Hi,
On 15.09.2015 at 17:51, Horatiu N wrote:
Big update on this and solution *nohack* thanks to Mr. Rob Stradling at
openssl who gave me a very important hint in my brainstorming session.
So how do you check a host with SNI with openssl? Like this:
openssl s_client -connect www.example.com:443 -servername www.example.com
Works perfectly. And this made me think.
Now back to the icinga1/2/nagios/etc check_http execution.
This is the correct way to use the command to check a webhost with SNI:
check_http -H www.example.com -S --sni
(by default it used -I as parameter and that's why it failed)
HTTP OK: HTTP/1.1 200 OK - 13667 bytes in 1.031 second response time
|time=1.031097s;;;0.000000 size=13667B;;;0
Now, -H stands for vhost, but I guess in the context of SNI it's somewhat
the same thing, though the documentation should be updated.
Here is a host object definition for such a check.
Sequence from hosts.conf
====
[...]
object Host "www.example.com" {
  address = "www.example.com"
  vars.http_vhost = "www.example.com"
  vars.http_sni = "true"
  vars.server_type = "Web Servers"
  vars[...] # any other required on-setup vars
}
[...]
And the check is simple.
Sequence from a customservicechecks.conf *justanexamplename*
====
[...]
apply Service "https" {
  import "generic-service"
  check_command = "http"
  vars.http_ssl = "true"
  assign where host.vars.server_type == "Web Servers"
}
[...]
Now I don't know about nagios 1/2/3/4; this is icinga2 syntax, but this
should be adaptable to nagios configs.
Yay and big thanks to Mr. Rob Stradling at openssl who (although
unrelated to nagios/icinga) gave me a very important hint.
Rock on \m/
Could you provide your example in Markdown as a git patch for the
documentation? There's probably a general "how to monitor service X"
section missing, and I'd be glad if you could help start working on it :)
Details on how you can start are noted in the wiki:
https://wiki.icinga.org/display/community/Update+the+Icinga+2+documentation
Kind regards,
Michael
On 14-Sep-15 11:44 PM, Horatiu N wrote:
For some reason *suggested by cloudflare support as a lack of SNI
support in my app* whenever I try to monitor https availability on a
website using cloudflare I get this error all the time
CRITICAL - Cannot make SSL connection.
47521318531152:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
internal error:s23_clnt.c:770:
Enabling vars.http_sni = "true" in the host declaration has no effect
and the debug.log clearly states the plugin is using the --sni flag
Running command '/usr/lib/nagios/plugins/check_http' '--sni' '-A' 'Mozilla/5.0
(Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0' '-I' '<target>'
'-S' '-s' 'UP': PID 4436
> notice/Process: PID 4436 ('/usr/lib/nagios/plugins/check_http'
'--sni' '-A' 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0' '-I' '<target>' '-S' '-s' 'UP') terminated
with exit code 2
Don't mind the useragent. That's there for other purposes.
Any hints on this? I've sent an email to whoever manages the debian
monitoring-plugins metapackage also and if it can be 'fixed' I will post
an update. It's possible I'll have to email the devs at openssl since
issuing a
openssl s_client -connect <target>:443 gives the same error.
PS: some suggested that this has to do with webservers no longer
accepting SSLV1/2/3 and tls V1/2 and many related ciphers since they
were proven insecure. Either way, I can't monitor the websites using icinga2.
_______________________________________________
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users
--
Michael Friedrich, DI (FH)
Senior Developer
NETWAYS GmbH | Deutschherrnstr. 15-19 | D-90429 Nuernberg
Tel: +49 911 92885-0 | Fax: +49 911 92885-77
GF: Julian Hein, Bernd Erk | AG Nuernberg HRB18461
http://www.netways.de | michael.friedr...@netways.de
** OSBConf 2015 - September - osbconf.org **
** OSMC 2015 - November - netways.de/osmc **