Re: check_http with self-signed SSL
Posted: Fri Jun 15, 2018 12:31 pm
by bchabotdg
Plugins updated. Still not working:
Code:
# /usr/local/nagios/libexec/check_http -H server.msp.digitalguardian.com -S -p 443 -u /DigitalGuardian2/Misc/Login.aspx -v
CRITICAL - Cannot make SSL connection.
#
To verify:
Code:
# /usr/local/nagios/libexec/check_http -V
check_http v2.2.1 (nagios-plugins 2.2.1)
#
Re: check_http with self-signed SSL
Posted: Fri Jun 15, 2018 1:45 pm
by tgriep
Do you have any details on how that SSL cert was created on that server?
You may have to specify the SSL version using this option for your server.
Code:
--ssl=VERSION[+]
Connect via SSL. Port defaults to 443. VERSION is optional, and prevents
auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,
1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted.
Try that as well in your command.
Re: check_http with self-signed SSL
Posted: Fri Jun 15, 2018 2:00 pm
by bchabotdg
No change with --ssl= . I do not know the details of how the cert was created.
Re: check_http with self-signed SSL
Posted: Fri Jun 15, 2018 3:13 pm
by cdienger
The --sni option is needed in cases where the destination hosts multiple domains or may require it. Run the check with this option and if it still fails, please PM a packet capture that contains an attempt to run it:
yum -y install tcpdump
tcpdump -s 0 -i any port 443 -w output.pcap
Let it run just long enough to reproduce the error and then use CTRL+C to stop it. PM me the output.pcap and I can take a closer look or you can use Wireshark to review it yourself.
Re: check_http with self-signed SSL
Posted: Mon Jun 18, 2018 1:01 pm
by bchabotdg
Thank you! This worked perfectly.
Re: check_http with self-signed SSL
Posted: Mon Jun 18, 2018 1:29 pm
by cdienger
Glad to hear
