check_http with self-signed SSL
Posted: Tue Jun 12, 2018 11:38 am
by bchabotdg
I'm trying to configure check_http on a server with a self-signed SSL certificate.
I am seeing the following:
$ /usr/local/nagios/libexec/check_http -H server.digitalguardian.com -S -p 443 -u /DigitalGuardian/
CRITICAL - Cannot make SSL connection.
$
Openssl version:
openssl.x86_64 1.0.1e-57.el6 @base
openssl-devel.x86_64 1.0.1e-57.el6 @base
Is there a different check I should be using?
Ultimately I'd like to be able to log in to this site (via HTTP POST) and check for content on the resulting page. For now, a check to see if the site is working at all will suffice. If there is a different plugin that might work better, I'm all ears.
Re: check_http with self-signed SSL
Posted: Tue Jun 12, 2018 4:17 pm
by tgriep
The check_http plugin should be able to connect to that server even with a self signed cert.
Can you run the following and post the output here so we can get the plugin version and a verbose output?
/usr/local/nagios/libexec/check_http -V
/usr/local/nagios/libexec/check_http -H server.digitalguardian.com -S -p 443 -u /DigitalGuardian/ -v
Re: check_http with self-signed SSL
Posted: Thu Jun 14, 2018 12:53 pm
by bchabotdg
# /usr/local/nagios/libexec/check_http -V
check_http v2.0.3 (nagios-plugins 2.0.3)
# /usr/local/nagios/libexec/check_http -H server.msp.digitalguardian.com -S -p 443 -u /DigitalGuardian/ -v
CRITICAL - Cannot make SSL connection.
#
Re: check_http with self-signed SSL
Posted: Thu Jun 14, 2018 4:13 pm
by tgriep
Let's see if the system responds with a curl command.
Run this command and post the output.
curl -XGET https://server.msp.digitalguardian.com/DigitalGuardian/ -k -v
Also, run the nmap command to see which ports are open on the server.
nmap server.msp.digitalguardian.com
Make sure you verify the name of the host.
Re: check_http with self-signed SSL
Posted: Thu Jun 14, 2018 4:45 pm
by bchabotdg
# curl -XGET https://server.msp.digitalguardian.com/DigitalGuardian2/Misc/Login.aspx -k -v >> curltest.txt
* About to connect() to server.msp.digitalguardian.com port 443 (#0)
* Trying IPADDRESS... connected
* Connected to 2server.msp.digitalguardian.com (IPADDRESS) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=*.msp.digitalguardian.com,OU=PremiumSSL Wildcard,OU=C Information Technology,O="Verdasys, Inc.",STREET="860 Winter Street, Suite 3",STREET=404 Wyman Street Suite 320,L=Waltham,ST=MA,postalCode=02451,C=US
* start date: Dec 12 00:00:00 2014 GMT
* expire date: Dec 11 23:59:59 2019 GMT
* common name: *.msp.digitalguardian.com
* issuer: CN=COMODO RSA Organization Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
> GET /DigitalGuardian2/Misc/Login.aspx HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: server.msp.digitalguardian.com
> Accept: */*
>
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
< HTTP/1.1 200 OK
< Cache-Control: no-cache
< Pragma: no-cache
< Content-Type: text/html; charset=utf-8
< Expires: -1
< Server: Microsoft-IIS/10.0
< Set-Cookie: DGMC2_ASP.NET_SessionId=COOKIE; path=/; HttpOnly
< Set-Cookie: .DGMC2ASPXAUTH=; expires=Tue, 12-Oct-1999 04:00:00 GMT; path=/; HttpOnly
< X-Content-Type-Options: nosniff
< X-Xss-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Set-Cookie: ApplicationGatewayAffinity=SCRUBBED;Path=/;Domain=server.msp.digitalguardian.com
< Date: Thu, 14 Jun 2018 21:39:46 GMT
< Content-Length: 10117
<
{ [data not shown]
#
# nmap server.msp.digitalguardian.com
Starting Nmap 6.47 ( http://nmap.org ) at 2018-06-14 17:42 EDT
Nmap scan report for server.msp.digitalguardian.com (IPADDRESS)
Host is up (0.0076s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
21/tcp closed ftp
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 21.29 seconds
#
Re: check_http with self-signed SSL
Posted: Fri Jun 15, 2018 8:50 am
by tgriep
I think that the version of the plugin needs to be updated on the Nagios system and a newer version of OpenSSL will probably need to be updated as well so it will work with the SSL certs that are on that server.
The latest plugins can be found at this link.
https://www.nagios.org/downloads/nagios-plugins/
In the tar.gz file is an INSTALL file that has the steps for compiling and installing the plugins.
Make sure you upgrade the openssl and the openssl-devel packages first.
Then if needed, you can specify the SSL Version with this option in your command.
--ssl=VERSION[+]
Connect via SSL. Port defaults to 443. VERSION is optional, and prevents
auto-negotiation (2 = SSLv2, 3 = SSLv3, 1 = TLSv1, 1.1 = TLSv1.1,
1.2 = TLSv1.2). With a '+' suffix, newer versions are also accepted.
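As an added example (not code from this thread, from the Nagios plugins or from OpenSSL), the probe below does in Python what check_http -S and curl -k do in the exchange above: it pins a minimum TLS version the way --ssl=VERSION+ does, and it reports a failed handshake (the "Cannot make SSL connection" symptom, typically a client library that cannot negotiate the server's protocol or cipher) separately from a certificate that merely is not trusted, which is the case a genuinely self-signed server produces. The hostname is a placeholder, and the expiry thresholds are assumed values.

```python
import socket
import ssl
from datetime import datetime, timezone
HOST = "server.example.invalid"  # placeholder for the monitored server's name

def classify_error(exc):
    """Map a connect/handshake exception to a Nagios (code, message) pair."""
    if isinstance(exc, ssl.SSLCertVerificationError):  # chain/hostname rejected
        why = getattr(exc, "verify_message", str(exc))
        return 2, "CRITICAL - certificate not trusted: %s" % why
    if isinstance(exc, ssl.SSLError):  # handshake itself failed (protocol/cipher)
        why = getattr(exc, "reason", str(exc))
        return 2, "CRITICAL - Cannot make SSL connection (%s)" % why
    if isinstance(exc, OSError):  # refused, timeout, DNS failure
        return 2, "CRITICAL - TCP connection failed: %s" % exc
    return 3, "UNKNOWN - %r" % exc

def expiry_status(not_after, now, warn_days=30, crit_days=7):
    """Nagios code for the remaining certificate lifetime (aware datetimes)."""
    days_left = (not_after - now).days
    if days_left < crit_days:
        return 2, "CRITICAL - certificate expires in %d days" % days_left
    if days_left < warn_days:
        return 1, "WARNING - certificate expires in %d days" % days_left
    return 0, "OK - certificate valid for %d more days" % days_left

def probe(host, port=443, verify=True, min_version=ssl.TLSVersion.TLSv1_2, timeout=10):
    """TLS session like check_http -S; verify=False mirrors curl -k (handshake
    is exercised, CA chain is not), which is what a self-signed server needs."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version  # like --ssl=1.2+ in check_http
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as tcp:
            with ctx.wrap_socket(tcp, server_hostname=host) as tls:
                info = "%s %s" % (tls.version(), tls.cipher()[0])
                if not verify:
                    return 0, "OK - handshake succeeded (%s), cert unverified" % info
                not_after = datetime.fromtimestamp(
                    ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"]), timezone.utc)
                code, msg = expiry_status(not_after, datetime.now(timezone.utc))
                return code, "%s (%s)" % (msg, info)
    except Exception as exc:  # every failure mode maps to a Nagios status
        return classify_error(exc)

if __name__ == "__main__":
    code, msg = probe(HOST, verify=False)
    print(msg)
    raise SystemExit(code)
```

Run it with verify=False first: if that succeeds while verify=True fails, the problem is trust (install the self-signed cert in the CA bundle); if both fail with "Cannot make SSL connection", the client-side library cannot negotiate with the server, which is the situation the thread is debugging.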
Re: check_http with self-signed SSL
Posted: Fri Jun 15, 2018 10:59 am
by bchabotdg
tgriep wrote:I think that the version of the plugin needs to be updated on the Nagios system and a newer version of OpenSSL will probably need to be updated as well so it will work with the SSL certs that are on that server.
Nagios XI shows everything is up to date. Are these not updated with the internal updater in Nagios XI? If not, shouldn't they be?
tgriep wrote:Make sure you upgrade the openssl and the openssl-devel packages first.
Both are the latest versions available for this OS:
Name : openssl
Arch : x86_64
Version : 1.0.1e
Release : 57.el6
Size : 4.1 M
Repo : installed
Name : openssl-devel
Arch : x86_64
Version : 1.0.1e
Release : 57.el6
Size : 2.2 M
Repo : installed
Re: check_http with self-signed SSL
Posted: Fri Jun 15, 2018 11:20 am
by mcapra
Just because openssl is installed with the latest version supported by the OS's package management doesn't necessarily mean it supports the ciphers the website's SSL cert is using. Though, I do believe 1.0.1e should support ECDHE-RSA-AES128-GCM-SHA256. You can do your own validation with the ciphers command mentioned here:
https://wiki.openssl.org/index.php/Comm ... _Utilities
Please provide the output of OpenSSL's ciphers command so we can rule that out.
bchabotdg wrote:Nagios XI shows everything is up to date. Are these not updated with the internal updater in Nagios XI? If not, shouldn't they be?
XI 5.4.12 shipped with nagios-plugins 2.0.3. That is a pretty old release and I don't see anything in the upgrade script that pulls anything newer. You can always update to the latest release by hand:
https://support.nagios.com/kb/article.php?id=569
Re: check_http with self-signed SSL
Posted: Fri Jun 15, 2018 11:28 am
by tgriep
Thanks @mcapra for the help. The next major release of XI will have the newest plugins installed on the server.
Try upgrading the plugins and let us know if it fixes the issue for you.
Re: check_http with self-signed SSL
Posted: Fri Jun 15, 2018 11:52 am
by bchabotdg
mcapra wrote:Please provide the output of OpenSSL's ciphers command so we can rule that out.
OpenSSL> ciphers
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:IDEA-CBC-SHA:PSK-3DES-EDE-CBC-SHA:KRB5-IDEA-CBC-SHA:KRB5-DES-CBC3-SHA:KRB5-IDEA-CBC-MD5:KRB5-DES-CBC3-MD5:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:KRB5-RC4-SHA:KRB5-RC4-MD5
OpenSSL>
mcapra wrote:XI 5.4.12 shipped with nagios-plugins 2.0.3. That is a pretty old release and I don't see anything in the upgrade script that pulls anything newer.
Ugh. So much for "Your Nagios XI installation is up to date."....