SSL Cert failto make connection

[vhoover]

I am running a Windows 2008R2 Web Server that has a wilcard cert installed. The server has the NSClient++ service installed and running. The web server is layer3 load balanced. I am trying to monitor the expiration status of the Cert. I can and am doing so on all servers in the load-balance as well as the URL. I am having issues watching the cert on this server. I get the following error message:

webp00 SSL Certificate Critical 24d 22h 11m 10s 5/5 2013-11-12 10:54:48 CRITICAL - Cannot make SSL connection

No other Windows 2008R2 server in that cluster or in the domain has this issue. Nothing visibly different (outside of the hostname and IP).

Also is there a way to tell Nagios to which ssl cert to watch. I have a few boxes that have two certs on them, one expires in 5 days, and the other starts in 5 days and expires in 3 years +/-.

[abrist]

Can you show us the full check (including args)?
Have you tried running the check from the cli?

[vhoover]

I have tried the check from the cli and have received the same results the full command being used is as follows:

Commend: check_xi_service_http_cert
Command Line: $USER1$/check_http -H $HOSTADDRESS$ -C $ARG1$

$HOSTNAME$ has been replaced with the host (watched in nagios by IP)
$ARG1$ has been replaced by the number 14

[slansing]

Can you show us what the precise error is that is populating the NSClient log? Though this is not an NRPE/Check_nt check "did you post the wrong one?", If you do not have logging enabled please edit the NSClient++ configuration file "nsc/nsclient.ini" and enable it, then restart the service. The log should show up as nsclient.log in the installation directory, now run a few checks against nsclient from nagios and snip the resulting errors out of the log and share here. Thanks!

[vhoover]

This is the error that I am gettting in the nsclient.log


2013-09-28 10:24:39: error:include\Socket.h:713: Error: Could not complete SSL handshake : [-1] 1, attempting to resume...
2013-09-28 10:24:39: error:include\Socket.h:713: Error: Could not complete SSL handshake : [-1] 1, attempting to resume...
2013-09-28 10:24:39: error:include\Socket.h:713: Error: Could not complete SSL handshake : [-1] 1, attempting to resume..

[slansing]

Do you have "use_ssl=1" enabled in the configuration file? Is the NRPEListener.dll uncommented at the top of the file? I'm not sure this has anything to do with this specific check though..

[vhoover]

The use_ssl and NRPEListener.dll were not enabled, however after enabling them, restarting the NSClient++ service, and even a reinstall of the NSClient++ service and verification of all required module and commands (including use_ssl and NRPEListener.dll), there is no change in the issue. The log is not showing any entry regarding this, even with debug enabled, but the commands response when ran from the cli and the GUI is as follows:

./check_http -H webp00 -C 14
CRITICAL - Cannot make SSL connection
CRITICAL - Cannot retrieve server certificate.

[lmiltchev]

Let's step back for a minute. I don't believe the check_http check has anything to do with NSClient++ whatsoever.

What happens when you run the following command from the command line?

Code: Select all

./check_http -H webp00 -v -C 14

[vhoover]

When running the command from the CLI I get the following:

[root@nagios libexec]# ./check_http -H webp00 -v -C 14
CRITICAL - Cannot make SSL connection
CRITICAL - Cannot retrieve server certificate.

[lmiltchev]

This output was not "more verbose" than the previous one...

What is the plugin's version?

Code: Select all

./check_http -V