check_xi_mysql_health does not support SSL
-
Tonysnorek
- Posts: 7
- Joined: Thu May 10, 2018 2:37 pm
check_xi_mysql_health does not support SSL
My organization recently made a change to force all connections to our AWS RDS instances to use SSL. Unfortunately, I am now having problems with around 32 of my service alarms failing because the check_xi_mysql_health command does not support SSL.
It was recommended to use the check_mysql plugin because it does support SSL; however, the check_mysql plugin does not support the types of service alarms that we are looking for, which are as follows:
MySQL Connection Time
MySQL InnoDB Buffer Pool Hit Rate
MySQL InnoDB Log Waits
MySQL Long Running Processes
MySQL Open Connections
MySQL Slow Queries
MySQL Table Cache Hit Rate
MySQL Thread Cache Hit Rate
Is there anyone out there that can recommend a way to fix this?
Re: check_xi_mysql_health does not support SSL
Interestingly, the latest version of check_mysql_health still doesn't support SSL yet.
If you're open to executing these checks via NRPE, it looks as though you should be able to leverage the --mycnf argument to pass in a special client configuration (with your client pems, for example). I suggest NRPE because apparently the --mycnf argument forces localhost as the target. This is all just based on some light reading and is not something I've tested.
https://exchange.nagios.org/directory/M ... th/details
Former Nagios employee
https://www.mcapra.com/
-
Tonysnorek
- Posts: 7
- Joined: Thu May 10, 2018 2:37 pm
Re: check_xi_mysql_health does not support SSL
Thanks for the suggestion. I am not sure if NRPE will work here; I do not have access to the host of the database because they are AWS RDS hosted instances. I will have to take a look into the possibility of doing that with RDS though.
-
Tonysnorek
- Posts: 7
- Joined: Thu May 10, 2018 2:37 pm
Re: check_xi_mysql_health does not support SSL
Unfortunately I am not able to access the host, so NRPE isn't going to work in this case. Does anyone else out there have a potential solution for this? Can anyone from Nagios tell me when/if the check_mysql_health command is going to support SSL? Seems silly that it doesn't, given the current state of cyber security.
-
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: check_xi_mysql_health does not support SSL
Not sure when they will add that in... I do know that /usr/local/nagios/libexec/check_mysql supports SSL, but I realize that it may not offer the same checks you are looking for
Code:
# /usr/local/nagios/libexec/check_mysql -h
check_mysql v2.2.1 (nagios-plugins 2.2.1)
Copyright (c) 1999-2014 Nagios Plugin Development Team
<[email protected]>
This program tests connections to a MySQL server
Usage:
check_mysql [-d database] [-H host] [-P port] [-s socket]
[-u user] [-p password] [-S] [-l] [-a cert] [-k key]
[-C ca-cert] [-D ca-dir] [-L ciphers] [-f optfile] [-g group]
Options:
-h, --help
Print detailed help screen
-V, --version
Print version information
--extra-opts=[section][@file]
Read options from an ini file. See
https://www.nagios-plugins.org/doc/extra-opts.html
for usage and examples.
-H, --hostname=ADDRESS
Host name, IP Address, or unix socket (must be an absolute path)
-P, --port=INTEGER
Port number (default: 3306)
-n, --ignore-auth
Ignore authentication failure and check for mysql connectivity only
-s, --socket=STRING
Use the specified socket (has no effect if -H is used)
-d, --database=STRING
Check database with indicated name
-f, --file=STRING
Read from the specified client options file
-g, --group=STRING
Use a client options group
-u, --username=STRING
Connect using the indicated username
-p, --password=STRING
Use the indicated password to authenticate the connection
==> IMPORTANT: THIS FORM OF AUTHENTICATION IS NOT SECURE!!! <==
Your clear-text password could be visible as a process table entry
-S, --check-slave
Check if the slave thread is running properly.
-w, --warning
Exit with WARNING status if slave server is more than INTEGER seconds
behind master
-c, --critical
Exit with CRITICAL status if slave server is more then INTEGER seconds
behind master
-l, --ssl
Use ssl encryptation
-C, --ca-cert=STRING
Path to CA signing the cert
-a, --cert=STRING
Path to SSL certificate
-k, --key=STRING
Path to private SSL key
-D, --ca-dir=STRING
Path to CA directory
-L, --ciphers=STRING
List of valid SSL ciphers
There are no required arguments. By default, the local database is checked
using the default unix socket. You can force TCP on localhost by using an
IP address or FQDN ('localhost' will use the socket as well).
Notes:
You must specify -p with an empty string to force an empty password,
overriding any my.cnf settings.
Send email to [email protected] if you have questions regarding use
of this software. To submit patches or suggest improvements, send email to
[email protected]
-
Tonysnorek
- Posts: 7
- Joined: Thu May 10, 2018 2:37 pm
Re: check_xi_mysql_health does not support SSL
Thanks for the reply, Scott. Unfortunately, check_mysql also doesn't accomplish what we are looking for, since these are mainly performance-related alarms like table cache hit rate, CPU usage, memory usage, active connections, etc.
-
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: check_xi_mysql_health does not support SSL
I don't have the setup to be able to test this, but I did find this workaround
https://uname.pingveno.net/blog/index.p ... sql_health
-
Tonysnorek
- Posts: 7
- Joined: Thu May 10, 2018 2:37 pm
Re: check_xi_mysql_health does not support SSL
Thanks for the reply here once again, Scott. The paths in that article are a little out of date, but I was able to find the file in question for the plugin. Unfortunately, at this point I do not believe we are able to obtain the SSL certificates in question, as they are also managed on the RDS side and we have no access to the local file system of the RDS server.
-
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
- Contact:
Re: check_xi_mysql_health does not support SSL
Tonysnorek wrote: Thanks for the reply here once again, Scott. The paths in that article are a little out of date, but I was able to find the file in question for the plugin. Unfortunately, at this point I do not believe we are able to obtain the SSL certificates in question, as they are also managed on the RDS side and we have no access to the local file system of the RDS server.
Hmm, I'm not sure there really is going to be any solution if you can't get access to the keys. Some of that is available from Amazon here
https://docs.aws.amazon.com/AmazonRDS/l ... S.SSL.html
Outside of this, I don't have any further suggestions.
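
An added example, not code from this thread, from Nagios or from check_mysql_health: a Nagios-style check that reads two of the hit-rate metrics asked about above over a TLS connection that verifies the server certificate against a CA bundle, which AWS publishes for RDS and which needs no access to the RDS host. Assumptions: the third-party PyMySQL package is installed, the CA bundle path, the NAGIOS_MYSQL_PASSWORD environment variable name and the warning/critical thresholds are all made up for illustration, and each hit rate is computed here as 100 minus the miss percentage from SHOW GLOBAL STATUS counters.

```python
import os
import ssl
import sys

CA_BUNDLE = "/usr/local/nagios/etc/rds-ca-bundle.pem"  # assumed path of the CA bundle from AWS

def build_tls_context(cafile=None):
    """TLS 1.2+, server cert must chain to cafile and match the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def fetch_status(host, user, password, ctx):
    """Return SHOW GLOBAL STATUS as a dict (needs the third-party PyMySQL)."""
    import pymysql  # imported lazily so the pure functions work without it
    conn = pymysql.connect(host=host, user=user, password=password, ssl=ctx, connect_timeout=10)
    try:
        with conn.cursor() as cur:
            cur.execute("SHOW GLOBAL STATUS")
            return dict(cur.fetchall())
    finally:
        conn.close()

def hit_rate(misses, requests):
    """Percent of requests served without a miss; 100 if nothing was requested."""
    return 100.0 - 100.0 * float(misses) / float(requests) if float(requests) else 100.0

def evaluate(label, value, warn, crit):
    """Map a hit rate to (exit code, plugin output line); lower is worse."""
    code, word = (2, "CRITICAL") if value < crit else (1, "WARNING") if value < warn else (0, "OK")
    return code, f"{word} - {label} {value:.2f}% | {label}={value:.2f}%;{warn}:;{crit}:"

def check(s):
    """Evaluate both hit rates (example thresholds); return (worst code, lines)."""
    bp = hit_rate(s["Innodb_buffer_pool_reads"], s["Innodb_buffer_pool_read_requests"])
    tc = hit_rate(s["Threads_created"], s["Connections"])
    results = [evaluate("bufferpool_hitrate", bp, 99, 95),
               evaluate("threadcache_hitrate", tc, 90, 80)]
    return max(c for c, _ in results), [line for _, line in results]

if __name__ == "__main__":
    try:  # password comes from the environment (assumed name), not argv
        ctx = build_tls_context(CA_BUNDLE)
        status = fetch_status(sys.argv[1], sys.argv[2], os.environ["NAGIOS_MYSQL_PASSWORD"], ctx)
    except Exception as exc:  # TLS verification or login failure maps to UNKNOWN
        print(f"UNKNOWN - {exc}")
        sys.exit(3)
    code, lines = check(status)
    print("\n".join(lines))
    sys.exit(code)
```

Run it as `script.py <rds-endpoint> <user>`; a certificate that does not chain to the bundle or does not match the endpoint name makes the connection fail and the check return UNKNOWN instead of silently connecting unverified.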