Check HTTP web service

We are not able to integrate some URLs and we do not know yet why we are getting the error “Connection reset by peer (os error 104)” when using the Check HTTP web service to check a URL.

Could anybody push us in the right direction?

CMK version: 2.3.0p6
OS version: Rocky 9

Error message: error sending request for url (…): error trying to connect: Connection reset by peer (os error 104)


Sorry for a maybe simple question here, but: is the URL reachable on the explicit host you bound that test to? With curl?

Basically we first test this with the underlying nagios plugin:

./lib/nagios/plugins/check_http

The plugin also has a verbose switch to show some debugging output.
As soon as we know the parameters we copy it to the rule.

regards

Michael

url is accessible with Curl and I get the result I expect.

This is the result I get directly on the CMK server

Maybe the server rejects it because of an unaccepted header string.
See:

Maybe try:

-A, --useragent=STRING
    String to be sent in http header as "User Agent"

 -T, --content-type=STRING
    specify Content-Type header media type when POSTing

Some questions for you:

  • Is that Microsoft Exchange health check by any chance?

  • Does the self-signed certificate contain your short hostname that you use in the URL https://myshorthostname/healthcheckmk.htm ?

  • Also, when you open this URL in the browser, do you get a browser warning saying that “Its not secure” and "Your connection is not private"?

If the answer to all the 3 questions is Yes, then either your short hostname or FQDN should be part of the certificate, otherwise the check will fail during server name verification.

My answers

  • Is that Microsoft Exchange health check by any chance?

Yes, it is the Exchange health check.

  • Does the self-signed certificate contain your short hostname that you use in the URL https://myshorthostname/healthcheckmk.htm ?

No, the certificate is not self-signed.

  • Also, when you open this URL in the browser, do you get a browser warning saying that “Its not secure” and "Your connection is not private"?

No, we are not getting “Its not secure” and "Your connection is not private".

It is a virtual address, which points to an active Exchange server. As far as I understood, (I have to check how exactly it works.)

No, the certificate is not self-signed.

Maybe you can try uploading the certificate to the trust store and see if that works?
Also, calling check_httpv2 with -vvv will tell you more information about the error.

OMD[yoursite]:~$ ~/lib/nagios/plugins/check_httpv2 --url https://myshorthostname/healthcheckmk.htm -vvv

We are also getting the “connection error: Connection reset by peer (os error 104)” error.
Maybe it is similar, since the webserver is also IIS (IIS 10 on Windows Server 2019).
checkmk Version 2.3.0p9 CEE


./check_httpv2 -vvv --http-version http11 --url https://ccpdev.loc/AIMWebService/V1.1/AIM.asmx
2024-07-31T14:16:31.978806Z TRACE send_request: hyper::client::pool: checkout waiting for idle connection: ("https", ccpdev.loc)
2024-07-31T14:16:31.978901Z DEBUG send_request: reqwest::connect: starting new connection: https://ccpdev.loc/
2024-07-31T14:16:31.978927Z TRACE send_request: hyper::client::connect::http: Http::connect; scheme=Some("https"), host=Some("ccpdev.loc"), port=None
2024-07-31T14:16:31.979218Z DEBUG hyper::client::connect::dns: resolving host="ccpdev.loc"
2024-07-31T14:16:31.981547Z DEBUG send_request: hyper::client::connect::http: connecting to 10....5:443
2024-07-31T14:16:31.983042Z DEBUG send_request: hyper::client::connect::http: connected to 10....5:443
2024-07-31T14:16:31.983068Z DEBUG send_request: rustls::client::hs: No cached session for DnsName("ccpdev.loc")
2024-07-31T14:16:31.983160Z DEBUG send_request: rustls::client::hs: Not resuming any session
2024-07-31T14:16:31.983192Z TRACE send_request: rustls::client::hs: Sending ClientHello Message {
    version: TLSv1_0,
    payload: Handshake {
        parsed: HandshakeMessagePayload {
            typ: ClientHello,
            payload: ClientHello(
                ClientHelloPayload {
                    client_version: TLSv1_2,
                    random: d4f1381d0203c1d8d63e7074cac472a675f147a7fd80cceed00e7ff61d8d0b77,
                    session_id: cc83f3e6d2e0325a4cb50602e72bbef85f7c898cb3632d6ba447f6bd52c7a92e,
                    cipher_suites: [
                        TLS13_AES_256_GCM_SHA384,
                        TLS13_AES_128_GCM_SHA256,
                        TLS13_CHACHA20_POLY1305_SHA256,
                        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
                        TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
                    ],
                    compression_methods: [
                        Null,
                    ],
                    extensions: [
                        SupportedVersions(
                            [
                                TLSv1_3,
                                TLSv1_2,
                            ],
                        ),
                        ECPointFormats(
                            [
                                Uncompressed,
                            ],
                        ),
                        NamedGroups(
                            [
                                X25519,
                                secp256r1,
                                secp384r1,
                            ],
                        ),
                        SignatureAlgorithms(
                            [
                                ECDSA_NISTP384_SHA384,
                                ECDSA_NISTP256_SHA256,
                                ED25519,
                                RSA_PSS_SHA512,
                                RSA_PSS_SHA384,
                                RSA_PSS_SHA256,
                                RSA_PKCS1_SHA512,
                                RSA_PKCS1_SHA384,
                                RSA_PKCS1_SHA256,
                            ],
                        ),
                        ExtendedMasterSecretRequest,
                        CertificateStatusRequest(
                            OCSP(
                                OCSPCertificateStatusRequest {
                                    responder_ids: [],
                                    extensions: ,
                                },
                            ),
                        ),
                        ServerName(
                            [
                                ServerName {
                                    typ: HostName,
                                    payload: HostName(
                                        DnsName(
                                            "ccpdev.loc",
                                        ),
                                    ),
                                },
                            ],
                        ),
                        SignedCertificateTimestampRequest,
                        KeyShare(
                            [
                                KeyShareEntry {
                                    group: X25519,
                                    payload: 8967e0bda73ae55b4ff80d58e909099f5f16eb24f25ec263bc8ce0e04bc90a1d,
                                },
                            ],
                        ),
                        PresharedKeyModes(
                            [
                                PSK_DHE_KE,
                            ],
                        ),
                        Protocols(
                            [
                                ProtocolName(
                                    687474702f312e31,
                                ),
                            ],
                        ),
                        SessionTicket(
                            Request,
                        ),
                    ],
                },
            ),
        },
    },
}
2024-07-31T14:16:31.986272Z TRACE send_request: rustls::client::hs: We got ServerHello ServerHelloPayload {
    legacy_version: TLSv1_2,
    random: 66aa473f6e510cc180ff477529e97319d608410c556d77516a071a764278fe4b,
    session_id: 3a280000f1300ea8ac26126d53afbc0d64497dff460e4a57fefaf6228ed66ee3,
    cipher_suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    compression_method: Null,
    extensions: [
        Protocols(
            [
                ProtocolName(
                    687474702f312e31,
                ),
            ],
        ),
        ExtendedMasterSecretAck,
        RenegotiationInfo(
            ,
        ),
    ],
}
2024-07-31T14:16:31.986319Z DEBUG send_request: rustls::client::hs: ALPN protocol is Some(b"http/1.1")
2024-07-31T14:16:31.986326Z DEBUG send_request: rustls::client::hs: Using ciphersuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2024-07-31T14:16:31.986365Z DEBUG send_request: rustls::client::tls12: ECDHE curve is ECParameters { curve_type: NamedCurve, named_group: secp384r1 }
2024-07-31T14:16:31.986375Z TRACE send_request: rustls::client::tls12: Server cert is [Certificate(....")]  
2024-07-31T14:16:31.986566Z DEBUG send_request: rustls::client::tls12: Server DNS name is DnsName("ccpdev.loc")
2024-07-31T14:16:31.990894Z TRACE send_request: hyper::client::conn: client handshake Http1
2024-07-31T14:16:31.990922Z TRACE send_request: hyper::client::client: handshake complete, spawning background dispatcher task
2024-07-31T14:16:31.991071Z TRACE send_request: hyper::client::pool: checkout dropped for ("https", ccpdev.loc)
2024-07-31T14:16:31.991080Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Init, writing: Init, keep_alive: Busy }
2024-07-31T14:16:31.991208Z TRACE encode_headers: hyper::proto::h1::role: Client::encode method=GET, body=None
2024-07-31T14:16:31.991304Z DEBUG hyper::proto::h1::io: flushed 124 bytes
2024-07-31T14:16:31.991335Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Init, writing: KeepAlive, keep_alive: Busy }
2024-07-31T14:16:31.993488Z TRACE hyper::proto::h1::conn: Conn::read_head
2024-07-31T14:16:31.993583Z  WARN rustls::common_state: Sending warning alert NoRenegotiation
2024-07-31T14:16:31.993712Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Init, writing: KeepAlive, keep_alive: Busy }
2024-07-31T14:16:31.995388Z TRACE hyper::proto::h1::conn: Conn::read_head
2024-07-31T14:16:31.995432Z TRACE hyper::proto::h1::conn: State::close_read()
2024-07-31T14:16:31.995454Z DEBUG hyper::proto::h1::conn: parse error (connection error: Connection reset by peer (os error 104)) with 0 bytes
2024-07-31T14:16:31.995483Z DEBUG hyper::proto::h1::dispatch: read_head error: connection error: Connection reset by peer (os error 104)
2024-07-31T14:16:31.995508Z TRACE hyper::proto::h1::conn: State::close_read()
2024-07-31T14:16:31.995529Z TRACE hyper::proto::h1::conn: State::close_write()
2024-07-31T14:16:31.995551Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Closed, writing: Closed, keep_alive: Disabled }
2024-07-31T14:16:31.995575Z DEBUG rustls::common_state: Sending warning alert CloseNotify
2024-07-31T14:16:31.995605Z DEBUG hyper::proto::h1::conn: error shutting down IO: Broken pipe (os error 32)
2024-07-31T14:16:31.995684Z DEBUG hyper::client::client: client connection error: error shutting down connection: Broken pipe (os error 32)
error sending request for url (https://ccpdev.loc/AIMWebService/V1.1/AIM.asmx): connection error: Connection reset by peer (os error 104) (?)
error sending request for url (https://ccpdev.loc/AIMWebService/V1.1/AIM.asmx): connection error: Connection reset by peer (os error 104) (?)

Checking the URL with the old check_http works fine:

./check_http -u /AIMWebService/V1.1/AIM.asmx --ssl -w 10.000000 -c 15.000000 -t 10 --onredirect=follow -j GET --sni -p 443 -I ccpdev.loc -H ccpdev.loc
HTTP OK: HTTP/1.1 200 OK - 3271 bytes in 0.096 second response time |time=0.095513s;10.000000;15.000000;0.000000;16.000000 size=3271B;;;0;

The same URL with curl works fine:

$ curl --http1.1 -vvv https://ccpdev.loc/AIMWebService/V1.1/AIM.asmx
*   Trying 10.....5...
* TCP_NODELAY set
* Connected to ccpdev.loc (10.....5) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /omd/sites/tst_ssm_ctr/var/ssl/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
...
*  SSL certificate verify ok.
> GET /AIMWebService/V1.1/AIM.asmx HTTP/1.1
> Host: ccpdev.loc
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.2 (IN), TLS handshake, Hello request (0):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
< HTTP/1.1 200 OK
< Cache-Control: private, max-age=0
< Content-Type: text/html; charset=utf-8
< Server: Microsoft-IIS/10.0
< Date: Wed, 31 Jul 2024 14:12:59 GMT
< Content-Length: 3071

I know that checkmk supports only OpenSSL3, but this is quite a new webserver with a CA certificate and TLS 1.2.

Does someone know what can be the issue here?

Best Regards
Thomas
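
Added example, not part of the original posts: a small triage script for the two verbose outputs quoted above. It checks for the sequence both traces show, a server "Hello request" after the HTTP request in the curl output and a NoRenegotiation warning followed by the reset in the check_httpv2 output; rustls, the TLS library visible in that trace, does not implement TLS renegotiation. The sample lines are abridged from the thread and the function names are hypothetical.

```python
import re

# Constructed sample input: lines abridged from the check_httpv2 -vvv and
# curl -vvv outputs quoted in the thread (timestamps shortened).
CHECK_HTTPV2_TRACE = """\
14:16:31.991304Z DEBUG hyper::proto::h1::io: flushed 124 bytes
14:16:31.993583Z  WARN rustls::common_state: Sending warning alert NoRenegotiation
14:16:31.995483Z DEBUG hyper::proto::h1::dispatch: read_head error: connection error: Connection reset by peer (os error 104)
"""
CURL_TRACE = """\
> GET /AIMWebService/V1.1/AIM.asmx HTTP/1.1
* TLSv1.2 (IN), TLS handshake, Hello request (0):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
< HTTP/1.1 200 OK
"""

def first_line(trace, pattern, start=0):
    """Index of the first line at or after `start` matching `pattern`, else None."""
    lines = trace.splitlines()
    return next((i for i in range(start, len(lines)) if re.search(pattern, lines[i])), None)

def triage_rustls(trace):
    """Order of events in a rustls/hyper trace: request sent, alert, reset."""
    sent = first_line(trace, r"flushed \d+ bytes")
    alert = first_line(trace, r"Sending warning alert NoRenegotiation")
    reset = None if alert is None else first_line(trace, r"os error 104", alert)
    return {"request_sent_first": sent is not None and alert is not None and sent < alert,
            "renegotiation_refused": alert is not None,
            "reset_after_refusal": reset is not None}

def triage_curl(trace):
    """Did the server start a second handshake after the request and ask for a cert?"""
    req = first_line(trace, r"^> [A-Z]+ \S+ HTTP/")
    hello = None if req is None else first_line(trace, r"\(IN\), TLS handshake, Hello request \(0\)", req)
    cert = None if hello is None else first_line(trace, r"\(IN\), TLS handshake, Request CERT \(13\)", hello)
    return {"renegotiated_after_request": hello is not None,
            "client_cert_requested": cert is not None}

def diagnose(rustls_trace, curl_trace):
    """Combine both views into one finding, or report that the pattern is absent."""
    r, c = triage_rustls(rustls_trace), triage_curl(curl_trace)
    if all(r.values()) and c["renegotiated_after_request"]:
        why = " to request a client certificate" if c["client_cert_requested"] else ""
        return "server renegotiates TLS 1.2 after the request" + why + "; client refuses, server resets"
    return "pattern not found"

if __name__ == "__main__":
    print(diagnose(CHECK_HTTPV2_TRACE, CURL_TRACE))
```
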
