
Use of hostname and http-peer-addr (or not, and when?) in apps::protocols::x509::plugin

Open Hellnino18 opened this issue 3 years ago • 8 comments

Hi,

I'm switching from centreon-plugins version 20191219 to 20220616, and I have a question/problem with my certificate check.

I'm not sure how to interpret the plugin help about http-peer-addr in addition to hostname. Let's take an example.

I have a load balancer A (hostname toto.domain.tld) in front of my application B (URL: myappli.domain.tld). To check the certificate validity I want to use:

./centreon_plugins.pl --plugin=apps::protocols::x509::plugin --mode=certificate --custommode=https --hostname=toto.domain.tld --port=443 --http-peer-addr=myappli.domain.tld --timeout=30 --warning-status='%{expiration} < 60' --critical-status='%{expiration} < 42' --ssl-opt="SSL_verify_mode=SSL_VERIFY_NONE" --debug

I got:

OK: Certificate for 'myappli.domain.tld' expires in '91' days [2022-11-10T10:36:04Z] - Issuer: '/DC=bla/DC=bla/CN=blabla'

Hooray, this is what I want, but with the debug I see that:

======> request send GET https://toto.domain.tld:443/ User-Agent: centreon::plugins::backend::http::useragent

======> response done HTTP/1.1 404 Not Found Connection: keep-alive Date: Wed, 10 Aug 2022 15:13:54 GMT Server: nginx Vary: Accept-Encoding Content-Length: 146 Content-Type: text/html Client-Date: Wed, 10 Aug 2022 15:13:54 GMT Client-Peer: 10.194.10.160:443 Client-Response-Num: 1 Client-SSL-Cert-Issuer: ... Client-SSL-Cert-Subject: ... Client-SSL-Cipher: ... Client-SSL-Socket-Class: IO::Socket::SSL Title: 404 Not Found

I don't understand why the GET is on https://toto.domain.tld:443/ and not https://myappli.domain.tld:443/.

And for another application C (URL myappli2.domain.tld) on the host D (hostname: mysuperserver.domain.tld), without load balancer, the plugin is not working if I use http-peer-addr:

./centreon_plugins.pl --plugin=apps::protocols::x509::plugin --mode=certificate --custommode=https --hostname=mysuperserver.domain.tld --port=443 --http-peer-addr=myappli2.domain.tld --timeout=30 --warning-status='%{expiration} < 60' --critical-status='%{expiration} < 42' --ssl-opt="SSL_verify_mode=SSL_VERIFY_NONE" --debug

==> UNKNOWN: Bad Request

If I don't use http-peer-addr:

./centreon_plugins.pl --plugin=apps::protocols::x509::plugin --mode=certificate --custommode=https --hostname=mysuperserver.domain.tld --port=443 --timeout=30 --warning-status='%{expiration} < 60' --critical-status='%{expiration} < 42' --ssl-opt="SSL_verify_mode=SSL_VERIFY_NONE" --debug

==> OK: Certificate for 'myappli2.domain.tld' expires in '91' days [2022-11-10T10:36:04Z] - Issuer: '/DC=bla/DC=bla/CN=blabla'

Am I using the plugin right?

Thanks for your help.

Best,

Hellnino18 avatar Aug 10 '22 15:08 Hellnino18

--http-peer-addr allows overriding the TCP connection address (by default we use the --hostname option). But the hostname is kept in the HTTP protocol.

garnier-quentin avatar Aug 10 '22 15:08 garnier-quentin

So, if hostname is the good remote, we don't need http-peer-addr? (I'm sorry, I don't really understand the purpose of overriding the TCP connection address rather than changing the hostname parameter directly.)

So if I have a reverse proxy with 3 applications (A, B, C), I need to pass the reverse proxy address as my hostname and add a Host header to check the right URL?

With the second example above (same server, different name in http-peer-addr and hostname, but same IP), why does the plugin say Bad Request?

And on the first example, why a 404 error even if I have the right return from the plugin?

Sorry, and thanks for your answers.

Hellnino18 avatar Aug 10 '22 15:08 Hellnino18

It can happen if the poller doesn't resolve the hostname.

I don't know for the Bad Request. Can it resolve myappli2.domain.tld?

The plugin tests the certificate (we don't care about the HTTP status code).

garnier-quentin avatar Aug 10 '22 15:08 garnier-quentin

Yes, it can resolve myappli2.domain.tld.

Hellnino18 avatar Aug 11 '22 07:08 Hellnino18

What I don't understand is that with the 20191219 version, I used this command:

/usr/lib/nagios/plugins/centreon-plugins-20191219/centreon_plugins.pl --plugin=apps::protocols::x509::plugin --mode=validity --validity-mode=expiration --hostname=HOSTNAME_REVERSE_PROXY --port=443 --servername=VHOST_ON_MY_REVERSE_PROXY --timeout=30 --warning-date=60: --critical-date=42: --ssl-opt="SSL_verify_mode=SSL_VERIFY_NONE"

==> This works like I want it to!

If I replace the values with the 20220616 version, the same doesn't work:

/usr/lib/nagios/plugins/centreon-plugins-20220616/centreon_plugins.pl --plugin=apps::protocols::x509::plugin --mode=certificate --custommode=https --hostname=HOSTNAME_REVERSE_PROXY --port=443 --timeout=30 --warning-status='%{expiration} < 60' --critical-status='%{expiration} < 42' --ssl-opt="SSL_verify_mode=SSL_VERIFY_NONE" --insecure --http-peer-addr=VHOST_ON_MY_REVERSE_PROXY

==> It doesn't work. I want to connect to HOSTNAME_REVERSE_PROXY to test the vhost VHOST_ON_MY_REVERSE_PROXY (the first example does that).

Hellnino18 avatar Aug 11 '22 08:08 Hellnino18

To have the same thing, use custommode=tcp.

garnier-quentin avatar Aug 11 '22 08:08 garnier-quentin
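The distinction garnier-quentin describes (the address the TCP connection goes to versus the name sent inside the protocol) and the reverse-proxy case from the tcp-custommode exchange, as an added standalone example that is not centreon-plugins code: the socket is opened to the proxy address while the vhost name is sent as the TLS SNI, and the expiry is classified with the same thresholds the issue's commands use (%{expiration} < 60 warning, < 42 critical). Unlike the issue's commands, certificate verification stays enabled, because Python's ssl module only returns the parsed certificate when it verified it; the sample notAfter value and subject are constructed.

```python
import socket
import ssl
import time

# Constructed sample of what ssl.getpeercert() returns for the issue's vhost (not real data).
SAMPLE_CERT = {
    "subject": ((("commonName", "myappli.domain.tld"),),),
    "notAfter": "Nov 10 10:36:04 2022 GMT",
}


def days_until_expiry(not_after: str, now_ts: float) -> int:
    """Whole days between now_ts (epoch seconds) and the cert's notAfter; negative once expired."""
    return int((ssl.cert_time_to_seconds(not_after) - now_ts) // 86400)


def classify(days: int, warning: int = 60, critical: int = 42) -> str:
    """Same thresholds as the issue's --warning-status / --critical-status expressions."""
    if days < critical:
        return "CRITICAL"
    if days < warning:
        return "WARNING"
    return "OK"


def summarize(cert: dict, now_ts: float) -> str:
    """Render a one-line status in the style of the plugin output shown in the issue."""
    days = days_until_expiry(cert["notAfter"], now_ts)
    common_name = dict(rdn[0] for rdn in cert["subject"]).get("commonName", "?")
    return f"{classify(days)}: Certificate for '{common_name}' expires in '{days}' days"


def fetch_leaf_cert(peer_addr: str, server_name: str, port: int = 443, timeout: float = 30.0) -> dict:
    """Connect the TCP socket to peer_addr (the proxy / load balancer) but present
    server_name in the TLS SNI extension, so the proxy serves that vhost's certificate.
    The leaf is verified against the system trust store and checked against server_name."""
    ctx = ssl.create_default_context()
    with socket.create_connection((peer_addr, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert()


def check_certificate(peer_addr: str, server_name: str, port: int = 443) -> str:
    return summarize(fetch_leaf_cert(peer_addr, server_name, port), time.time())


if __name__ == "__main__":
    import sys  # usage: script.py <proxy address> <vhost name>
    print(check_certificate(sys.argv[1], sys.argv[2]))
```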

Ok, it works, thanks. But why? lol

Sorry for all those questions, but I would like to understand when to use tcp or https. Actually I use tcp for the ldaps check and it's okay. But for an HTTP request, it sounds normal to use the https custommode?

Hellnino18 avatar Aug 11 '22 09:08 Hellnino18

It depends. https is quite useful if you want to go through a proxy, for example.

garnier-quentin avatar Aug 11 '22 09:08 garnier-quentin

Is it ok for you? Or do you need more details?

garnier-quentin avatar Aug 17 '22 08:08 garnier-quentin