We have a Windows Server 2012 R2 enterprise CA that we use to issue certificates to our internal servers (WSUS, etc).
When we attempt to use check_http to confirm that the web service is accepting tcp/443 https connections, we get:
[root@monitor-hq-01 libexec]# ./check_http -H wsus -S -v
CRITICAL - Cannot make SSL connection
GET / HTTP/1.0
User-Agent: check_http/v2053 (nagios-plugins 1.4.13)
Connection: close
Host: wsus
HTTP CRITICAL - Error on receive
I'm assuming this is due to the Nagios host not trusting our enterprise CA, although I could be mistaken. check_http works fine with the servers that we have certificates issued by GoDaddy.
So... 2 questions:
1. Is this due to Nagios not trusting the Enterprise CA?
2. If so, how do I get Nagios to trust the Enterprise CA?
We're running the Hyper-V VM image (CentOS) with Nagios 2012R2.9.
check_http cannot make ssl connection with enterprise CA
Re: check_http cannot make ssl connection with enterprise CA
What happens when you wget the website?
Can you also run the check with higher verbosity?
wget https://wsus
./check_http -H wsus -S -vvv
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.
Re: check_http cannot make ssl connection with enterprise CA
wget https://wsus
--2014-03-18 16:47:06-- https://wsus/
Resolving wsus... X.X.X.X
Connecting to wsus|X.X.X.X|:443... connected.
Unable to establish SSL connection.
./check_http -H wsus -S -vvv
CRITICAL - Cannot make SSL connection
GET / HTTP/1.0
User-Agent: check_http/v2053 (nagios-plugins 1.4.13)
Connection: close
Host: wsus
HTTP CRITICAL - Error on receive
I can successfully browse to it from computers with Firefox, IE & Chrome (albeit with an untrusted cert error in Firefox).
Here's some cert info from Firefox:
PKCS #1 SHA-512 With RSA Encryption
Connection Encrypted: High-grade Encryption (TLS_RSA_WITH_AES_128_CBC_SHA, 128 bit keys)
Re: check_http cannot make ssl connection with enterprise CA
You may have openssl issues if wget refuses to grab the page. Let's try wget with "--no-check-certificate".
wget --no-check-certificate https://wsus
Former Nagios employee
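The two-pass check the last reply is working toward, as an added example that is not part of any post in the thread: connect once with certificate verification off (as `--no-check-certificate` does), and only if that succeeds, again with verification on, so a handshake failure is told apart from a CA trust failure. The names `diagnose_tls` and `start_tcp_only_listener`, and the `cafile` path to an exported CA root, are assumptions made for this sketch.

```python
import socket
import ssl
import threading

def diagnose_tls(host, port=443, cafile=None, timeout=5.0):
    """Name the stage that fails: 'connect', 'handshake', 'trust' or 'ok'."""
    # Pass 1: verification off, like wget --no-check-certificate.
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "connect"       # TCP never came up
    try:
        with raw, lax.wrap_socket(raw, server_hostname=host):
            pass
    except OSError:            # ssl.SSLError is a subclass of OSError
        return "handshake"     # fails before trust is ever evaluated
    # Pass 2: verification on; cafile is an assumed path to the CA root (PEM).
    strict = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError:
        return "trust"         # untrusted issuer or host name mismatch
    except OSError:
        return "handshake"

def start_tcp_only_listener():
    """Constructed stand-in: accepts TCP, then hangs up without any TLS reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    # The constructed listener connects but never completes a handshake.
    print(diagnose_tls("127.0.0.1", start_tcp_only_listener()))
```

A result of `handshake` means the failure happens with verification already disabled, so adding a CA to the trust store would not change it; only `trust` points at the CA bundle.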