Check_ssl_cert problem

Hello. I have used icinga2 for 5 years without any problem, but now… I have a server running Debian 12 stable Linux, with the UniFi Network application installed (https://community.ui.com/questions/UniFi-Installation-Scripts-or-UniFi-Easy-Update-Script-or-UniFi-Lets-Encrypt-or-UniFi-Easy-Encrypt-/ccbc7530-dd61-40a7-82ec-22b17f027776)
This “generates” the webpage: https://abc.domain.com:8443/manage/account/login?redirect=%2Fmanage

I would like to use icinga to check the validity of the SSL cert, but I get this error in the UI:
“SSL_CERT CRITICAL x.x.x.x: Connection refused”. When I try it on the CLI, it works fine.
x.x.x.x is the IP of abc.domain.com. Why does it show the IP and not the domain name? It’s as if you don’t want to connect to the domain, but to the IP, which really throws an error on the CLI when I use the IP, not the domain name.
What could be the problem?

Services.conf:

apply Service "ssl-cert" {
  import "1day-service"
  check_command = "ssl_cert"
  vars.ssl_address = "abc.domain.com"
  vars.ssl_port = 8443
  vars.ssl_timeout = 120
  vars.ssl_cert_warn = 30
  vars.ssl_cert_critical = 10
  command_endpoint = host.vars.client_endpoint
  assign where match("ABC", host.display_name)
}

CLI command:
/usr/lib/nagios/plugins/check_ssl_cert -H abc.domain.com -v -p 8443 -c 10 -w 30

  • Version used (icinga2 --version)
    icinga2 - The Icinga 2 network monitoring daemon (version: r2.13.6-1)

  • Operating System and version
    Debian 12.5

  • Enabled features (icinga2 feature list)
    Enabled features: api checker ido-mysql mainlog notification

  • Icinga Web 2 version and modules (System - About)
    Icinga Web 2 Version: 2.11.4
    PHP Version: 8.2.7
    Loaded Modules:
    classic_theme 0.0.0
    monitoring 2.11.4

  • Config validation (icinga2 daemon -C)
    [2024-03-14 16:03:55 +0100] information/cli: Icinga application loader (version: r2.13.6-1)
    [2024-03-14 16:03:55 +0100] information/cli: Loading configuration file(s).
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Committing config item(s).
    [2024-03-14 16:03:55 +0100] information/ApiListener: My API identity: icinga2.telemedia.cc
    [2024-03-14 16:03:55 +0100] warning/ApplyRule: Apply rule 'routeros_status' (in /etc/icinga2/zones.d/master/services.conf: 410:1-410:31) for type 'Service' does not match anywhere!
    [2024-03-14 16:03:55 +0100] warning/ApplyRule: Apply rule 'firmwaresw_status' (in /etc/icinga2/zones.d/master/services.conf: 443:1-443:33) for type 'Service' does not match anywhere!
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 1 NotificationComponent.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 1 IdoMysqlConnection.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 1 CheckerComponent.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 5 UserGroups.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 4 TimePeriods.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 4 Users.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 126 Services.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 18 ServiceGroups.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 16 Zones.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 4 NotificationCommands.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 139 Notifications.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 19 Hosts.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 1 IcingaApplication.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 5 HostGroups.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 14 Endpoints.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 1 FileLogger.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 1 ApiUser.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 258 CheckCommands.
    [2024-03-14 16:03:55 +0100] information/ConfigItem: Instantiated 1 ApiListener.
    [2024-03-14 16:03:55 +0100] information/ScriptGlobal: Dumping variables to file '/var/cache/icinga2/icinga2.vars'
    [2024-03-14 16:03:55 +0100] information/cli: Finished validating the configuration file(s).

I tried entering an IP from the CLI, but it still works, so that won’t be the problem. It seems to mishandle the vars.ssl_port function in the GUI.

It seems like your Service mixed up parts of the ssl Plugin Check Command and the ssl_cert Plugin Check Command.

Maybe you want to change your check_command to ssl and alter ssl_cert_{warn,critical} to ssl_cert_valid_days_{warn,critical}. Otherwise, you could keep the ssl_cert plugin, but then you may need to manually install the check_ssl_cert plugin script - which is not part of the monitoring-plugins - and alter the other variables accordingly.
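
The two consistent variants described in the reply above, written out as an added example that is not part of the original thread. Object names, thresholds and the match pattern come from the poster's Services.conf; `ssl_cert_address` and `ssl_cert_port` in variant B are the ITL custom variables of the `ssl_cert` command, and only one of the two rules would be kept.

```icinga2
// Variant A: the "ssl" CheckCommand from the ITL.
// Every custom variable uses the ssl_ prefix that this command reads.
apply Service "ssl-cert" {
  import "1day-service"
  check_command = "ssl"
  vars.ssl_address = "abc.domain.com"
  vars.ssl_port = 8443
  vars.ssl_timeout = 120
  vars.ssl_cert_valid_days_warn = 30
  vars.ssl_cert_valid_days_critical = 10
  command_endpoint = host.vars.client_endpoint
  assign where match("ABC", host.display_name)
}

// Variant B: the "ssl_cert" CheckCommand, which runs check_ssl_cert.
// This command does not read vars.ssl_address or vars.ssl_port, so in the
// original rule those two settings had no effect and the check ran with
// the command's defaults instead of the intended host name and port 8443.
// The check_ssl_cert script must be installed on the endpoint that
// executes the check (here: host.vars.client_endpoint).
apply Service "ssl-cert" {
  import "1day-service"
  check_command = "ssl_cert"
  vars.ssl_cert_address = "abc.domain.com"
  vars.ssl_cert_port = 8443
  vars.ssl_cert_warn = 30
  vars.ssl_cert_critical = 10
  command_endpoint = host.vars.client_endpoint
  assign where match("ABC", host.display_name)
}
```

After editing, `icinga2 daemon -C` validates the syntax only; it does not flag custom variables that the selected CheckCommand never reads, so the rendered command line in the check result is the place to confirm which host and port are actually used.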

Oh my god… What a mistake I made. I did not read the manual completely. Thanks a lot!