Service - check_ssl_cert - librenms different results vs CLI, same parameters & binary on-disk used,

BloodyIron · 24 February 2019 23:00

Description:

I’m trying to get LibreNMS to monitor the cert expiry against an nginx-backed reverse-proxy server, which serves multiple domains. When I issue the same commands at the CLI, as are passed via the Services python script, I get different certs passed back to me, so the results are different for what seems to be an identical command. At this point, I am out of ideas as to where the fault could be, so I really need help here.

Validate:

Component	Version
LibreNMS	1.48.1-78-g5d3a28683
DB Schema	2019_02_10_220000_add_dates_to_fdb (132)
PHP	7.2.10-0ubuntu0.18.04.1
MySQL	5.7.25-0ubuntu0.18.04.2
RRDTool	1.7.0
SNMP	NET-SNMP 5.7.3

====================================

[OK] Composer Version: 1.8.4
[OK] Dependencies up-to-date.
[OK] Database connection successful
[OK] Database schema correct

check_ssl_cert version info:

:/usr/lib/nagios/plugins# ./check_ssl_cert -V
check_ssl_cert version 1.81.0

CLI Command “/usr/lib/nagios/plugins/check_ssl_cert -H targetserver -A --sni www.domain2.com” results:

SSL_CERT OK - x509 certificate ‘*.domain2.com’ from ‘COMODO RSA Domain Validation Secure Server CA’ valid until Jun 14 23:59:59 2019 GMT (expires in 110 days)|days=110;;;;

LibreNMS “./check-services.php -d” (ran as librenms user) results:

Nagios Service - 9
Request: ‘/usr/lib/nagios/plugins/check_ssl_cert’ ‘-H’ ‘targetserver’ ‘-A’ ‘–sni’ ‘www.domain2.com’
Perf Data - DS: days, Value: 89, UOM:
Response: SSL_CERT OK - x509 certificate ‘domain1.com’ from ‘Let’s Encrypt Authority X3’ valid until May 25 17:44:44 2019 GMT (expires in 89 days)
Service DS: {
“days”: “”
}

Help!

So yeah, at this point, I don’t understand why I’m getting different behaviour here. It looks literally identical to me. Halp! D:

BloodyIron · 28 February 2019 05:08

Anyone? I really need to get this sorted D:

BloodyIron · 4 March 2019 00:39

bump 10char bump

murrant · 4 March 2019 18:00

It probably has to do with the escaping the script does. (notice the quotes) Try to remove those to pinpoint the issue.

BloodyIron · 4 March 2019 19:27

How do you propose I achieve removing the quotes? I’m not using quotes in the Service configuration via the webGUI. So, not 100% sure what you’re proposing here. Can you clarify?

murrant · 4 March 2019 19:28

Run this command by hand:

'/usr/lib/nagios/plugins/check_ssl_cert' '-H' 'targetserver' '-A' '–sni' 'www.domain2.com'

When you first run it you should get the same output the poller gets.

BloodyIron · 4 March 2019 19:34

By the way, I’d like to clarify the service script actually uses “–sni” (as in two dashes) but I think the forum may have combined it into one when I posted.

When I run the above command at the CLI, as librenms user, it returns the correct cert. I copied your text and replaced with the appropriate variables.

I then re-ran the services python script in debug again, and then it returned the wrong cert.

So now I’m even more confused! @_@

murrant · 4 March 2019 19:37

Don’t run the command I posted. Copy and paste the command from the script debug. You or I are probably unknowingly correcting the error.

BloodyIron · 4 March 2019 19:41

OMFG GUESS WHAT?

TYPO.

www.domian.com equivalent. GO ME

Thanks for your patience! lolool sorry D: