Cannot make SSL connection Error for check-http Only

Thank you for providing the path to the check script Thomas. It allowed me to do some additional troubleshooting that identified the issue.

OMD[cama]:~$ ~/lib/nagios/plugins/check_http '-u' '/healthcheck/healthcheck.html' '--ssl' '--extended-perfdata' '-j' 'HEAD' '--sni' '1.2.3.4' 'hostname.domain.com' -v
CRITICAL - Cannot make SSL connection.
140682615199552:error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:ssl/record/rec_layer_s3.c:1543:SSL alert number 112
SSL initialized
OMD[cama]:~$ ~/lib/nagios/plugins/check_http '-u' '/healthcheck/healthcheck.html' '--ssl' '--extended-perfdata' '-j' 'HEAD' '--sni' '1.2.3.4' 'hostname.domain.com' -vv
CRITICAL - Cannot make SSL connection.
139730567477056:error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:ssl/record/rec_layer_s3.c:1543:SSL alert number 112
SSL initialized
OMD[cama]:~$ ~/lib/nagios/plugins/check_http '-u' '/healthcheck/healthcheck.html' '--ssl' '--extended-perfdata' '-j' 'HEAD' '--sni' '1.2.3.4' 'uathostname.domain.com' -vv
SSL initialized
HEAD /healthcheck/healthcheck.html HTTP/1.1
User-Agent: check_http/v2.3.2 (monitoring-plugins 2.3.2)
Connection: close
Host: uathostname.domain.com


https://1.2.3.4:443/healthcheck/healthcheck.html is 311 characters
STATUS: HTTP/1.1 200 OK
**** HEADER ****
Content-Length: 3
Content-Type: text/html
Last-Modified: Fri, 03 Mar 2023 17:07:58 GMT
Accept-Ranges: bytes
ETag: "0abe9b3f24dd91:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
X-Frame-Options: SAMEORIGIN
Date: Mon, 20 Mar 2023 14:54:06 GMT
Strict-Transport-Security: max-age=0
**** CONTENT ****

HTTP OK: HTTP/1.1 200 OK - 311 bytes in 0.202 second response time |time=0.202088s;;;0.000000;10.000000 size=311B;;;0; time_connect=0.038536s;;;;10.000000 time_ssl=0.083125s;;;;10.000000 time_headers=0.000008s;;;;10.000000 time_firstbyte=0.080267s;;;;10.000000 time_transfer=0.080283s;;;;10.000000

It seems there is an incompatibility between the way Checkmk/Nagios use SSL and our specific NetScaler implementation.

For reasons I won’t get into, the Checkmk rule that defines this check uses the production Virtual Host name across all environments. The production name is not a valid SNI name on the UAT NetScaler, resulting in the unrecognized name error we are seeing.

Strangely, the check works fine for our QA environment, even though the production name is not a valid SNI name there either.

I think what is happening in our UAT environment is that it is actually the NetScaler that is throwing the exception when it cannot find a certificate to serve in response to the request’s SNI value. We’re using HAProxy for the QA environment and it is probably falling back to the default certificate when there is no SNI match.

We updated the rule to use the environment-specific name for the service and now all monitors are working as intended.

Thank you again Anders and Thomas for getting me pointed in the right direction.

Regards,
Jason

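To separate the two behaviours described above (a front end that answers a non-matching SNI name with a fatal unrecognized_name alert, versus one that silently falls back to a default certificate), it helps to look at the first TLS record the server sends rather than at OpenSSL's error string. The following is an added example, not code from the post or from monitoring-plugins: it hand-builds a minimal TLS 1.2 ClientHello carrying only a server_name extension, sends it, and classifies the reply. The address `1.2.3.4` and the host names are taken from the post as placeholders; the `probe()` call at the bottom is an assumed usage pattern, not something the original check does.

```python
"""
Probe how a TLS front end reacts to a given SNI name.

Added example (not from the original post or from check_http). Sends a
minimal TLS 1.2 ClientHello with a server_name extension and classifies the
server's first record:
  alert 112 (unrecognized_name)  -> strict SNI handling (the NetScaler case)
  ServerHello                    -> accepted, or fell back to a default cert
Host names and the IP below are placeholders copied from the post.
"""
import socket
import struct

TLS_ALERT = 0x15
TLS_HANDSHAKE = 0x16
ALERT_UNRECOGNIZED_NAME = 112  # AlertDescription from RFC 6066 section 3

# A handful of widely supported TLS 1.2 suites, enough for a server to answer.
CIPHER_SUITES = bytes.fromhex("c02fc030c02bc02c009c009d002f0035")


def build_client_hello(sni: str) -> bytes:
    """Return one TLS record holding a minimal TLS 1.2 ClientHello with SNI."""
    host = sni.encode("idna")
    # ServerNameList: one entry, name_type 0 (host_name), 16-bit length, name
    server_name_list = struct.pack("!BH", 0, len(host)) + host
    sni_ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
    # Extension type 0 is server_name; this is the only extension we send.
    extensions = struct.pack("!HH", 0, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + bytes(32)                                   # random: zeros, this is a probe only
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"                                 # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    # Handshake header: msg_type 1 (ClientHello) + 24-bit body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type, legacy version 0x0301, 16-bit length
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def classify_response(record: bytes) -> str:
    """Classify the first TLS record a server sent back after our ClientHello."""
    if len(record) < 5:
        return "no-response"           # closed/reset without a TLS record
    content_type, _version, length = struct.unpack("!BHH", record[:5])
    payload = record[5:5 + length]
    if content_type == TLS_ALERT and len(payload) >= 2:
        _level, description = payload[0], payload[1]
        if description == ALERT_UNRECOGNIZED_NAME:
            return "alert-unrecognized_name"   # what the UAT NetScaler sends
        return f"alert-{description}"          # e.g. 40 handshake_failure, 70 protocol_version
    if content_type == TLS_HANDSHAKE and payload[:1] == b"\x02":
        return "server_hello"                  # handshake continues; cert may still mismatch
    return "unexpected"


def probe(host: str, port: int, sni: str, timeout: float = 5.0) -> str:
    """Connect to host:port, offer `sni`, and classify the server's first record."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_client_hello(sni))
            return classify_response(s.recv(4096))
    except (socket.timeout, OSError):
        return "no-response"


if __name__ == "__main__":
    # Assumed usage: compare the production name against the environment name
    # on the same VIP, as the post describes. 1.2.3.4 is a placeholder.
    for name in ("hostname.domain.com", "uathostname.domain.com"):
        print(f"{name:28s} -> {probe('1.2.3.4', 443, name)}")
```

A `server_hello` result only tells you the front end was willing to continue; it does not prove the certificate it will present matches the name, so a full check such as check_http (or `openssl s_client -servername`) is still needed for that. The value of the raw probe is the negative case: an `alert-unrecognized_name` reply before any ServerHello is exactly the "Cannot make SSL connection ... SSL alert number 112" seen above, and it points at the load balancer's SNI configuration rather than at the certificate or the monitoring plugin.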