CRITICAL - Cannot make SSL connection when checking Certificate age

Troubleshooting
1

CMK version:
2.2.0p22.cre
OS version:
Debian Buster
Error message:
CRITICAL - Cannot make SSL connection when checking Certificate age
Output of “cmk --debug -vvn hostname”: (If it is a problem with checks or plugins)
Checkmk version 2.2.0p22

  • FETCHING DATA

Source: SourceInfo(hostname=‘host’, ipaddress=‘10.10.10.10’, ident=‘piggyback’, fetcher_type=<FetcherType.PIGGYBACK: 4>, source_type=<SourceType.HOST: 1>)

[cpu_tracking] Start [7fa85b4a8a10]

Read from cache: NoCache(host, path_template=/dev/null, max_age=MaxAge(checking=0.0, discovery=0.0, inventory=0.0), simulation=False, use_only_cache=False, file_cache_mode=1)

[PiggybackFetcher] Execute data source

No piggyback files for ‘host’. Skip processing.

No piggyback files for ‘10.10.10.10’. Skip processing.

[cpu_tracking] Stop [7fa85b4a8a10 - Snapshot(process=posix.times_result(user=0.0, system=0.0, children_user=0.0, children_system=0.0, elapsed=0.0))]

  • PARSE FETCHER RESULTS

HostKey(hostname=‘host’, source_type=<SourceType.HOST: 1>) → Add sections:

Received no piggyback data

[cpu_tracking] Start [7fa85b9668d0]

value store: synchronizing

Trying to acquire lock on /omd/sites/P13000/tmp/check_mk/counters/host

Got lock on /omd/sites/P13000/tmp/check_mk/counters/host

value store: loading from disk

Releasing lock on /omd/sites/P13000/tmp/check_mk/counters/host

Released lock on /omd/sites/P13000/tmp/check_mk/counters/host

No piggyback files for ‘host’. Skip processing.

No piggyback files for ‘10.10.10.10’. Skip processing.

[cpu_tracking] Stop [7fa85b9668d0 - Snapshot(process=posix.times_result(user=0.0, system=0.0, children_user=0.0, children_system=0.0, elapsed=0.0))]

[piggyback] Success (but no data found for this host), execution time 0.0 sec | execution_time=0.000 user_time=0.000 system_time=0.000 children_user_time=0.000 children_system_time=0.000 cmk_time_agent=0.000

rule:

Service name: cert
Host settings:
TCP Port: 443
Virtual host: $HOSTADDRESS$
Mode of the Check: Check SSL Certificate Age,
Age: 90 days, 60 days
Advanced: Disable SSL/TLS hostname extension support (SNI):

Site is behind nginx reverse proxy

Any direction on how to solve this, highly appreciated

2

A little bit better description of your problem would be good. I don’t see any error message or useful information.
The agent output is not relevant if you have a problem with an active check like HTTP/HTTPS. But this output would be very interesting.

3

Reverse proxies often provide a number of webservices available under one external ip. For this to work, you must make usage of SNI.

So with the few bits of information that you have given us, I suggest to enable SNI and replace $HOSTADDRESS$ with $HOSTNAME$ where hostname would be the FQDN that’s also in the CN of the certificate or at least in the SAN entry.

Regards
Simon

2 Likes
4

Helloooooo

That indeed did the trick, many thanks for this very fast and professional answer.

Best,
rene

5

You’re welcome.

Happy monitoring!

6

Hello Rene.

If Simon’s reply resolved your question, could I please ask you to mark it as a solution? It helps everyone else to see the question is resolved and in a way it says thank you to Simon :slight_smile:

4 Likes
7

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.