Disable https cert check

CMK version:2.2.0p22
OS version:CentOS 8

Error message:CRITICAL - Cannot make SSL connection.

Output of “cmk --debug -vvn hostname”: (If it is a problem with checks or plugins)

I want to check some appliances like switches. All of them are accessible via https, but all of them use a self-signed certificate, and some of them are outdated.

=> How do I check the website while ignoring a self-signed cert and ignoring the lifetime of the cert?

Hi,

I would split your problem into two separate issues.

  1. Expired certificates … just why … even appliances and/or switches have a way of regenerating/renewing certificates, and there is a very good reason to only deal with valid certificates.
    Read https://www.crowdstrike.com/blog/the-risks-of-expired-ssl-certificates/

  2. If dealing with Self-Signed certificates a/the system checking (in your case CMK) will try to resolve a/the CA-path/certificate which signed the certificate.
    This means you would need to add your self-signed certificate also as a trusted CA-certificate to your CMK-box so when the certificate is checked it can look itself up as CA-certificate.

update
I dug a bit deeper, and tested it on a RockyLinux9.3 box (quite similar to CentOS8).

To start out I had a certificate which, when I tried to pull something over curl, complained about the certificate in use from the box:

[root@monitor ~]# curl https://testbox.mydomain.test
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

To solve this issue I needed to add the certificate to the CA-truststore on the system, so that curl no longer complains about the issuer.

Commandline used to solve it:

 openssl s_client -connect testbox.mydomain.test:443 -showcerts 2>/dev/null </dev/null | awk '/^.*'"testbox.mydomain.test"'/,/-----END CERTIFICATE-----/{next;}/-----BEGIN/,/-----END CERTIFICATE-----/{print}' >>/etc/pki/tls/certs/ca-bundle.crt

After this I tested again if curl was still complaining… it was not, so now the system trusts the (self-signed) certificate.

hope it helps,

  • Glowsome
2 Likes
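
As an added example (not part of the original post, and not Checkmk's own tooling): the same fetch-and-trust step done through the EL trust-anchor directory and `update-ca-trust`, showing the SHA-256 fingerprint for comparison with the device before anything is trusted. On these systems `ca-bundle.crt` is generated output, so an anchor installed this way is still there after the bundle is regenerated. The function names, the `.pem` file name and the sample `s_client` text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names, the sample text
# and the file name under the anchors directory are assumptions.

# Print the N-th PEM certificate from `openssl s_client -showcerts` output on
# stdin. 1 is the certificate the server itself presented.
nth_cert() {
    awk -v n="$1" '
        /-----BEGIN CERTIFICATE-----/ { c++; p = (c == n) }
        p                             { print }
        /-----END CERTIFICATE-----/   { p = 0 }'
}

# Count the certificates in the same kind of input.
cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----'; }

# Constructed sample of s_client output; the base64 bodies are placeholders.
sample_showcerts() {
    cat <<'EOF'
Certificate chain
 0 s:CN = testbox.mydomain.test
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
QUFBQQ==
-----END CERTIFICATE-----
 1 s:CN = Example Internal CA
   i:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
QkJCQg==
-----END CERTIFICATE-----
EOF
}

# Fetch, display, confirm, then install as a local trust anchor (run as root).
install_anchor() {
    ia_host=$1; ia_n=${2:-1}; ia_tmp=$(mktemp) || return 1
    openssl s_client -connect "$ia_host:443" -servername "$ia_host" \
        -showcerts </dev/null 2>/dev/null | nth_cert "$ia_n" >"$ia_tmp"
    # Compare this fingerprint with the one shown on the device before trusting it.
    openssl x509 -in "$ia_tmp" -noout -subject -issuer -enddate \
        -fingerprint -sha256 || { rm -f "$ia_tmp"; return 1; }
    printf 'Trust this certificate? [y/N] '; read -r ia_ok
    [ "$ia_ok" = y ] &&
        install -m 0644 "$ia_tmp" "/etc/pki/ca-trust/source/anchors/$ia_host.pem" &&
        update-ca-trust extract
    ia_rc=$?; rm -f "$ia_tmp"; return "$ia_rc"
}

if [ -n "${1:-}" ]; then install_anchor "$@"; fi
```

Called with a host name and an optional chain position, for example `sh trust-anchor.sh testbox.mydomain.test 2` (the script name is hypothetical), it installs the second certificate in the chain instead of the server's own.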
