tabindex="0" title="Log On">Log On</button></div>
    <div id="LOGIN_CHANGE_PASSWORDD_BLOCK" class="loginButtonRow"><button
            id="CHANGE_PASSWORD_LINK" type="button" class="loginButton sapUiButtonLite" tabindex="0" title="Change Password">Change Password</button></div>
    <div id="LOGIN_FORGOT_PASSWORD_BLOCK" class="loginButtonRow"><div class="loginLink"><a
            id="LOGIN_FORGOT_PASSWORD_LINK" href="">Forgot your password?</a></div></div>
    <div id="LOGIN_REGISTER_BLOCK" class="loginButtonRow"><div class="loginLink"><a
            id="LOGIN_REGISTER_LINK" href="">Register here</a></div></div>
</div>
</main>
<footer><div class="loginCopyright"><label class="sapMLabel">Copyright © 2020 SAP SE. All rights reserved.</label></div></footer>
<div class="busyAnimation"><div></div><div></div><div></div></div>
</body>
* Connection #0 to host  left intact

Thanks

[jbrunkow]

Apparently we have fixed bugs related to "Socket Timeout" errors in previous releases. Please run these commands as root on your XI server and post the full output of the check_http commands.

Code: Select all

cd /tmp
wget https://nagios-plugins.org/download/nagios-plugins-2.3.3.tar.gz
tar zxf nagios-plugins-2.3.3.tar.gz
cd nagios-plugins-2.3.3
./configure && make
./plugins/check_http -f follow -t 60 -H <IP ADDRESS> -u "/FioriLaunchpad.html" -S 1 --sni -p 44301 -v
./plugins/check_http -f follow -t 60 -H <IP ADDRESS> -u "/FioriLaunchpad.html" -S 2 --sni -p 44301 -v
./plugins/check_http -f follow -t 60 -H <IP ADDRESS> -u "/FioriLaunchpad.html" -S 3 --sni -p 44301 -v
./plugins/check_http -f follow -t 60 -H <IP ADDRESS> -u "/FioriLaunchpad.html" -S 1.1 --sni -p 44301 -v
./plugins/check_http -f follow -t 60 -H <IP ADDRESS> -u "/FioriLaunchpad.html" -S 1.2 --sni -p 44301 -v