Check ssl version with command check_http FAILS

Hello,

We have installed Icinga Web 2.8.2 on an Ubuntu 18.04.5 LTS server.

When I execute these commands:
/usr/lib/nagios/plugins/check_http --ssl -I my_web_server -t 30
/usr/lib/nagios/plugins/check_http --ssl=1.2 -I my_web_server -t 30
/usr/lib/nagios/plugins/check_http --ssl -S1.2 -I my_web_server -t 30
/usr/lib/nagios/plugins/check_http -S1.2 -I my_web_server -t 30

I get:
HTTP OK: HTTP/1.1 200 OK - 345630 bytes in 0.011 second response time |time=0.010609s;;;0.000000;30.000000 size=345630B;;;0

Perfect, all right!

But ICINGA, when monitoring, is launching this command:

/usr/lib/nagios/plugins/check_http -S 1.2 -I my_web_server -t 30
(there is a space between “-S” parameter and ssl version “1.2”)

/usr/lib/nagios/plugins/check_http -S 1.2 -I my_web_server -t 30
and it FAILS:
HTTP WARNING: HTTP/1.1 400 Bad Request - 513 bytes in 0.008 second response time |time=0.007763s;;;0.000000;30.000000 size=513B;;;0

However, this is ok:
/usr/lib/nagios/plugins/check_http -S1.2 -I my_web_server -t 30

How can I resolve this difficulty?

/etc/icinga2/hostsservices.conf:

// Service object: runs the "check_http" CheckCommand for host "odcggn" and hands the
// target and the wanted TLS version to it through custom variables.
// NOTE(review): the typographic quotes (“ ”) in this listing look like forum formatting;
// the Icinga 2 config file itself needs plain double quotes.
object Service “Servicio HTTP: SSL/TLS version” {
import “generic-service”
host_name = “odcggn”
check_command = “check_http”

vars.notification.mail.users = [ “guigarnu” ]
vars.notification.period = “laboral”
check_period = “laboral”
vars.moncau = “0”
vars.tag = “ODC_SSL_VERSION”
check_interval = 1h + Math.random() * 30
retry_interval = 10m
max_check_attempts = 3
enable_flapping = 1

// Read by the CheckCommand as $tls$, $ssl$ and $host_name$.
// NOTE(review): vars.ssl is a quoted string, not the boolean true; confirm that
// set_if = "$ssl$" in the CheckCommand evaluates it as intended.
vars.tls = “1.2”
vars.ssl = “true”
vars.host_name = “my_web_server”
}

/etc/icinga2/conf.d/commands.conf:
…
// Custom CheckCommand wrapping the check_http plugin. Each entry under "arguments" maps
// a command-line flag to a custom variable of the service; "order" sets its position.
object CheckCommand “check_http” {
import “plugin-check-command”
command = [ PluginDir + “/check_http” ]

timeout = 30

arguments = {

"-I" = {
    value = "$host_name$"
    order = 1
 }
"-u" = {
    value = "$url$"
    order = 2
 }
"-p" = {
    value = "$port$"
    order = 3
 }
"-H" = {
    value = "$virtual_host$"
    order = 4
 }
// NOTE(review): with value = "$tls$" the flag and the version are emitted as two words
// ("-S 1.2"), which is the invocation reported as failing. check_http reads the version
// only as an optional argument attached to the flag ("-S1.2"). With the space, -S
// presumably just enables SSL/TLS without pinning a version, so this form would not
// verify TLS 1.2 even if the check returned OK.
"-S" = {
    value = "$tls$"
    order = 5
 }
"-r" = {
    value = "$expected_regexp$"
    order = 6
 }
"-t" = {
    value = "$timeout$"
    order = 7
 }
"-e" = {
    value = "$expected$"
    order = 8
 }

// Bare flags without a value: added only when the variable evaluates to true.
"--ssl" = {
    set_if = "$ssl$"
 }
"-N" = {
    set_if = "$nobody$"
 }

}

}
…

http_version: 2.2
/usr/lib/nagios/plugins/check_http --version

check_http v2.2 (monitoring-plugins 2.2)

Any idea?
Thank you

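The CheckCommand included with Icinga2 solves this by using a series of set_if vars with various values for the argument (e.g. -S1.1), so the version is always attached to the flag. That matters because check_http takes the version as an optional argument to -S, and an optional argument is only read when it is written directly after the flag; in "-S 1.2" the 1.2 is a separate word and is not taken as the TLS version. You may want to consider using the ones that are already included.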

From the icinga2-common rpm: /usr/share/icinga2/include/command-plugins.conf

I have defined this command in /etc/icinga2/conf.d/commands.conf:

// Second attempt: the version is moved into the flag name ("-S1.2") and the flag is
// switched on with a set_if function.
// NOTE(review): this definition has no "--ssl" entry, so when "-S1.2" is not added the
// check runs without any SSL/TLS flag (the reported command line is "check_http -I my_ip")
// and says nothing about the server's TLS version.
object CheckCommand “check_http” {
import “plugin-check-command”
command = [ PluginDir + “/check_http” ]

timeout = 30

arguments = {

"-I" = {
    value = "$host_name$"
    order = 1
}
"-u" = {
    value = "$url$"
    order = 2
}
"-p" = {
    value = "$port$"
    order = 3
}
"-H" = {
    value = "$virtual_host$"
    order = 4
}
// NOTE(review): inside {{ ... }} the text "$tls$" is an ordinary string; it is not
// replaced by vars.tls, so the comparison with "1.2" is never true and the flag is
// left out. The working version later in the thread wraps it in macro("$tls$").
"-S1.2" = {
    set_if = {{ ( "$tls$" == "1.2" ) }}
    description = "Connect via SSL version TLSv1.2"
}

}
}

hostsservices.conf configuration:
// Service object used with the second CheckCommand attempt: same check, shorter
// intervals, target given as an IP placeholder.
object Service “Servicio HTTP: SSL/TLS version” {
import “generic-service”
host_name = “odcggn”
check_command = “check_http”

vars.notification.mail.users = [ “john” ]
vars.notification.period = “laboral”
check_period = “laboral”
vars.moncau = “0”
vars.tag = “ODC_SSL_VERSION”
check_interval = 4m + Math.random() * 30
retry_interval = 1m
max_check_attempts = 3
enable_flapping = 1

// vars.ssl is set, but the CheckCommand shown with this service has no "--ssl" entry
// that reads it; only vars.host_name and vars.tls are referenced there.
vars.ssl = “true”
vars.host_name = “my_IP”
vars.tls = “1.2”

}

However, Icinga launches the command:
check_http -I my_ip, without the “-S1.2” argument.

I think I have the syntax of the parameters in commands.conf wrong.

I have also tried the following:
// Same test written as if/else. The quoted $tls$ is still a literal string inside the
// function, so the condition is never met and 0 is returned.
“-S1.2” = {
set_if = {{ if ( “$tls$” == “1.2” ) { return 1 } else { return 0 } }}
description = “Connect via SSL version TLSv1.2”
}

What is wrong?
Thank you

Solved.
Using the “macro” function resolved my problem.

For example:
// Working CheckCommand: one "-S<version>" entry per accepted value of vars.tls, each
// enabled by a set_if function. macro("$tls$") resolves the service's variable, which a
// bare "$tls$" string inside {{ ... }} does not do.
// If vars.tls matches none of the entries below, no version flag is emitted at all.
object CheckCommand “check_http” {
import “plugin-check-command”
command = [ PluginDir + “/check_http” ]

timeout = 30

arguments = {

"-I" = {
    value = "$host_name$"
    order = 1
}
"-u" = {
    value = "$url$"
    order = 2
}
"-p" = {
    value = "$port$"
    order = 3
}
"-H" = {
    value = "$virtual_host$"
    order = 4
}
// Exact versions: per the descriptions, the plugin connects with this protocol version.
// The plain comparison used here and the if/else form used further down serve the same
// purpose: add the flag when vars.tls matches.
"-S1" = {
    set_if = {{ ( macro("$tls$") == "1" ) }}
    description = "Connect via SSL version TLSv1"
    order = 5
}
"-S1.1" = {
    set_if = {{ ( macro("$tls$") == "1.1" ) }}
    description = "Connect via SSL version TLSv1.1"
    order = 6
}
"-S1.2" = {
    set_if = {{ if ( macro("$tls$") == "1.2" ) { return 1 } else { return 0 } }}
    description = "Connect via SSL version TLSv1.2"
    order = 7
}
// NOTE(review): confirm that the installed check_http (v2.2 per the thread) accepts 1.3.
"-S1.3" = {
    set_if = {{ if ( macro("$tls$") == "1.3" ) { return 1 } else { return 0 } }}
    description = "Connect via SSL version TLSv1.3"
    order = 8
}
// NOTE(review): SSLv2 and SSLv3 are obsolete and insecure. These two entries only make
// sense for verifying that a server refuses them: an OK result with vars.tls set to "2"
// or "3" is a finding, not a healthy state. The local SSL library may not offer these
// protocols at all.
"-S2" = {
    set_if = {{ if ( macro("$tls$") == "2" ) { return 1 } else { return 0 } }}
    description = "Connect via SSL version SSLv2"
    order = 9
}
"-S3" = {
    set_if = {{ if ( macro("$tls$") == "3" ) { return 1 } else { return 0 } }}
    description = "Connect via SSL version SSLv3"
    order = 10
}
// Minimum versions ("+"): per the descriptions, the named version or anything newer.
// NOTE(review): a low floor such as "1+", "2+" or "3+" lets the check pass over a legacy
// protocol, so it says little about the server's TLS configuration. Use "1.2+" or an
// exact modern version when the goal is to assert the protocol.
"-S1+" = {
    set_if = {{ if ( macro("$tls$") == "1+" ) { return 1 } else { return 0 } }}
    description = "Connect via SSL version TLSv1 and newer"
    order = 11
}
"-S1.1+" = {
    set_if = {{ if ( macro("$tls$") == "1.1+" ) { return 1 } else { return 0 } }}
    description = "Connect via SSL version TLSv1.1 and newer"
    order = 12
}
"-S1.2+" = {
    set_if = {{ if ( macro("$tls$") == "1.2+" ) { return 1 } else { return 0 } }}
    description = "Connect via SSL version TLSv1.2 and newer"
    order = 13
}
"-S1.3+" = {
    set_if = {{ if ( macro("$tls$") == "1.3+" ) { return 1 } else { return 0 } }}
    description = "Connect via SSL version TLSv1.3 and newer"
    order = 14
}
"-S2+" = {
    set_if = {{ if ( macro("$tls$") == "2+" ) { return 1 } else { return 0 } }}
    description = "Connect via SSL version SSLv2 and newer"
    order = 15
}
"-S3+" = {
    set_if = {{ if ( macro("$tls$") == "3+" ) { return 1 } else { return 0 } }}
    description = "Connect via SSL version SSLv3 and newer"
    order = 16
}
"-r" = {
    value = "$expected_regexp$"
    order = 17
 }
"-t" = {
    value = "$timeout$"
    order = 18
 }
"-e" = {
    value = "$expected$"
    order = 19
 }

// NOTE(review): when vars.ssl is set, "--ssl" is appended in addition to any
// "-S<version>" entry above. Presumably redundant; confirm that it does not override
// the version selected earlier on the command line.
"--ssl" = {
    set_if = "$ssl$"
    order = 20
 }
"-N" = {
    set_if = "$nobody$"
    order = 21
 }

}
}

My problem was about resolving vars.
Thank you.

William


Thank you for pointing me in the right direction.
Thanks