check_http with self-signed SSL


Post by bchabotdg »

I'm trying to configure check_http on a server with a self-signed SSL certificate.

I am seeing the following:

$ /usr/local/nagios/libexec/check_http -H server.digitalguardian.com -S -p 443 -u /DigitalGuardian/
CRITICAL - Cannot make SSL connection.
$

Openssl version:
openssl.x86_64 1.0.1e-57.el6 @base
openssl-devel.x86_64 1.0.1e-57.el6 @base

Is there a different check I should be using?

Ultimately I'd like to be able to log in to this site (via HTTP POST) and check for content on the resulting page. For now, a check to see if the site is working at all will suffice. If there is a different plugin that might work better, I'm all ears.

Post by tgriep »

The check_http plugin should be able to connect to that server even with a self signed cert.
Can you run the following and post the output here so we can get the plugin version and a verbose output?


/usr/local/nagios/libexec/check_http -V
/usr/local/nagios/libexec/check_http -H server.digitalguardian.com -S -p 443 -u /DigitalGuardian/ -v
Be sure to check out our Knowledgebase for helpful articles and solutions!

Post by bchabotdg »


# /usr/local/nagios/libexec/check_http -V
check_http v2.0.3 (nagios-plugins 2.0.3)
# /usr/local/nagios/libexec/check_http -H server.msp.digitalguardian.com -S -p 443 -u /DigitalGuardian/ -v
CRITICAL - Cannot make SSL connection.
#

Post by tgriep »

Let's see if the system responds to a curl command.
Run this command and post the output.


curl -XGET https://server.msp.digitalguardian.com/DigitalGuardian/ -k -v
Also, run the nmap command to see which ports are open on the server.
nmap server.msp.digitalguardian.com
Make sure you verify the name of the host.

Post by bchabotdg »


# curl -XGET https://server.msp.digitalguardian.com/DigitalGuardian2/Misc/Login.aspx -k -v >> curltest.txt
* About to connect() to server.msp.digitalguardian.com port 443 (#0)
*   Trying IPADDRESS... connected
* Connected to 2server.msp.digitalguardian.com (IPADDRESS) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=*.msp.digitalguardian.com,OU=PremiumSSL Wildcard,OU=C Information Technology,O="Verdasys, Inc.",STREET="860 Winter Street, Suite 3",STREET=404 Wyman Street Suite 320,L=Waltham,ST=MA,postalCode=02451,C=US
*       start date: Dec 12 00:00:00 2014 GMT
*       expire date: Dec 11 23:59:59 2019 GMT
*       common name: *.msp.digitalguardian.com
*       issuer: CN=COMODO RSA Organization Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> GET /DigitalGuardian2/Misc/Login.aspx HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: server.msp.digitalguardian.com
> Accept: */*
>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
< HTTP/1.1 200 OK
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Expires: -1
< Server: Microsoft-IIS/10.0
< Set-Cookie: DGMC2_ASP.NET_SessionId=COOKIE; path=/; HttpOnly
< Set-Cookie: .DGMC2ASPXAUTH=; expires=Tue, 12-Oct-1999 04:00:00 GMT; path=/; HttpOnly
< X-Content-Type-Options: nosniff
< X-Xss-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: ApplicationGatewayAffinity=SCRUBBED;Path=/;Domain=server.msp.digitalguardian.com
< Date: Thu, 14 Jun 2018 21:39:46 GMT
< Content-Length: 10117
<
{ [data not shown]
#


# nmap server.msp.digitalguardian.com

Starting Nmap 6.47 ( http://nmap.org ) at 2018-06-14 17:42 EDT
Nmap scan report for server.msp.digitalguardian.com (IPADDRESS)
Host is up (0.0076s latency).
Not shown: 998 filtered ports
PORT    STATE  SERVICE
21/tcp  closed ftp
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 21.29 seconds
#
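The curl transcript above already settles one point: the subject DN (O="Verdasys, Inc.", CN=*.msp.digitalguardian.com) and the issuer DN (CN=COMODO RSA Organization Validation Secure Server CA) are different, so this is a CA-issued wildcard certificate rather than a self-signed one, and curl's `-k` only skips chain verification, it does not change the handshake, which completed with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. The script below is an added diagnostic, not code from the thread or from the Nagios plugins. It makes that self-signed determination mechanically from a curl -v transcript (a self-signed certificate is one whose issuer DN equals its subject DN) and, when the environment variable PROBE_HOST is set, repeats the handshake with `openssl s_client` once without and once with SNI (`-servername`). That comparison is an assumption worth testing rather than a diagnosis: nagios-plugins 2.0.x check_http sends SNI only when given `--sni` (assumed present in 2.0.3; confirm with `check_http --help`), curl/NSS sends it by default, and a host fronted by a gateway (the ApplicationGatewayAffinity cookie in the response points to one) may reject a ClientHello without it. The embedded transcripts are an abridged copy of the one posted above and a constructed self-signed counterpart.

```shell
#!/bin/sh
# Added diagnostic helper; not part of the thread or of the Nagios plugins.
# 1. Parse a `curl -k -v` transcript: is the certificate self-signed
#    (issuer DN identical to subject DN), who issued it, which suite was used?
# 2. Optionally (PROBE_HOST set) repeat the handshake with openssl s_client,
#    once without and once with SNI, which is how a 2.0.x check_http presents
#    itself without and with --sni (assumption: see lead-in).

# Print the value of one "*   <label>: <value>" line from a curl -v transcript on stdin.
curl_cert_field() {          # $1 = subject | issuer | start date | expire date
    sed -n "s/^\*[[:space:]]*$1: //p" | head -n 1
}

# The suite curl reports as "* SSL connection using <suite>".
negotiated_suite() {
    sed -n 's/^\*[[:space:]]*SSL connection using //p' | head -n 1
}

# Exit 0 when the transcript's certificate is self-signed. A certificate from a
# private/internal CA is NOT self-signed even though curl cannot verify it.
cert_is_self_signed() {      # stdin = curl -v transcript
    t=$(cat)
    subject=$(printf '%s\n' "$t" | curl_cert_field subject)
    issuer=$(printf '%s\n' "$t" | curl_cert_field issuer)
    [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# Live handshake probe; needs network and an openssl binary, so it only runs
# when PROBE_HOST is set. s_client exits non-zero when no TLS session could be
# established, which is the client-side view of "Cannot make SSL connection".
probe_tls() {                # $1 = host, $2 = port
    for sni in no yes; do
        if [ "$sni" = yes ]; then opt="-servername $1"; else opt=""; fi
        # $opt is intentionally left unquoted so it word-splits into flag + value
        if printf 'Q\n' | openssl s_client -connect "$1:$2" $opt >/dev/null 2>&1; then
            echo "handshake with SNI=$sni: ok"
        else
            echo "handshake with SNI=$sni: FAILED"
        fi
    done
}

# Abridged excerpt of the curl transcript posted above (host left as posted).
SAMPLE_CA_ISSUED='* Connected to server.msp.digitalguardian.com (IPADDRESS) port 443 (#0)
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=*.msp.digitalguardian.com,OU=PremiumSSL Wildcard,O="Verdasys, Inc.",L=Waltham,ST=MA,C=US
*       start date: Dec 12 00:00:00 2014 GMT
*       expire date: Dec 11 23:59:59 2019 GMT
*       issuer: CN=COMODO RSA Organization Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB'

# Constructed transcript of a genuinely self-signed certificate (issuer == subject).
SAMPLE_SELF_SIGNED='* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
*       subject: CN=appliance.example.internal,O=Example Lab
*       start date: Jan  1 00:00:00 2018 GMT
*       expire date: Jan  1 00:00:00 2028 GMT
*       issuer: CN=appliance.example.internal,O=Example Lab'

if [ -n "${PROBE_HOST:-}" ]; then
    probe_tls "$PROBE_HOST" "${PROBE_PORT:-443}"
fi
```

Run it as `PROBE_HOST=server.msp.digitalguardian.com sh probe.sh` from the Nagios server itself, since a handshake that works from a workstation but not from the Nagios box is a client-build problem, not a server one. If only the SNI=yes handshake succeeds, add `--sni` to the check_http command before considering plugin or OpenSSL upgrades.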

Post by tgriep »

I think that the version of the plugin needs to be updated on the Nagios system, and a newer version of OpenSSL will probably be needed as well so it will work with the SSL certs that are on that server.

The latest plugins can be found at this link.
https://www.nagios.org/downloads/nagios-plugins/

In the tar.gz file is an INSTALL file that has the steps for compiling and installing the plugins.
Make sure you upgrade the openssl and the openssl-devel packages first.

Then if needed, you can specify the SSL Version with this option in your command.
--ssl=VERSION[+]
Connect via SSL. Port defaults to 443. VERSION is optional, and prevents
auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,
1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted.
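The end goal stated in the first post, a login via HTTP POST followed by a content check, can be expressed with options check_http 2.x already has: `-P` for URL-encoded POST data, `-T` for the content type, `-s` for a string that must appear in the body, `-C` for certificate expiry, and `--sni` plus `--ssl=VERSION` for the handshake. The script below is an added example, not code from the thread or from Nagios, that assembles those invocations. The form field names (username, password), the expected string, the credentials file and its format are assumptions; the login path /DigitalGuardian2/Misc/Login.aspx is the one from the curl run above. Two details a practitioner would want: the POST body must be URL-encoded, so a password containing `&`, `=` or `%` cannot be pasted in raw (the urlencode function handles that), and because `-C` checks only the certificate and returns without requesting the URL, the expiry check and the login check are two separate commands. Credentials belong in a file readable only by the nagios user, not in the service definition, since command arguments are visible to every local user in `ps`. One caveat: an ASP.NET WebForms login page (Login.aspx on IIS here) usually also expects hidden fields such as __VIEWSTATE that have to be fetched first, which a single check_http POST cannot do, so confirm with curl that the POST actually logs in before wiring it into Nagios.

```shell
#!/bin/sh
# Added example; not part of the thread or of the Nagios plugins.
# Builds the two check_http invocations for the goal stated in the first post:
#  (1) certificate expiry, (2) a login POST plus a content check.
# Assumed: form fields "username"/"password", the expected string, and a
# credentials file holding "user:password" on one line, mode 0400, owned by
# the nagios user.

CHECK_HTTP=/usr/local/nagios/libexec/check_http

# Percent-encode a string for application/x-www-form-urlencoded (RFC 3986
# unreserved characters pass through). Single-line ASCII input assumed;
# LC_ALL=C keeps awk byte-oriented so a UTF-8 locale cannot change the result.
urlencode() {                 # $1 = raw string
    printf '%s' "$1" | LC_ALL=C awk '
        BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
        {
            out = ""
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c ~ /[A-Za-z0-9._~-]/) out = out c
                else out = out sprintf("%%%02X", ord[c])
            }
            printf "%s", out
        }'
}

# Form body with both values encoded, so "&", "=" and "%" in a password do
# not split or corrupt the form.
login_body() {                # $1 = user, $2 = password
    printf 'username=%s&password=%s' "$(urlencode "$1")" "$(urlencode "$2")"
}

# Command (1): certificate must stay valid >= 30 days (WARNING) / 14 days (CRITICAL).
# With -C, check_http stops after the certificate check, so this is its own service.
cert_check_cmd() {            # $1 = host
    printf '%s --sni -H %s -C 30,14\n' "$CHECK_HTTP" "$1"
}

# Command (2): POST the login form over TLS 1.2 with SNI and require $4 in the
# response body. The body is quoted for the shell; Nagios passes it as one argument.
login_check_cmd() {           # $1 = host, $2 = uri, $3 = form body, $4 = expected string
    printf "%s --sni --ssl=1.2 -H %s -u %s -P '%s' -T application/x-www-form-urlencoded -s '%s'\n" \
        "$CHECK_HTTP" "$1" "$2" "$3" "$4"
}

# Read "user:password" from the credentials file; the password may itself contain ":".
read_credentials() {          # $1 = path; sets CRED_USER / CRED_PASS
    IFS= read -r line < "$1" || return 1
    CRED_USER=${line%%:*}
    CRED_PASS=${line#*:}
}

# Demonstration with constructed credentials (a password full of form-breaking characters).
demo() {
    body=$(login_body 'monitor' 'p&ss=w%rd 1')
    cert_check_cmd server.msp.digitalguardian.com
    login_check_cmd server.msp.digitalguardian.com /DigitalGuardian2/Misc/Login.aspx "$body" 'Welcome'
}
demo
```

In a real deployment the two printed command lines become two `command` definitions, the credentials are read with `read_credentials` inside a small wrapper script owned by nagios, and the expected string should be something only a logged-in page shows (a username banner, a logout link), otherwise a login failure that still returns HTTP 200 would be reported as OK.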

Post by bchabotdg »

tgriep wrote: I think that the version of the plugin needs to be updated on the Nagios system, and a newer version of OpenSSL will probably be needed as well so it will work with the SSL certs that are on that server.
Nagios XI shows everything is up to date. Are these not updated with the internal updater in Nagios XI? If not, shouldn't they be?

tgriep wrote: Make sure you upgrade the openssl and the openssl-devel packages first.
Both are the latest versions available for this OS:
Name : openssl
Arch : x86_64
Version : 1.0.1e
Release : 57.el6
Size : 4.1 M
Repo : installed

Name : openssl-devel
Arch : x86_64
Version : 1.0.1e
Release : 57.el6
Size : 2.2 M
Repo : installed

Post by mcapra »

Just because openssl is installed with the latest version supported by the OS's package management doesn't necessarily mean it supports the ciphers the website's SSL cert is using. Though, I do believe 1.0.1e should support ECDHE-RSA-AES128-GCM-SHA256. You can do your own validation with the ciphers command mentioned here:
https://wiki.openssl.org/index.php/Comm ... _Utilities

Please provide the output of OpenSSL's ciphers command so we can rule that out.
bchabotdg wrote: Nagios XI shows everything is up to date. Are these not updated with the internal updater in Nagios XI? If not, shouldn't they be?
XI 5.4.12 shipped with nagios-plugins 2.0.3. That is a pretty old release and I don't see anything in the upgrade script that pulls anything newer. You can always update to the latest release by hand:
https://support.nagios.com/kb/article.php?id=569
Former Nagios employee
https://www.mcapra.com/

Post by tgriep »

Thanks @mcapra for the help. The next major release of XI will have the newest plugins installed on the server.
Try upgrading the plugins and let us know if it fixes the issue for you.

Post by bchabotdg »

mcapra wrote: Please provide the output of OpenSSL's ciphers command so we can rule that out.


OpenSSL> ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-IDEA-CBC-MD5:KRB5-DES-CBC3-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5
OpenSSL> 
mcapra wrote: XI 5.4.12 shipped with nagios-plugins 2.0.3. That is a pretty old release and I don't see anything in the upgrade script that pulls anything newer.
Ugh. So much for "Your Nagios XI installation is up to date."....
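The cipher list above does answer mcapra's question for this case, but checking it by eye is error-prone: curl on this box is built against NSS and prints the IANA suite name (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), while `openssl ciphers` prints OpenSSL's own names (ECDHE-RSA-AES128-GCM-SHA256), and OpenSSL 1.0.1 has no `-stdname` switch to bridge the two. The script below is an added helper, not code from the thread or from Nagios. It converts the IANA name to the OpenSSL form and greps for it in an excerpt of the list posted above (embedded as sample input); when the environment variable OPENSSL_LIVE is set it queries the local `openssl ciphers` instead. The name translation is a heuristic for the AES/ECDHE/DHE/RSA families only; 3DES and RC4 suites carry legacy OpenSSL names that do not follow the pattern. A side observation from the same posted list: this client build still offers RC4, MD5 and 3DES suites, which is a property of what the Nagios server will accept, not a finding about the server under test.

```shell
#!/bin/sh
# Added helper; not part of the thread or of the Nagios plugins.
# Checks whether the local OpenSSL build offers the suite a server negotiated,
# bridging IANA names (what curl/NSS prints) and OpenSSL names (what
# `openssl ciphers` prints).

# Heuristic IANA -> OpenSSL suite-name translation for the AES families:
#   drop the TLS_ prefix and _WITH_, drop a leading RSA_ key exchange (OpenSSL
#   omits it for plain-RSA suites), drop _CBC_ (implied by OpenSSL), join
#   AES_128 -> AES128, then turn the remaining underscores into dashes.
iana_to_openssl() {           # $1 = TLS_..._WITH_... name
    printf '%s\n' "$1" | sed \
        -e 's/^TLS_//' \
        -e 's/_WITH_/_/' \
        -e 's/^RSA_//' \
        -e 's/_CBC_/_/' \
        -e 's/AES_\([0-9][0-9]*\)/AES\1/' \
        -e 's/_/-/g'
}

# Exit 0 when $2 (OpenSSL name) appears in the colon-separated list $1.
cipher_in_list() {            # $1 = colon-separated list, $2 = OpenSSL suite name
    printf '%s\n' "$1" | tr ':' '\n' | grep -qx -- "$2"
}

# Excerpt of the `OpenSSL> ciphers` output posted above (the AES-GCM entries
# plus the legacy 3DES/RC4/MD5 ones); the full list is in the post.
POSTED_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5'

# Suite curl negotiated in the transcript posted earlier in the thread.
NEGOTIATED_IANA='TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'

# Verdict against the posted list, or against the running OpenSSL when
# OPENSSL_LIVE is set. Exit 0 when the suite is offered.
server_suite_supported() {    # $1 = IANA suite name
    name=$(iana_to_openssl "$1")
    if [ -n "${OPENSSL_LIVE:-}" ]; then
        list=$(openssl ciphers 'ALL:COMPLEMENTOFALL')
    else
        list=$POSTED_CIPHERS
    fi
    if cipher_in_list "$list" "$name"; then
        echo "$1 -> $name: offered by this OpenSSL"
    else
        echo "$1 -> $name: NOT offered by this OpenSSL"
        return 1
    fi
}

# Legacy suites the client still offers; worth knowing on the monitoring host.
weak_suites_offered() {       # $1 = colon-separated list; prints one suite per line
    printf '%s\n' "$1" | tr ':' '\n' | grep -E -- '(^|-)(RC4|MD5|DES-CBC3)($|-)' || true
}

server_suite_supported "$NEGOTIATED_IANA"
echo "legacy suites offered:"
weak_suites_offered "$POSTED_CIPHERS"
```

Run with `OPENSSL_LIVE=1 sh ciphers.sh` on the Nagios server to test the real build. If the suite is offered and the handshake still fails, cipher support is ruled out and the remaining suspects are the protocol version (`--ssl=`) and SNI, both of which are client-side settings rather than reasons to rebuild OpenSSL.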