Nagios Support Forum

Support for Nagios products and services
https://support.nagios.com/forum/

Running a local check in remote host from Nagios XI

https://support.nagios.com/forum/viewtopic.php?t=66085

Page 1 of 1

Running a local check in remote host from Nagios XI

Posted: Thu Sep 28, 2023 9:07 am
by Alongaks
Hello,

I am trying to run a check of a local certificate file - not doing an SSL/HTTPS/443 check on an active port. The check script in the remote machine is using openssl to validate the certificate lifespan. Below is the script and it works as expected when run as root locally in the target machine.

Code: Select all

#!/bin/bash

CERT="/cert/location/cert.pem"

#WARN_DAYS="$1"
#CRIT_DAYS="$2"

#Nagios wants args...
while getopts ":w:c:" opt; do
  case $opt in
    w)
      WARN_DAYS=$OPTARG
      ;;
    c)
      CRIT_DAYS=$OPTARG
      ;;
    \?)
      echo "Invalid option: -$OPTARG" >&2
      exit 3
      ;;
    :)
      echo "Option -$OPTARG requires an argument." >&2
      exit 3
      ;;
  esac
done

# Calculate when cert expires
DAYS_LEFT=$(( ($(/usr/bin/date -d "$(/usr/bin/openssl x509 -inform pem -in $CERT -enddate -noout | /usr/bin/cut -d= -f 2)" +%s) - $(/usr/bin/date +%s)) / 86400 ))

# Check expiration and output
[ $DAYS_LEFT -le $CRIT_DAYS ] && { echo "CRITICAL: Certificate expires in $DAYS_LEFT days!"; exit 2; }
[ $DAYS_LEFT -le $WARN_DAYS ]  && { echo "WARNING: Certificate expires in $DAYS_LEFT days!"; exit 1; }
echo "OK: Certificate is valid for $DAYS_LEFT more days."
exit 0
If the cert expires in 177 days from now, and I run the script like below, it returns as expected:

Code: Select all

./check_cert.sh -w 178 -c 7
WARNING: Certificate expires in 177 days!
However, if I run this from the Nagios XI host, its not returning correctly. I have the check command as such:

Code: Select all

/usr/bin/ssh -x nagios-user@$HOSTADDRESS$ "/var/lib/nagios-user/check_cert.sh -w $ARG1$ -c $ARG2$" 2>/dev/null
And when I attempt to run a check from Nagios XI:

Code: Select all

$ /usr/bin/ssh -x nagios-user@hostname "/var/lib/nagios-user/check_cert.sh -w 178 -c 7" 2>/dev/null
CRITICAL: Certificate expires in 0 days!
Its like Nagios is not seeing output from the command when it is supposed to run.

Below are permissions on the check script:

Code: Select all

-rwxr-xr-x. 1 nagios-user nagios-user 909 Sep 28 09:51 check_cert.sh
There are many other checks being run from the Nagios host to the same target client, and others without issue. But they are not doing this specific check.

Re: Running a local check in remote host from Nagios XI

Posted: Thu Sep 28, 2023 9:48 am
by Alongaks
May have found the issue.

When running it locally as the nagios-user I'm getting this:

Code: Select all

sudo -u nagios-user /var/lib/nagios-user/check_cert.sh -w 178 -c 7
Can't open /cert/location/cert.pem for reading, Permission denied
140559260428096:error:0200100D:system library:fopen:Permission denied:crypto/bio/bss_file.c:69:fopen('/cert/location/cert.pem,'r')
140559260428096:error:2006D002:BIO routines:BIO_new_file:system lib:crypto/bio/bss_file.c:78:
unable to load certificate
CRITICAL: Certificate expires in 0 days!
Might have to make a copy of the cert file and move it to a location the user can see or set an acl on it... :oops:
All times are UTC-05:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited