SSL Cert fail to make connection

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
vhoover
Posts: 123
Joined: Mon Sep 09, 2013 12:17 pm

Re: SSL Cert fail to make connection

Post by vhoover »

Still received an error message, it is a different one though:

[root@nagios-test libexec]# ./check_http -H X.X.X.X -p 83 -S -v -C 14
CRITICAL - Socket timeout after 10 seconds
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Post by abrist »

That is what you usually get when nothing is listening on the port.
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
vhoover
Posts: 123
Joined: Mon Sep 09, 2013 12:17 pm

Post by vhoover »

The web server shows URLs bound to the following ports:

URL1 is bound to port 83 & URL2 is bound to port 80 & 443

With that said, when I run the command to check on port 80 I get the following:

[root@nagios-test libexec]# ./check_http -H X.X.X.X -p 80 -S -v -C 14
CRITICAL - Cannot make SSL connection
140507086231400:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:699:
CRITICAL - Cannot retrieve server certificate.

For whatever reason, this server just does not want to allow a certificate check, even though there is a valid non-expired certificate installed.
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Post by abrist »

This command:

./check_http -H X.X.X.X -p 80 -S -v -C 14
Should probably be:

./check_http -H X.X.X.X -p 443 -S -v -C 14
Unless you force ssl with mod_rewrite or the like.
vhoover
Posts: 123
Joined: Mon Sep 09, 2013 12:17 pm

Post by vhoover »

This command:
./check_http -H X.X.X.X -p 80 -S -v -C 14

Should probably be:
./check_http -H X.X.X.X -p 443 -S -v -C 14

Unless you force ssl with mod_rewrite or the like.
I understand that. I have tried the
check_http -H X.X.X.X -S -v -C
with the -p 80, -p 83, -p 443 and all give an error. The error is pretty much the same each time,
CRITICAL - Cannot make SSL connection
CRITICAL - Cannot retrieve server certificate.
What could be the problem? The server has a valid (non-expired) SSL Certificate installed, is web enabled (obviously), answers to the ports listed above. Other machines with the exact same configuration (Operating System, Ports, URLs, even Patches) do not have this issue. Please help I need to get this resolved.
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Post by abrist »

Alright, let's nmap this host and curl/wget it:

cd /tmp
nmap -p 80,443,83 <host ip>
curl -I <host ip>
wget <host ip> | cat
vhoover
Posts: 123
Joined: Mon Sep 09, 2013 12:17 pm

Post by vhoover »

Alright, let's nmap this host and curl/wget it:
cd /tmp
nmap -p 80,443,83 <host ip>
curl -I <host ip>
wget <host ip> | cat
Below is the output from those commands (IP has been sanitized):

[root@nagios-test tmp]# nmap -p 80,443,83 X.X.X.X

Starting Nmap 5.51 ( http://nmap.org ) at 2013-11-22 10:09 MST
Nmap scan report for X.X.X.X
Host is up (0.0025s latency).
PORT    STATE    SERVICE
80/tcp  open     http
83/tcp  filtered mit-ml-dev
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 1.34 seconds
[root@nagios-test tmp]# curl -I X.X.X.X
HTTP/1.1 200 OK
Content-Length: 689
Content-Type: text/html
Last-Modified: Fri, 09 Sep 2011 21:51:21 GMT
Accept-Ranges: bytes
ETag: "b2f6b09c3a6fcc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Fri, 22 Nov 2013 17:09:55 GMT

[root@nagios-test tmp]# wget X.X.X.X | cat
--2013-11-22 10:10:31-- http://X.X.X.X/
Connecting to X.X.X.X:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 689 [text/html]
Saving to: “index.html”

100%[======================================>] 689 --.-K/s in 0s

2013-11-22 10:10:31 (78.8 MB/s) - “index.html” saved [689/689]
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Post by abrist »

We will have to test this as I am not able to reproduce the HTTP 1.0 issues. The plugin does support HTTP 1.1, but there could potentially be a bug . . .
vhoover
Posts: 123
Joined: Mon Sep 09, 2013 12:17 pm

Post by vhoover »

OK, I await your findings.
slansing
Posts: 7698
Joined: Mon Apr 23, 2012 4:28 pm
Location: Travelling through time and space...

Post by slansing »

Can you manually make the SSL connection? Does it present any certificate issues?

openssl s_client -connect <hostaddress>:443
Locked
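
Added example, not part of the original thread and not code from the Nagios plugins: a small Python probe that separates the failure modes seen above (a socket timeout, as on port 83 which nmap reports as filtered; a non-TLS reply, as on port 80 where curl gets plain HTTP; and a TLS port whose certificate can be read). The function names, the state labels and the `server_name` parameter are assumptions made for this sketch; `warn_days=14` echoes the value passed to `-C` in the thread.

```python
import socket
import ssl
import sys
import time


def classify_probe_error(exc):
    """Map an exception from a TLS connection attempt to its likely cause."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls-untrusted"   # TLS answered, but chain or name check failed
    if isinstance(exc, socket.timeout):
        return "timeout"         # filtered port or nothing answering in time
    if isinstance(exc, ssl.SSLError):
        return "not-tls"         # peer replied with something that is not TLS
    if isinstance(exc, ConnectionRefusedError):
        return "refused"         # host reachable, nothing listening
    return "network-error"


def days_left(not_after, now=None):
    """Whole days until a notAfter string in getpeercert() format."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def probe(host, port, server_name=None, warn_days=14, timeout=10):
    """Return (state, detail) for one host:port.

    Verification stays on, so the expiry date is only read from a
    certificate that validates for server_name (defaults to host).
    """
    ctx = ssl.create_default_context()
    name = server_name or host
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                left = days_left(tls.getpeercert()["notAfter"])
    except OSError as exc:  # SSLError and timeouts are OSError subclasses
        return classify_probe_error(exc), str(exc)
    state = "cert-ok" if left >= warn_days else "cert-expiring"
    return state, "%d days left" % left


if __name__ == "__main__":
    # Usage: python probe.py <host> ; ports are the ones from the thread.
    for target in sys.argv[1:]:
        for port in (80, 83, 443):
            print(target, port, *probe(target, port))
```

A `not-tls` result on a port means `-S` is pointed at a listener that is not speaking TLS, and `timeout` means the check never reached a listener at all.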