Nagios won't monitor service with self signed cert (openSuSE 11.3)

I updated my install of openSUSE from 11.0 to 11.3 and noticed that the Nagios network monitor can no longer probe servers with self-signed certs. It appears that any monitor that uses openssl 1.0.0 has an issue. If I install the openssl 0.9.8 libraries and use old plugins linked against it, they work fine. All other plugins give the following responses.

./check_ldap -H localhost -b o=mycomp -p 636 -T -v
ldap_bind: Can’t contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)
Could not bind to the LDAP server

or
./check_http -H localhost -C 10 -v
CRITICAL - Cannot make SSL connection
140116118410920:error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list:t1_lib.c:1467:
140116118410920:error:14092113:SSL routines:SSL3_GET_SERVER_HELLO:serverhello tlsext:s3_clnt.c:946:
CRITICAL - Cannot retrieve server certificate.

I should be getting:

./check_http.old -H localhost -C 10 -v
OK - Certificate will expire on 12/17/2020 20:27.

./check_ldap.old -H localhost -b o=mycomp -p 636 -T -v
LDAP OK - 0.161 seconds response time|time=0.160696s;;;0.000000

I would like to use the native packages and not a custom openSSL + Nagios build or a mixture of monitors copied from the retiring machine onto the new.

Thanks in advance,
-Uriah

retiring machine:
openSUSE 11.0 (i586)
OpenSSL 0.9.8g 19 Oct 2007
nagios-plugins 1.4.11

replacement machine:
openSUSE 11.3 (x86_64)
OpenSSL 1.0.0 29 Mar 2010
nagios-plugins 1.4.14

Excuse me if I'm wrong, but could this be a Nagios problem rather than
an openSUSE one?


DenverD
CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]

What if there were no hypothetical questions?

Nagios got more strict by default. Just edit the command line in the nagios config to not check the cert so strictly.
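An added example, not from this thread and not code from the Nagios plugins: it stands up a throwaway local TLS server with a constructed self-signed certificate and uses openssl s_client to show the verification result behind the "certificate verify failed (self signed certificate)" message above, then shows that handing the checker the server's own certificate as its CA file brings the verify return code to 0 while verification stays on. The port number, temp paths and the presence of the openssl CLI are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce a self-signed verification
# failure with openssl s_client, then clear it with a trust anchor rather than
# by switching verification off.
# Assumptions: the openssl CLI is installed; port 14433 is free on 127.0.0.1.
set -e

WORK=$(mktemp -d)
PORT=14433

# Constructed test material: a throwaway self-signed certificate and key.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# A local TLS server presenting that certificate; torn down when the script exits.
openssl s_server -accept "$PORT" -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
    -www >/dev/null 2>&1 &
SERVER_PID=$!
trap 'kill "$SERVER_PID" 2>/dev/null || true; rm -rf "$WORK"' EXIT

# verify_code HOST PORT [CAFILE]
# Prints the numeric "Verify return code" reported by openssl s_client, or
# nothing if no TLS session could be set up. 0 means the chain verified;
# 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, the failure seen in the thread.
verify_code() {
    if [ -n "$3" ]; then
        set -- -connect "$1:$2" -CAfile "$3"
    else
        set -- -connect "$1:$2"
    fi
    printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client "$@" 2>/dev/null \
        | sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# s_server needs a moment to start listening; poll until a session comes up.
tries=0
while [ -z "$(verify_code 127.0.0.1 "$PORT")" ] && [ "$tries" -lt 25 ]; do
    sleep 0.2
    tries=$((tries + 1))
done

# What a strict checker sees: a self-signed cert with no trust anchor for it.
UNTRUSTED_CODE=$(verify_code 127.0.0.1 "$PORT")
# The preferable fix: trust this one certificate explicitly and keep verifying.
TRUSTED_CODE=$(verify_code 127.0.0.1 "$PORT" "$WORK/cert.pem")

echo "no trust anchor:        verify return code $UNTRUSTED_CODE"
echo "cert.pem as -CAfile:    verify return code $TRUSTED_CODE"
```

Run it as a plain script; the two printed lines should show code 18 and then 0. The point of the second call is that a self-signed certificate is not a reason to disable checking: pinning that specific certificate as the trust anchor keeps the monitor alerting if the server ever starts presenting a different one.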

I have not been able to find any flags of that sort. The CLI switches for the plugins do not appear to have changed between versions. Would you know what flag that is?

If you run the monitoring command by itself with -h on the CLI, it will give you some help about options, e.g.

check_http -h

You need to find the directory where that command is stored, probably /usr/lib/nagios/plugins or something like that and use the full pathname.

Sorry, I don’t have nagios on openSUSE, but other distros so can’t help you with details.

I am not seeing anything in the Nagios or openSSL forums so I wish to make sure it is not something particular to the openSuSE release first.

As I am working with it, I am growing more positive that openSSL 1.0.0 + Nagios is to blame, as I am not getting the same behavior when linking against openSSL 0.9.8. Maybe someone knows of something to put in /etc/ssl/openssl.cnf to get backwards compatibility.

What version of openssl do you have on your other distros? Are any of them up to 1.0.x yet, or are they all still 0.9.x?

openssl 0.98 in Debian and CentOS

uriahq wrote:
> Maybe someone knows of something to put in
> /etc/ssl/openssl.cnf to get backwards compatibility.

I'm thinking you might find quicker/better answers here:
http://www.nagios.org/support


DenverD
CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]

What if there were no hypothetical questions?

You should check if nagios is invoking curl to do the cert check. Maybe curl got more strict and you need to change the command line to be less strict about self-signed certs.