Issue with TCP test for HTTPS

Guillaume François
Hello,

I'm using the latest version of Monit 5.25.3 on a fully upgraded CentOS, but since some updates I'm having an issue with this test on Apache HTTPD:

if failed port 443 protocol https with timeout 15 seconds for 3 times within 5 cycles then alert

raising error:

[CEST Jul  3 15:05:00] warning  : 'apache-ns353666-prod' failed protocol test [HTTP] at [localhost]:443 [TCP/IP TLS] -- SSL server certificate verification error: unable to get local issuer certificate

I use Monit binaries from the website and not the distribution packages (https://mmonit.com/monit/dist/binary/5.25.3/monit-5.25.3-linux-x64.tar.gz)
Also openssl version from OS is "OpenSSL 1.0.2k-fips  26 Jan 2017" but it should be an issue as openssl from with the binaries if I'm not wrong.

Does anyone have a clue how to make it work again?

Regards.

--
To unsubscribe:
https://lists.nongnu.org/mailman/listinfo/monit-general

Re: Issue with TCP test for HTTPS

David Jones
We need more information to help.  Can you check the same thing using curl or an NRPE plugin like check_http?  There could be many things going on there like SNI, TLS verification, no CA file, Apache virtual hosts, IP bindings, etc.  If you have a browser on that server, try hitting the same URL.  If you don't then try elinks or a text-based browser and see what it says when hitting that URL.  Certs aren't going to match https://localhost so VERIFY DISABLE must be set.



From: monit-general <monit-general-bounces+djones=[hidden email]> on behalf of Guillaume François <[hidden email]>
Sent: Wednesday, July 3, 2019 8:16 AM
To: This is the general mailing list for monit
Subject: Issue with TCP test for HTTPS
 

Re: Issue with TCP test for HTTPS

Lutz Mader
In reply to this post by Guillaume François
Hello Guillaume,
the "unable to get local issuer certificate" error message applies to
the system sending the request (and not the server receiving the request).

Check the pem file used by monit: is the certificate used to connect to
the apache available?

Set the "SSL Option" use "verify" with "disable" to ignore the local
certificate check.
See https://www.mmonit.com/monit/documentation/monit.html

Or disable the check for your test only.

if failed port 443 protocol https with ssl options {verify: disable}
then alert

A suggestion only,
but not tested,
Lutz
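
The client-side nature of "unable to get local issuer certificate" discussed in this thread can be reproduced offline. The script below is an added example, not code from any poster or from Monit; it assumes the openssl command-line tool is installed, and the CA and leaf certificate are constructed throwaway test material. The same leaf fails against the default trust store and passes once the issuing CA is supplied, without turning verification off.

```shell
#!/bin/sh
# Added example: the CA and leaf below are constructed test material.

# make_pki DIR: create a private CA and a "localhost" leaf signed by it.
make_pki() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" -days 2 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=localhost" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.pem" -days 2 2>/dev/null
}

# verify_leaf LEAF [CAFILE]: print "ok" or the reason verification failed.
# The output text is matched because old OpenSSL releases exit 0 on failure.
verify_leaf() {
    if [ -n "$2" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify "$1" 2>&1) || true
    fi
    case $out in
        *"unable to get local issuer certificate"*)
            echo "unable to get local issuer certificate" ;;
        *": OK"*) echo "ok" ;;
        *) echo "other: $out" ;;
    esac
}

# demo: verify the same leaf with and without the issuing CA available.
demo() {
    tmp=$(mktemp -d) && make_pki "$tmp" || return 1
    echo "default trust store: $(verify_leaf "$tmp/leaf.pem")"
    echo "with issuing CA:     $(verify_leaf "$tmp/leaf.pem" "$tmp/ca.pem")"
    rm -rf "$tmp"
}
demo
```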