Nagios Support Forum

Hi

We are trying to do docker montioring. Nagios is throwing up 'UNKNOWN: cURL call failed'.
Previosuly was using version 1.1.0, changed to latest version 1.1.1 check_docker.py. Still we are seeing this error. Please do the needful

Did you configure it at first with the Docker Wizard?

You could also use the -v flag to gather more verbose output. This might just give us the information we need to diagnose the issue.

Is there anything like a proxy or firewall on your network that could be interfering with the connection? What is the output to the following command?

No it was done with the Docker wizard. We are using ssh to access the docker host.
Attached the nmap snapshot. No firewall issues we have the same ports for other nagios instances where we are montioring docker and it is working fine.
Verbose output:

[nagios@xxxxxxxx libexec]$ ./check_docker.py -H xxxxxx --check-type 'containers_cpu' -C 'checkout' -v -t 10 -w 75 - c 80

UNKNOWN: cURL call failed Stderr: % Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Is that certificate self signed or expired? That could be some other causes of this. You should be able to view the certificate with the following command. You could also use the --secure-connection option on the plugin if you think the default socket could be wrong.

--secure-connection [<ip/host address>:<port>]
Where to find TLS protected docker daemon socket.

...or use --insecure-registries to see if it works without SSL at all.

--insecure-registries INSECURE_REGISTRIES [INSECURE_REGISTRIES ...]
List of registries to connect to with http(no TLS).
Useful when using "--version" with images from
insecure registries.

--insecure-registries INSECURE_REGISTRIES [INSECURE_REGISTRIES ...]
List of registries to connect to with http(no TLS).
Useful when using "--version" with images from
insecure registries.

Where to add this " --insecure-registries" -- check_docker.py doesn't have the option to add this argument

[nagios@XXXXXXX ~]$ /usr/local/nagios/libexec/check_docker.py -H xxxxxxxx / --check-type 'containers_cpu' -C 'store-order-svc' -t 0 -w '75' -c '80' --insecure-registries
Usage: check_docker.py [options]

check_docker.py: error: no such option: --insecure-registries
check_docker.py: error: no such option: --secure-connection


it has self signed certificate. Below is the output for the showcerts command

You will need to get that system to trust the certificates your local certificate authority uses or use one of the following settings on checkdocker.py. ...or use the -k option.

The exact steps to trust that certificate authority will depend on what operating system that is running.

Locking thread, ticket received, we will continue support through the ticket.

Thank you!