Big update on this and solution *nohack* thanks to Mr. Rob Stradling at openssl who gave me a very important hint in my brainstorming session.
So how do you check a host with SNI with openssl? Like this:

> openssl s_client -connect www.example.com:443 -servername www.example.com

Works perfectly. And this made me think. Now back to the icinga1/2/nagios/etc check_http execution. This is the correct way to use the command to check a webhost with SNI:

> check_http -H www.example.com -S --sni

(by default it used -I as parameter and that's why it failed)

> HTTP OK: HTTP/1.1 200 OK - 13667 bytes in 1.031 second response time
> |time=1.031097s;;;0.000000 size=13667B;;;0

Now, -H stands for vhost, but I guess in the context of SNI it's somewhat the same thing, though the documentation should be updated.

Here is a host object definition for such a check, sequence from hosts.conf
====
[...]
object Host "www.example.com" {
  address = "www.example.com"
  vars.http_vhost = "www.example.com"
  vars.http_sni = "true"
  vars.server_type = "Web Servers"
  vars[...] # any other required on-setup vars
}
[...]

and the check is simple. Sequence from a customservicechecks.conf *justanexamplename*
====
[...]
apply Service "https" {
  import "generic-service"
  check_command = "http"
  vars.http_ssl = "true"
  assign where host.vars.server_type == "Web Servers"
}
[...]

Now I don't know about nagios 1/2/3/4, this is icinga2 syntax, but this should be adaptable to nagios configs.

Yay and big thanks to Mr. Rob Stradling at openssl who (although unrelated to nagios/icinga) gave me a very important hint.

Rock on \m/

On 14-Sep-15 11:44 PM, Horatiu N wrote:
> For some reason *suggested by cloudflare support as a lack of sni
> support in my app* whenever I try to monitor https availability on a
> website using cloudflare I get this error all the time
>
>> CRITICAL - Cannot make SSL connection.
>>
>> 47521318531152:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
>> alert internal error:s23_clnt.c:770:
>
> Enabling vars.http_sni = "true" in the host declaration has no effect
> and the debug.log clearly states plugin using the --sni flag
>
>> Running command '/usr/lib/nagios/plugins/check_http' '--sni' '-A'
>> 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0'
>> '-I' '<target>' '-S' '-s' 'UP': PID 4436
>
>
> notice/Process: PID 4436 ('/usr/lib/nagios/plugins/check_http'
> '--sni' '-A' 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0)
> Gecko/20100101 Firefox/40.0' '-I' '<target>' '-S' '-s' 'UP') terminated
> with exit code 2
>
> Don't mind the useragent. That's there for other purposes.
>
> Any hints on this? I've sent an email to whoever manages the debian
> monitoring-plugins metapackage also and if it can be 'fixed' I will post
> an update. It's possible I'll have to email the devs at openssl since
> issuing a
> openssl s_client -connect <target>:443 gives the same error.
>
> PS: some suggested that this is having to do with webservers no longer
> accepting SSLV1/2/3 and tls V1/2 and many ciphers related since they
> were proven insecure. Either way, can't monitor the websites using icinga2.
>
>
>
> _______________________________________________
> icinga-users mailing list
> icinga-users@lists.icinga.org
> https://lists.icinga.org/mailman/listinfo/icinga-users
>
_______________________________________________
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users