check_http cannot make ssl connection
Posted: Sun May 14, 2017 10:26 pm
by s.wiki
Hi, I am trying to run check_http but it returns this error.
Code:
[root@ ]# /usr/local/nagios/libexec/check_http -H ipaddress -S -p 443
CRITICAL - Cannot make SSL connection.
139987061589864:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
139987061589864:error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib:s3_clnt.c:1641:
[root@ ]#
I have tested that the port is open.
Code:
[root@ ]# nmap 10.103.8.31 -p 443
Starting Nmap 6.47 ( http://nmap.org ) at 2017-05-15 11:25 MYT
Nmap scan report for hostname.bank.com (ipaddress)
Host is up (0.00032s latency).
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
[root@ ]#
check_http version,
Code:
[root@]# ./check_http -V
check_http v2.2.1 (nagios-plugins 2.2.1)
I have tried to check_http myOwnNagiosIP -S -p 443 and it works. Any ideas?
I would appreciate it if you could help. Thanks
Re: check_http cannot make ssl connection
Posted: Sun May 14, 2017 10:49 pm
by s.wiki
On the agent side it is configured like this.
Code:
; TODO
[/settings/NRPE/server]
; Undocumented key
ssl options = no-sslv2,no-sslv3
Could this be the issue?
Re: check_http cannot make ssl connection
Posted: Mon May 15, 2017 12:10 pm
by tgriep
Can you run the command in verbose mode and post the output so we can view the errors?
Code:
/usr/local/nagios/libexec/check_http -H ipaddress -S -p 443 -vv
What version of openssl is installed on the Nagios server?
Run the following as root and post the output.
Code:
yum list installed |grep openssl
openssl version
Thanks
Re: check_http cannot make ssl connection
Posted: Tue May 16, 2017 3:31 am
by s.wiki
tgriep wrote:
Can you run the command in verbose mode and post the output so we can view the errors?
Code:
/usr/local/nagios/libexec/check_http -H ipaddress -S -p 443 -vv
What version of openssl is installed on the Nagios server?
Run the following as root and post the output.
Code:
yum list installed |grep openssl
openssl version
Thanks
Hi, thank you for your reply. Kindly check the output below.
Code:
[root@~]# /usr/local/nagios/libexec/check_http -H ipaddress -S -p 443 -vv
CRITICAL - Cannot make SSL connection.
140061322540904:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
140061322540904:error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib:s3_clnt.c:1641:
SSL initialized
[root@~]#
Code:
[root@~]# yum list |grep openssl
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
file:///mnt/rhel6.5/repodata/repomd.xml: [Errno 14] Could not open/read file:///mnt/rhel6.5/repodata/repomd.xml
Trying other mirror.
openssl.x86_64 1.0.1e-15.el6 @anaconda-RedHatEnterpriseLinux-201311111358.x86_64/6.5
openssl-devel.x86_64 1.0.1e-15.el6 @lr
krb5-pkinit-openssl.x86_64 1.10.3-10.el6_4.6 lr
openssl.i686 1.0.1e-15.el6 lr
openssl-devel.i686 1.0.1e-15.el6 lr
openssl098e.i686 0.9.8e-17.el6_2.2 lr
openssl098e.x86_64 0.9.8e-17.el6_2.2 lr
[root@~]#
Re: check_http cannot make ssl connection
Posted: Tue May 16, 2017 12:02 pm
by tgriep
After searching for that error, I am finding some links that are pointing to some bugs in the openssl and openssl-devel packages.
Can you upgrade those packages, recompile the check_http plugin and see if it resolves the issue?
You may also have to upgrade the remote server if it is running the same openssl package with the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1019390
https://bugzilla.redhat.com/show_bug.cgi?id=1019251
Re: check_http cannot make ssl connection
Posted: Fri May 19, 2017 2:21 am
by s.wiki
Hi,
Thanks a lot for your assistance.
I have updated the packages to version
openssl-devel-1.0.1e-57.el6.x86_64
openssl-1.0.1e-57.el6.x86_64
and check_http is working now.
Thanks
Re: check_http cannot make ssl connection
Posted: Fri May 19, 2017 9:46 am
by tgriep
You're welcome. Glad it is working now.
I'll mark the post as solved and lock it up but if you have any questions in the future, feel free to open a new post.
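Added example, not part of the original thread or of nagios-plugins: a small shell triage helper that decodes the OpenSSL 1.0.x error-queue lines check_http printed above. It shows that the failure is raised in the local (client-side) EC code while processing the server's key exchange. The function names are hypothetical; the numeric constants are those of OpenSSL 1.0.x.

```shell
#!/bin/sh
# Added example. OpenSSL 1.0.x error-queue line format:
#   <thread-id>:error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>:
# The hex code packs lib (top 8 bits), function (next 12 bits), reason (low 12 bits).

# Print the decoded fields of one error line; return 1 for any other line.
decode_openssl_error() {
    local tid tag code lib func reason rest n
    IFS=: read -r tid tag code lib func reason rest <<EOF
$1
EOF
    [ "$tag" = "error" ] || return 1
    case $code in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    n=$((0x$code))
    printf 'lib=%d func=%d reason=%d where=%s why=%s\n' \
        $(( (n >> 24) & 0xff )) $(( (n >> 12) & 0xfff )) $(( n & 0xfff )) \
        "$func" "$reason"
}

# Read plugin output on stdin and print a one-line diagnosis.
triage_check_http() {
    local line decoded verdict
    verdict="no OpenSSL error lines found"
    while IFS= read -r line; do
        decoded=$(decode_openssl_error "$line") || continue
        case $decoded in
            # lib 16 = ERR_LIB_EC, reason 129 = EC_R_UNKNOWN_GROUP
            "lib=16 "*" reason=129 "*)
                verdict="local OpenSSL does not support the EC curve chosen by the server" ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# The check_http output posted in this thread.
sample_output() {
    cat <<'EOF'
CRITICAL - Cannot make SSL connection.
140061322540904:error:100AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group:ec_curve.c:316:
140061322540904:error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib:s3_clnt.c:1641:
SSL initialized
EOF
}

sample_output | triage_check_http
```

When this diagnosis appears, `openssl ecparam -list_curves` on the monitoring host lists the curves its OpenSSL build supports.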