Module: check_mk
Branch: master
Commit: fcb7d0269ae0cb7009f14f63d24df6c32d7bb9df
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=fcb7d0269ae0cb…
Author: Moritz Kiemer <mo(a)mathias-kettner.de>
Date: Tue Nov 13 09:26:45 2018 +0100
6902 FIX apache_status: Ignore certificate for localhost
If a https server at 127.0.0.1 or [::1] is checked, ignore the certificate in
case the name does not match.
Previously we tried to contact the server via http on port 80 instead,
but the server may not be listening on that port.
You need to change the protocol to http if you are monitoring a https
server that also listens on port 80 and the server's address is not
either the address the certificate was issued for or one of
127.0.0.1, [::1] and "localhost".
Change-Id: I2db8af14aeb238494e558358c07d27f7733fa8cb
---
.werks/6902 | 19 +++++++++++++++++++
agents/plugins/apache_status | 14 +++++++-------
2 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/.werks/6902 b/.werks/6902
new file mode 100644
index 0000000..4c5eb7e
--- /dev/null
+++ b/.werks/6902
@@ -0,0 +1,19 @@
+Title: apache_status: Ignore certificate for localhost
+Level: 1
+Component: checks
+Compatible: incomp
+Edition: cre
+Version: 1.6.0i1
+Date: 1542097441
+Class: fix
+
+If a https server at 127.0.0.1 or [::1] is checked, ignore the certificate in
+case the name does not match.
+
+Previously we tried to contact the server via http on port 80 instead,
+but the server may not be listening on that port.
+
+You need to change the protocol to http if you are monitoring a https
+server that also listenes on port 80 and the servers address is not
+either the address the certificate was issued for or one of
+127.0.0.1, [::1] and "localhost".
diff --git a/agents/plugins/apache_status b/agents/plugins/apache_status
index 07e7de3..693a31c 100755
--- a/agents/plugins/apache_status
+++ b/agents/plugins/apache_status
@@ -46,6 +46,7 @@ import re
import socket
import sys
import urllib2
+import ssl
config_dir = os.getenv("MK_CONFDIR", "/etc/check_mk")
config_file = config_dir + "/apache_status.conf"
@@ -62,9 +63,7 @@ socket.setdefaulttimeout(5.0)
# None or list of (proto, ipaddress, port) tuples.
# proto is 'http' or 'https'
servers = None
-ssl_ports = [
- 443,
-]
+ssl_ports = [443]
if os.path.exists(config_file):
execfile(config_file)
@@ -150,12 +149,13 @@ for server in servers:
else:
raise
except Exception, e:
- if 'doesn\'t match' in str(e):
+ if 'doesn\'t match' in str(e) and address in
("127.0.0.1", "[::1]", "localhost"):
# HACK: workaround if SSL port is found and localhost is using
# SSL connections but certificate does not match
- portspec = ':80'
- url = 'http://%s%s/server-status?auto' % (address, portspec)
- fd = urllib2.urlopen(url)
+ no_cert_context = ssl.create_default_context()
+ no_cert_context.check_hostname = False
+ no_cert_context.verify_mode = ssl.CERT_NONE
+ fd = urllib2.urlopen(url, context=no_cert_context)
else:
raise
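Review bot: The fallback line `no_cert_context.verify_mode = ssl.CERT_NONE` turns off all certificate validation, which is wider than the commit message's "ignore the certificate in case the name does not match". The branch is only entered when the error text contains `doesn't match`, which as far as I can tell is raised after the chain has already validated, so `no_cert_context.check_hostname = False` alone should be enough and the `verify_mode` line could be dropped. Matching on `str(e)` is also brittle; catching `ssl.CertificateError` explicitly would be clearer if the Python versions the agent plugin supports provide it. A short comment stating the scope of the relaxation would help the next reader, e.g. `# loopback only: the certificate name cannot match 127.0.0.1/[::1]/localhost`. The enclosing try/except starts outside this hunk, so how `url` and `address` are built is not visible here.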