we recently upgraded our Icinga2 server to Debian Buster; Icinga is installed from Debian packages, so that got upgraded as well. Both the Web and Monitoring modules are now version 2.6.2.
Since the upgrade, a TLS certificate check to an older webserver (sadly running on Ubuntu 12.04 - not under our control) fails. The server supports TLS up to version 1.2, according to the ssllabs.com SSL test.
Icinga throws the following error:
CRITICAL - Cannot make SSL connection. 22466919016256:error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type:../ssl/t1_lib.c:1110:
I assumed that was because OpenSSL wouldn’t accept the servers old TLS version / crypto algorithms. However, calling check_http directly with the hostname and the --ssl option exits with “OK”, wget doesn’t complain either.
Now what I would really like is a way to read the check command that Icinga actually runs, with expanded variables etc., so I could further troubleshoot why and where this error occurs. Does anyone have an easy solution to that, or maybe another idea what the problem could be?
Any help is much appreciated.