1

When monitoring the SSL service on a host that runs HTTPS but not HTTP, Icinga warns about a 403 Forbidden return code. But that warning is for HTTP, not HTTPS.

Manually running the check_http command with either -S or --ssl returns a 200 OK code (and a 403 Forbidden response when run just against HTTP).

But the automated service check returns a 403 error with either switch -- check_http!-S or check_http!--ssl.

Icinga does not complain about other SSL hosts monitored using this service check, perhaps because they all run HTTP also.

Icinga uses the Nagios plugins, so I think this is either a Nagios or (more likely) a configuration issue.

How to fix this erroneous report? The SSL service is working on the host.

This is for Icinga 1.7.1-7 running on Debian wheezy. Thanks!

user8162

2 Answers

2

You can't just pass "-S" or "--ssl" as an ARG to a check unless it's specifically written to expect that.

Go look at /etc/nagios-plugins/config/http.cfg, and it should all be clear. The Debian packages ship with over a dozen different check_http commands for varying use cases. You probably want to use check_https or a variant of it.

For background information, see the Macros and how they work docs.

Keith
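The macro behaviour this answer describes, as an added Python sketch that is not part of the original answer or of Nagios/Icinga: it splits a `check_command` value on `!` and substitutes `$ARGn$` into the command line, showing that `-S` is dropped when the definition never references `$ARG1$`. The three command lines are constructed, simplified stand-ins rather than the contents of the Debian http.cfg, and `check_http_opts` is a hypothetical name.

```python
import re
import shlex

# Constructed, simplified command definitions (not copied from the Debian file).
COMMANDS = {
    # References no $ARGn$ macro: anything after "!" is never used.
    "check_http": "check_http -H $HOSTADDRESS$ -I $HOSTADDRESS$",
    # SSL is part of the command definition itself.
    "check_https": "check_http --ssl -H $HOSTADDRESS$ -I $HOSTADDRESS$",
    # Hypothetical command written to accept extra options through $ARG1$.
    "check_http_opts": "check_http -H $HOSTADDRESS$ -I $HOSTADDRESS$ $ARG1$",
}

MACRO = re.compile(r"\$([A-Z0-9_]+)\$")


def expand(check_command, host_address):
    """Return (argv, unused_args) for a service's check_command value."""
    # "name!arg1!arg2" -> command name plus $ARG1$, $ARG2$, ...
    name, *args = check_command.split("!")
    macros = {"HOSTADDRESS": host_address}
    macros.update({f"ARG{i}": a for i, a in enumerate(args, 1)})
    template = COMMANDS[name]
    referenced = set(MACRO.findall(template))
    # In this sketch a macro without a value becomes an empty string.
    line = MACRO.sub(lambda m: macros.get(m.group(1), ""), template)
    # Arguments the definition never references are silently lost.
    unused = [a for i, a in enumerate(args, 1) if f"ARG{i}" not in referenced]
    return shlex.split(line), unused


def uses_ssl(argv):
    """True if the final plugin command line asks for TLS."""
    return "-S" in argv or "--ssl" in argv


if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address.
    for cc in ("check_http!-S", "check_http!--ssl",
               "check_https", "check_http_opts!-S"):
        argv, unused = expand(cc, "192.0.2.10")
        print(f"{cc:20} ssl={uses_ssl(argv)!s:5} dropped={unused} "
              f"-> {' '.join(argv)}")
```
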
1

Small addendum to Keith's answer: nowadays, Icinga2 on Debian can include /usr/share/icinga2/include/command-plugins.conf instead of /etc/nagios-plugins, which doesn't automatically duplicate the $HOSTADDRESS$ macro for the -H option.

So check_http ends up querying the default vhost of the hostname's IP, which can silently give unexpected results.

After learning from this mistake, my basic service config now looks like this:

apply Service "check_https" {
    import "generic-service"

    check_command = "http"
    vars.http_warn_time = 10
    vars.http_critical_time = 50
    vars.http_vhost = "$address$"
    vars.http_ssl = true
    vars.http_sni = true
    vars.sla = "24x7"

    check_interval = 5m
    retry_interval = 2m

    assign where "https-website" in host.groups
}
Chl