Module: check_mk
Branch: master
Commit: d895efc27f729de1e2d6621a9e96cc3c5927de71
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=d895efc27f729d…
Author: Moritz Kiemer <mo(a)mathias-kettner.de>
Date: Mon Apr 1 14:44:46 2019 +0200
7387 FIX apache_status: Ignore certificates from local hosts
Previously not all cases of failing certificate verification for
local hosts were handled correctly, which could lead to missing
data for that host.
Instead of handling all cases of invalid certificates we now
omit certificate verification for local addresses entirely.
This only affects the addresses "127.0.0.1", "[::1]", and
"localhost".
Change-Id: I0ffc977ddf60b299f1e262e3c1d8fa45eb56bfc6
---
.werks/7387 | 17 +++++++++++++++++
agents/plugins/apache_status | 17 +++++++++--------
2 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/.werks/7387 b/.werks/7387
new file mode 100644
index 0000000..a817abb
--- /dev/null
+++ b/.werks/7387
@@ -0,0 +1,17 @@
+Title: apache_status: Ignore certificates from local hosts
+Level: 1
+Component: checks
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1554122535
+Class: fix
+
+Previously not all cases of failing certificate verfication for
+local hosts were handled correctly, which could lead to missing
+data for that host.
+Instead of handling all cases of invalid certificates we now
+omit certificate verification for local addresses entirely.
+This only affects the addresses "127.0.0.1", "[::1]", and
+"localhost".
+
diff --git a/agents/plugins/apache_status b/agents/plugins/apache_status
index 658b655..ce5b28f 100755
--- a/agents/plugins/apache_status
+++ b/agents/plugins/apache_status
@@ -126,11 +126,16 @@ def _unpack_server(server):
server.get('page', 'server-status'))
-def no_cert_verification():
+def urlopen_no_cert_verification(url):
+ """urlopen without checking the cert
+
+ workaround if SSL port is found and localhost is using
+ SSL connections but certificate does not match
+ """
context = ssl.create_default_context()
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
- return context
+ return urllib2.urlopen(url, context=context)
def get_response(proto, address, portspec, page):
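Review bot: `urlopen_no_cert_verification` switches off both hostname checking and chain validation for whatever URL it is handed, and nothing inside the helper limits it to loopback targets. That restriction lives only in the caller's `is_local` test, which is computed outside this hunk. The docstring should state the contract, for example `Only call this for loopback addresses; the TLS peer is not authenticated.`, so a later caller does not reuse it for remote servers. Of the three addresses the commit message lists, "localhost" depends on the host's name resolution, so it may be worth confirming that it cannot resolve to a non-loopback address on monitored systems.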
@@ -139,6 +144,8 @@ def get_response(proto, address, portspec, page):
# Try to fetch the status page for each server
try:
request = urllib2.Request(url, headers={"Accept":
"text/plain"})
+ if is_local:
+ return urlopen_no_cert_verification(url)
return urllib2.urlopen(request)
except urllib2.URLError as exc:
if 'unknown protocol' in str(exc):
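Review bot: The local branch passes `url` instead of the `request` built just above it, so the `Accept: text/plain` header is no longer sent for local servers; `return urlopen_no_cert_verification(request)` would keep it, since `urllib2.urlopen` accepts a Request object. The branch also now runs on the first attempt for every local address rather than only after a certificate mismatch. `ssl.create_default_context` and the `context` keyword of `urlopen` exist only from Python 2.7.9 on, so on an older interpreter the resulting AttributeError would not be caught by `except urllib2.URLError`, unless a caller outside the hunk handles it. get_response starts before this hunk and continues after it.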
@@ -147,12 +154,6 @@ def get_response(proto, address, portspec, page):
url = 'http://%s%s/server-status?auto' % (address, portspec)
return urllib2.urlopen(url)
raise
- except Exception as exc:
- if 'doesn\'t match' in str(exc) and is_local:
- # HACK: workaround if SSL port is found and localhost is using
- # SSL connections but certificate does not match
- return urllib2.urlopen(url, context=no_cert_verification())
- raise
def main():