Nagios Support Forum

I am having issues with a Nagios Xi plugin.
Check_http plugin – when running, it returns a different hostname.
The certs reside in the same location, meaning multiple certs in on location.
The plugin works for some sites.
Nagios XI 5.2.9
Linux 3.13.0-85-generic #129-Ubuntu SMP Thu Mar 17 20:50:15 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Test check from the command line:

COMMAND: /usr/local/nagios/libexec/check_http -H stg.xxxx.net -C 15
OUTPUT: OK - Certificate 'dashboard.xxxx.net' will expire on Sat 20 May 2017 11:02:00 PM EDT.

tyrone.fain wrote: COMMAND: /usr/local/nagios/libexec/check_http -H stg.xxxx.net -C 15
OUTPUT: OK - Certificate 'dashboard.xxxx.net' will expire on Sat 20 May 2017 11:02:00 PM EDT.

dashboard.xxxx.net is being evaluated by the X509_get_subject_name function. Are you absolutely certain that the CN of the certificate is stg.xxxx.net?

Yes I'm absolutely sure.

What is the full output of the following?
(replace xxxx with the proper hostname)

* Rebuilt URL to: https://stg.xxxx.net/
* Hostname was NOT found in DNS cache
* Trying 10.128.65.xxx...
* Connected to stg.xxxx.net (10.128.65.xxx) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: C=US; ST=Pennsylvania; L=Philadelphia; O=xxxxx; CN=stg.xxxx.net
* start date: 2014-12-17 16:12:25 GMT
* expire date: 2017-12-16 08:31:20 GMT
* subjectAltName: stg.xxxx.net matched
* issuer: C=US; O=Entrust, Inc.; OU=See http://www.entrust.net/legal-terms; OU=(c) 2012 Entrust, Inc. - for authorized use only; CN=Entrust Certification Authority - L1K
* SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: stg.xxxx.net
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Thu, 22 Sep 2016 13:56:17 GMT
* Server Apache is not blacklisted
< Server: Apache
< Location: https://stg.xxxx.net/dashboard/?commid=1
< Content-Length: 253
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://stg.xxxx.net/dashboard/?commid=1">here</a>.</p>
</body></html>
* Connection #0 to host stg.xxxx.net left intact

Let's just check the cert directly:

openssl s_client -showcerts -connect stg.xxxx.net:443

openssl s_client -showcerts -connect stg.xxxx.net:443
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=dashboard.xxxxdev.net
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2

Server certificate
subject=/OU=Domain Control Validated/CN=dashboard.xxxxdev.net
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
---
SSL handshake has read 5491 bytes and written 421 bytes

Looking at this becomes clear that this is where the dashboard certificate is coming from - This is why the check_http is returning that certificate. Let's take a step backwards to your initial post though -

The certs reside in the same location, meaning multiple certs in on location.

While you mentioned this, it didn't click until now - are you using SNI to serve multiple certificates via one IP address? If so, you may need to append --sni to your check_http as it will enable SNI support.

I only meant the certs are located in the same directory. The certs have their own IP address located behind a proxy.

tyrone.fain wrote:I only meant the certs are located in the same directory. The certs have their own IP address located behind a proxy.

Could you please elaborate what you mean by ' The certs have their own IP address located behind a proxy. '?

If they have their own IP address, BEHIND a proxy, then they really do not have their own IP address.

If you attempt your check with --sni, does it work successfully? Because at this point we're seeing the web server offer that 'dashboard' certificate as the default one when trying to request it from that IP.