centreon / centreon-plugins

Collection of standard plugins to discover and gather cloud-to-edge metrics and status across your whole IT infrastructure.
https://www.centreon.com
Apache License 2.0

X509 check in http mode depends on HTTP status code #4131

Closed mayrstefan closed 1 year ago

mayrstefan commented 1 year ago

Bug

centreon_protocol_x509.pl responds with status UNKNOWN if the application answers with a 503 service unavailable. This is irrelevant to the certificate status that should be checked.

Proposed solution

Ignore the status code in the HTTP response

Version

garnier-quentin commented 1 year ago

Did the -no-follow option solve your issue?

mayrstefan commented 1 year ago

No, these are two independent problems. We currently see this issue with an L7 load balancer (e.g. haproxy) with all backends down. The certificate is fine (still valid), but because the load balancer responds with HTTP 503 Service Unavailable, the check command returns UNKNOWN instead of the OK I would have expected.

garnier-quentin commented 1 year ago

Which command do you use? Because I can't reproduce that error with protocol x509.

mayrstefan commented 1 year ago

Example

[root@centreon]:~ # /usr/lib/centreon/plugins/centreon_protocol_x509.pl --plugin=apps::protocols::x509::plugin --mode=certificate --custommode='https' --hostname='haproxy' --port=443 --warning-status='%{expiration} < 15' --critical-status='%{expiration} < 7' --hostname=demo.example.com --verbose
UNKNOWN: Service Unavailable

Same with the debug flag

[root@centreon]:~ # /usr/lib/centreon/plugins/centreon_protocol_x509.pl --plugin=apps::protocols::x509::plugin --mode=certificate --custommode='https' --hostname='haproxy' --port=443 --warning-status='%{expiration} < 15' --critical-status='%{expiration} < 7' --hostname=demo.example.com --verbose --debug
UNKNOWN: Service Unavailable
======> request send
GET https://demo.example.com:443/
User-Agent: centreon::plugins::backend::http::useragent

======> response done
HTTP/1.1 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Length: 107
Content-Type: text/html
Client-Date: Tue, 17 Jan 2023 08:58:45 GMT
Client-Peer: 192.168.1.23:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /DC=com/DC=example/CN=ACME CA
Client-SSL-Cert-Subject: /C=DE/ST=Bayern/L=Muenchen/O=ACME/CN=demo.example.com
Client-SSL-Cipher: ECDHE-RSA-AES256-GCM-SHA384
Client-SSL-Socket-Class: IO::Socket::SSL

<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>

As we can see in the debug output, we got the certificate (Client-SSL-*), but it is not fully checked because of the HTTP status code.
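The debug output above makes the reporter's point concrete: the certificate is already available from the TLS handshake (the Client-SSL-* headers), so a 503 from the application layer says nothing about its validity. The script below is an added example, not part of this thread and not centreon code. It reads the peer certificate from the TLS handshake alone, never sends an HTTP request, and then evaluates centreon-style expressions such as `%{expiration} < 15` against the days left before `notAfter`. `SAMPLE_PEER_CERT` is a constructed dictionary in the shape Python's `getpeercert()` returns (subject and issuer mirror the headers above; the dates are made up), and the function names are the example's own.

```python
import re
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# verified peer. Subject/issuer mirror the Client-SSL-* headers from the debug
# output above; the validity dates are made up. This is not a real certificate.
SAMPLE_PEER_CERT = {
    "subject": (
        (("countryName", "DE"),),
        (("stateOrProvinceName", "Bayern"),),
        (("localityName", "Muenchen"),),
        (("organizationName", "ACME"),),
        (("commonName", "demo.example.com"),),
    ),
    "issuer": (
        (("domainComponent", "com"),),
        (("domainComponent", "example"),),
        (("commonName", "ACME CA"),),
    ),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Aug  4 23:59:59 2023 GMT",
    "subjectAltName": (("DNS", "demo.example.com"),),
}

# Accepts exactly one centreon-style expression, e.g. '%{expiration} < 15'.
THRESHOLD_RE = re.compile(r"^\s*%\{(\w+)\}\s*(<=|>=|==|!=|<|>)\s*(-?\d+)\s*$")


def utc(year, month, day):
    """Helper for tests and examples: midnight UTC on the given date."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def fetch_peer_cert(hostname, port=443, timeout=10):
    """Read the server certificate from the TLS handshake alone.

    No HTTP request is sent, so whatever the service would answer (a 503
    included) cannot influence the result. create_default_context() verifies
    the chain against the system CA store and checks the hostname, i.e. the
    SSL_VERIFY_PEER behaviour; a verification failure raises
    ssl.SSLCertVerificationError, which the caller should report, not hide.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def days_until_expiry(cert, now=None):
    """Whole days left before notAfter, relative to `now` (default: current UTC time)."""
    now = now or datetime.now(timezone.utc)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # epoch seconds, UTC
    return int((not_after - now.timestamp()) // 86400)


def threshold_matches(expr, values):
    """Evaluate one status expression against a dict of values, without eval()."""
    m = THRESHOLD_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported expression: {expr!r}")
    name, op, rhs = m.group(1), m.group(2), int(m.group(3))
    lhs = values[name]
    return {
        "<": lhs < rhs, "<=": lhs <= rhs, ">": lhs > rhs,
        ">=": lhs >= rhs, "==": lhs == rhs, "!=": lhs != rhs,
    }[op]


def certificate_status(cert, warning_status, critical_status, now=None):
    """Return (state, message). CRITICAL wins over WARNING; otherwise OK.

    Only certificate data is consulted; the HTTP layer never enters into it.
    """
    values = {"expiration": days_until_expiry(cert, now)}
    subject = dict(rdn[0] for rdn in cert["subject"])
    message = (f"Certificate for '{subject['commonName']}' expires in "
               f"'{values['expiration']}' days")
    if threshold_matches(critical_status, values):
        return "CRITICAL", message
    if threshold_matches(warning_status, values):
        return "WARNING", message
    return "OK", message


if __name__ == "__main__":
    import sys
    # With a hostname argument the certificate is fetched live; without one
    # the constructed sample is evaluated.
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PEER_CERT
    state, message = certificate_status(cert, "%{expiration} < 15", "%{expiration} < 7")
    print(f"{state}: {message}")
```

Run with no arguments to evaluate the constructed sample, or with a hostname to fetch a live certificate. Two design points: the check never leaves the TLS layer, so an HTTP 503 cannot turn a valid certificate into UNKNOWN, and peer verification stays on, so an untrusted chain or a hostname mismatch surfaces as an error instead of being silently accepted.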

garnier-quentin commented 1 year ago

I can't reproduce it. I need an internet website.

Could you try with --http-backend=curl ?

mayrstefan commented 1 year ago

@garnier-quentin what is missing to reproduce it? A webpage with a 503 status code like https://httpstat.us/503?

mayrstefan commented 1 year ago

As requested, with the curl backend:

[root@centreon]:~ # /usr/lib/centreon/plugins/centreon_protocol_x509.pl --plugin=apps::protocols::x509::plugin --mode=certificate --custommode='https' --port=443 --warning-status='%{expiration} < 15' --critical-status='%{expiration} < 7' --hostname=demo.example.com --verbose --debug --http-backend=curl
UNKNOWN: curl setopt error: 'An unknown option was passed in to libcurl'.

To make things worse, I also tried tcp mode:

[root@centreon]:~ # /usr/lib/centreon/plugins/centreon_protocol_x509.pl --plugin=apps::protocols::x509::plugin --mode=certificate --custommode='tcp' --port=443 --warning-status='%{expiration} < 15' --critical-status='%{expiration} < 7' --hostname=demo.example.com --verbose --debug
*******************************************************************
 Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
 is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER
 possibly with SSL_ca_file|SSL_ca_path for verification.
 If you really don't want to verify the certificate and keep the
 connection open to Man-In-The-Middle attacks please set
 SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************
  at /usr/lib/centreon/plugins/centreon_protocol_x509.pl line 531.
UNKNOWN: SSL error: SSL wants a read first

I have no idea why the default for an x509 check should be SSL_VERIFY_NONE. Anyway, I also tested with SSL_VERIFY_PEER:

[root@centreon]:~ # /usr/lib/centreon/plugins/centreon_protocol_x509.pl --plugin=apps::protocols::x509::plugin --mode=certificate --custommode='tcp' --port=443 --warning-status='%{expiration} < 15' --critical-status='%{expiration} < 7' --hostname=demo.example.com --verbose --debug --ssl-opt="SSL_verify_mode => SSL_VERIFY_PEER"
UNKNOWN: Error creating SSL socket: , SSL error: IO::Socket::IP configuration failed error:140E0197:SSL routines:SSL_shutdown:shutdown while in init

Maybe the next issue when we are done with this one.

garnier-quentin commented 1 year ago

It works for me:

perl centreon_plugins.pl --plugin=apps::protocols::x509::plugin --mode=certificate --custommode='https' --hostname='haproxy' --port=443 --warning-status='%{expiration} < 15' --critical-status='%{expiration} < 7' --hostname=httpstat.us  --urlpath=/503 --verbose
OK: Certificate for 'httpstat.us' expires in '178' days [2023-08-04T23:59:59Z] - Issuer: '/C=US/O=DigiCert, Inc./CN=GeoTrust Global TLS RSA4096 SHA256 2022 CA1' 
Alternative subject names: httpstat.us.

mayrstefan commented 1 year ago

Very strange: 12 days ago the non-working check we had changed from UNKNOWN to OK, and now I cannot reproduce it.

garnier-quentin commented 1 year ago

If you reproduce it, please comment. I will check it.