influxdata / telegraf

Agent for collecting, processing, aggregating, and writing metrics, logs, and other arbitrary data.
https://influxdata.com/telegraf
MIT License

[inputs.http_response] tls handshake error #16002

Closed llamafilm closed 2 weeks ago

llamafilm commented 2 weeks ago

Relevant telegraf.conf

[[inputs.http_response]]
  urls = ["https://10.37.155.81:43744/pages/logpage.html"]
  response_timeout = "5s"
  response_body_max_size = "2000"
  response_status_code = 200
  insecure_skip_verify = true

Logs from Telegraf

% telegraf --test --config barco-debug.conf --debug
2024-10-11T00:40:26Z I! Loading config: barco-debug.conf
2024-10-11T00:40:26Z I! Starting Telegraf 1.32.0 brought to you by InfluxData the makers of InfluxDB
2024-10-11T00:40:26Z I! Available plugins: 235 inputs, 9 aggregators, 32 processors, 26 parsers, 62 outputs, 5 secret-stores
2024-10-11T00:40:26Z I! Loaded inputs: http_response
2024-10-11T00:40:26Z I! Loaded aggregators:
2024-10-11T00:40:26Z I! Loaded processors:
2024-10-11T00:40:26Z I! Loaded secretstores:
2024-10-11T00:40:26Z W! Outputs are not used in testing mode!
2024-10-11T00:40:26Z I! Tags enabled: host=Elliott-M2-4.local
2024-10-11T00:40:26Z D! [agent] Initializing plugins
2024-10-11T00:40:26Z D! [agent] Starting service inputs
2024-10-11T00:40:26Z D! [inputs.http_response] Network error while polling https://10.37.155.81:43744/pages/logpage.html: Get "https://10.37.155.81:43744/pages/logpage.html": remote error: tls: handshake failure
> http_response,host=Elliott-M2-4.local,method=GET,result=connection_failed,server=https://10.37.155.81:43744/pages/logpage.html result_code=3i,result_type="connection_failed" 1728607227000000000
2024-10-11T00:40:26Z D! [agent] Stopping service inputs
2024-10-11T00:40:26Z D! [agent] Input channel closed
2024-10-11T00:40:26Z D! [agent] Stopped Successfully

System info

Telegraf 1.32.0, MacOS Ventura

Expected behavior

This server has an invalid TLS certificate. So I expect that with insecure_skip_verify=true I should get a successful 200 response.

Actual behavior

TLS error

Additional info

From the same system, curl works fine with the --insecure option.

% curl -sv --insecure https://10.37.155.81:43744/pages/logpage.html
*   Trying 10.37.155.81:43744...
* Connected to 10.37.155.81 (10.37.155.81) port 43744
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES128-SHA / [blank] / UNDEF
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=HTTPS.Barco-ICMP.9731197995; dnQualifier=DdPyEhVcDdtC8u+jYnjz456JinI=; O=ca.barco-icmp-https.com; OU=ra.korpki03.ca.barco-icmp-https.com
*  start date: Jun  9 00:00:00 2013 GMT
*  expire date: Jun 10 23:59:59 2043 GMT
*  issuer: CN=.ra.korpki03.ca.barco-icmp-https.com; OU=ra.korpki03.ca.barco-icmp-https.com; dnQualifier=bz080W2Mgxw1w0xIbreJAfnpKB0=; O=ca.barco-icmp-https.com
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* using HTTP/1.x
> GET /pages/logpage.html HTTP/1.1
> Host: 10.37.155.81:43744
> User-Agent: curl/8.7.1
> Accept: */*
> 
* Request completely sent off
< HTTP/1.1 200 OK
< Content-Type: text/html
< ETag: "3088016928"
< Last-Modified: Thu, 04 Jan 2024 16:29:26 GMT
< Content-Length: 492
< Access-Control-Allow-Origin: *
< Accept-Ranges: bytes
< Date: Fri, 11 Oct 2024 00:47:08 GMT
< Server: lighttpd/1.4.72
< 

srebhan commented 2 weeks ago

@llamafilm I guess the issue might be that the server uses an insecure cipher suite which recently is blocked by default by Golang. Try setting tls_cipher_suites = ["all"] for the plugin!
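
Added example, not part of the original thread and not Telegraf's code: a self-contained Go reproduction of the failure mode described in the comment above, showing that disabling certificate verification does not change which cipher suites the client offers. It assumes a loopback test server restricted to TLS_RSA_WITH_AES_128_CBC_SHA (the suite curl prints as AES128-SHA) and a constructed ECDHE-only client list; `legacyServer`, `probe`, `ecdheOnly` and `legacySuite` are illustrative names.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// AES128-SHA in curl's output is TLS_RSA_WITH_AES_128_CBC_SHA in Go.
const legacySuite = tls.TLS_RSA_WITH_AES_128_CBC_SHA

// ecdheOnly is a constructed client list standing in for a default that
// offers no RSA key exchange suites (assumption for this example).
var ecdheOnly = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}

// legacyServer starts a loopback HTTPS server limited to TLS 1.2 and legacySuite.
func legacyServer() *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	srv.TLS = &tls.Config{MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{legacySuite}}
	srv.StartTLS()
	return srv
}

// probe sends one GET with certificate verification off and the given cipher
// list, returning the negotiated suite name or the handshake error.
func probe(url string, suites []uint16) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		InsecureSkipVerify: true, // disables certificate checks only, not cipher negotiation
		CipherSuites:       suites,
	}}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	return tls.CipherSuiteName(resp.TLS.CipherSuite), nil
}

func main() {
	srv := legacyServer()
	defer srv.Close()
	_, err := probe(srv.URL, ecdheOnly)
	fmt.Println("ECDHE-only client:", err)
	name, err := probe(srv.URL, append(ecdheOnly, legacySuite))
	fmt.Println("with legacy suite offered:", name, err)
}
```

The `suites` argument plays the role that the `tls_cipher_suites` setting plays in the plugin configuration; because that setting is given per plugin, the legacy suite only needs to be enabled for the input that polls this device.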

llamafilm commented 2 weeks ago

Ok thank you! That works. I didn't know this doc existed before but I just found https://github.com/influxdata/telegraf/blob/master/docs/TLS.md.