[root@chi plugins]# '/usr/lib64/nagios/plugins/check_http' '-C' '15,30' '-I' '99.830.700.184' '-S' '-p' '443'
SSL OK - Certificate 'localhost' will expire on 2018-12-14 02:20 +0000/UTC. HTTP WARNING: HTTP/1.1 404 Not Found - 226 bytes in 0.156 second response time |time=0.155850s;;;0.000000 size=226B;;;0
I need to suppress the HTTP 404 warning. If there's another plugin that can do this, I'd like to know about it. (I can't change anything on the webserver.)
You can use the same plugin, but add -e 404, so it will look like:
[root@chi plugins]# '/usr/lib64/nagios/plugins/check_http' '-C' '15,30' '-I' '99.830.700.184' '-S' '-p' '443' '-e' '404'
The -e 404 flag suppresses the 404 error code.
I used the tcp command (check_tcp plugin) instead. I should have been using check_tcp all along.
In my /etc/icinga2/zones.d/global-templates/global-commands.conf file I added
apply Service "HTTPS/8443: Secure Management Interface" {
  import "generic-service"
  check_command = "tcp"
  vars.tcp_port = "8443"
  vars.tcp_ssl = true
  // tcp_timeout was assigned twice (60, then 30); the later assignment wins, so only 30 is kept
  vars.tcp_timeout = 30
  vars.tcp_ipv4 = true
  vars.tcp_ipv6 = false
  assign where host.vars.devtype == "dadada"
}
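As an added example (not the check_http or check_tcp plugin code, and not part of either answer), the following Python script re-implements the two decisions the thread turns on: certificate-expiry thresholds in the order check_http's -C option documents them (warn first, then crit) and an allowlist of HTTP status codes that should count as OK, which is what -e 404 does. Host, port and the accepted codes are command-line arguments; the two decision functions are pure so they can be exercised offline.

```python
"""HTTPS liveness plus certificate-expiry check with Nagios-style exit codes."""
import socket
import ssl
import sys
import time

# Nagios / Icinga plugin exit codes; max() of two states picks the worse one
OK, WARNING, CRITICAL = 0, 1, 2
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}


def cert_state(days_left, warn_days, crit_days):
    """Days until expiry -> state. Thresholds are taken warn first, then crit,
    so warn_days should be the larger number (e.g. 30,15)."""
    if days_left < 0:
        return CRITICAL, "certificate expired %d day(s) ago" % -days_left
    if days_left <= crit_days:
        return CRITICAL, "certificate expires in %d day(s)" % days_left
    if days_left <= warn_days:
        return WARNING, "certificate expires in %d day(s)" % days_left
    return OK, "certificate valid for %d more day(s)" % days_left


def http_state(status_line, expected=("200",)):
    """Status line -> state. Any code in `expected` counts as OK (the -e 404 trick):
    a management interface that only answers on a deeper path is still up."""
    parts = status_line.split()
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        return CRITICAL, "invalid status line %r" % status_line
    code = parts[1]
    if code in expected:
        return OK, "HTTP %s (expected)" % code
    if code.startswith("5"):
        return CRITICAL, "HTTP %s" % code
    return WARNING, "HTTP %s" % code


def check_https(host, port=443, warn_days=30, crit_days=15, expected=("200",), path="/"):
    """Connect with full chain and hostname verification, then combine both checks."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # notAfter is only present because verify_mode is CERT_REQUIRED
                not_after = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
                days_left = int((not_after - time.time()) // 86400)
                # HTTP/1.0 so the server closes after answering the HEAD
                tls.sendall(("HEAD %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)).encode())
                status_line = tls.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
    except (OSError, KeyError) as exc:
        return CRITICAL, "connection failed: %s" % exc
    c_state, c_text = cert_state(days_left, warn_days, crit_days)
    h_state, h_text = http_state(status_line, expected)
    return max(c_state, h_state), "%s; %s" % (c_text, h_text)


if __name__ == "__main__":
    # usage: check_https.py HOST [PORT] [ACCEPTED_CODE ...]   e.g. host 8443 200 404
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    state, text = check_https(sys.argv[1], port, expected=tuple(sys.argv[3:]) or ("200",))
    print("%s - %s" % (STATE_NAMES[state], text))
    sys.exit(state)
```

Unlike the check_tcp approach in the second answer, this still verifies the certificate chain and hostname, so a self-signed or wrong-name certificate on the management interface shows up as CRITICAL instead of being silently accepted.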
I'm trying to build OpenCog from here and when I issue this command
octool -rdcpav -l default
It builds everything but it then gets to the step of installing Link-Grammar and this happens
[octool] Installing Link-Grammar....
--2020-06-13 10:09:36-- http://www.abisource.com/downloads/link-grammar/current/
Resolving www.abisource.com (www.abisource.com)... 130.89.149.216
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://www.abisource.com/downloads/link-grammar/current/ [following]
--2020-06-13 10:09:37-- https://www.abisource.com/downloads/link-grammar/current/
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:443... connected.
OpenSSL: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol
Unable to establish SSL connection.
I'm on ubuntu 20.04 LTS
www.abisource.com supports only TLS version 1.0, which is now broken (or at least weakened) and way obsolete. According to its headers it is Apache 2.2.15 (Fedora) which dates from 2010!
This therefore appears to be the same problem as OpenSSL v1.1.1 ssl_choose_client_version unsupported protocol except Ubuntu instead of Debian and wget (used by octool) instead of openvpn. Try the accepted answer there: edit /etc/ssl/openssl.cnf under [system_default_sect] to downgrade MinProtocol=TLSv1 and possibly CipherString=DEFAULT:@SECLEVEL=1 -- the server's DHE key is 1k, and I don't recall if that works at level 2, although its cert is absurdly RSA 4k!
UPDATE: Okay, I downloaded and installed Ubuntu 20.04 including source for libssl1.1 and looked at it, and they did NOT keep the Debian approach here, they changed it. Specifically, they didn't change the openssl.cnf file to require TLSv1.2, instead they compiled OpenSSL/libssl to make the default SECLEVEL 2 and to have SECLEVEL 2 force TLSv1.2 (which it doesn't upstream).
However, you can still fix it by adding the desired (weak) configuration to openssl.cnf:
somewhere in the default section, i.e. before the first line beginning with [, add a line
openssl_conf = openssl_configuration
I like putting it at the very top, but that's just me.
Technically at any section boundary, but by far easiest at the end, add three new sections:
[openssl_configuration]
ssl_conf = ssl_configuration
[ssl_configuration]
system_default = tls_system_default
[tls_system_default]
CipherString = DEFAULT:@SECLEVEL=1
Note that since MinProtocol wasn't already there you don't need to add it (the code default is okay) but you can if you want.
Now it works:
$ wget https://www.abisource.com/
--2020-06-20 05:11:11-- https://www.abisource.com/
Resolving www.abisource.com (www.abisource.com)... 130.89.149.216
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7687 (7.5K) [text/html]
Saving to: ‘index.html’
index.html 100%[===================>] 7.51K --.-KB/s in 0.002s
2020-06-20 05:11:12 (3.90 MB/s) - ‘index.html’ saved [7687/7687]
This is, as you commented, a global change. You can change it for this specific operation by editing your copy of octool to add the option --ciphers=DEFAULT:@SECLEVEL=1 to the wget command(s). With the original openssl.cnf:
$ wget --ciphers=DEFAULT:@SECLEVEL=1 https://www.abisource.com/
--2020-06-20 05:15:21-- https://www.abisource.com/
Resolving www.abisource.com (www.abisource.com)... 130.89.149.216
Connecting to www.abisource.com (www.abisource.com)|130.89.149.216|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7687 (7.5K) [text/html]
Saving to: ‘index.html.1’
index.html.1 100%[===================>] 7.51K --.-KB/s in 0s
2020-06-20 05:15:22 (330 MB/s) - ‘index.html.1’ saved [7687/7687]
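An added example, in Python rather than wget and not part of the answer above or of octool: it pins exactly one TLS protocol version per handshake against the host from the thread, so the "supports only TLS version 1.0" claim can be verified directly, and it applies the same SECLEVEL adjustment through the ssl module instead of openssl.cnf. Certificate verification is switched off because this is a negotiation probe only; the host and port are the thread's, the security-level numbers are OpenSSL's documented ones.

```python
"""Probe which TLS protocol versions a server will negotiate, one handshake per version."""
import socket
import ssl
import warnings

# Name -> ssl.TLSVersion member, oldest first
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1_1": ssl.TLSVersion.TLSv1_1,
    "TLSv1_2": ssl.TLSVersion.TLSv1_2,
    "TLSv1_3": ssl.TLSVersion.TLSv1_3,
}


def pinned_context(version_name, seclevel=None):
    """Client context that negotiates exactly one protocol version.

    Verification is disabled on purpose: this is a probe, never a way to talk to
    the server. `seclevel` is spliced into the cipher string exactly as the
    answer does in openssl.cnf ('DEFAULT:@SECLEVEL=1'); upstream OpenSSL 3.x
    additionally requires level 0 before it will speak TLS 1.0 or 1.1.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if seclevel is not None:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=%d" % seclevel)
    with warnings.catch_warnings():
        # Python 3.10+ warns when TLS 1.0/1.1 are selected; that is the point here
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = VERSIONS[version_name]
        ctx.maximum_version = VERSIONS[version_name]
    return ctx


def version_range(ctx):
    """(min, max) protocol names a context will negotiate, e.g. ('TLSv1', 'TLSv1')."""
    return ctx.minimum_version.name, ctx.maximum_version.name


def probe(host, port=443, seclevel=0):
    """Try every version; returns {name: 'ok <negotiated>' or 'fail <reason>'}."""
    results = {}
    for name in VERSIONS:
        try:
            ctx = pinned_context(name, seclevel)
            with socket.create_connection((host, port), timeout=10) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = "ok %s" % tls.version()
        except ssl.SSLError as exc:
            # client-side 'unsupported protocol' or a server 'protocol version' alert
            results[name] = "fail %s" % (exc.reason or exc)
        except OSError as exc:
            results[name] = "fail %s" % exc
    return results


if __name__ == "__main__":
    for name, outcome in probe("www.abisource.com").items():
        print("%-8s %s" % (name, outcome))
```

Run with seclevel=2 (the Ubuntu 20.04 default described in the answer) and the TLSv1 row fails on the client before any packet is sent, which is the wget symptom in the question; with seclevel=1 or 0 the failure, if any, comes from the server and tells you what it actually supports.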
I'm starting to learn Ansible but the documentation is not too helpful.
I have installed the control machine on RHEL and created the necessary hosts file and windows.yml.
But when trying to connect to the remote Windows server to get a pong back I get the following error:
[root@myd666 ansible_test]# ansible windows -i hosts -m win_ping
hostname | UNREACHABLE! => {
"changed": false,
"msg": "ssl: the specified credentials were rejected by the server",
"unreachable": true
}
After Installing python-kerberos dependencies,
I now get this Error:
hostname | UNREACHABLE! => {
"changed": false,
"msg": "Kerberos auth failure: kinit: KDC reply did not match expectations while getting initial credentials",
"unreachable": true
}
My windows.yml file contains:
# it is suggested that these be encrypted with ansible-vault:
# ansible-vault edit group_vars/windows.yml
ansible_ssh_user: user@MYDOMAIN.NET
ansible_ssh_pass: password
ansible_ssh_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore
Am I doing anything wrong with the syntax of Domain\user? Maybe I forgot to install something on the Windows machine? I only ran the ConfigureRemotingForAnsible.ps1 script, and Python is not installed there.
This is my krb5.conf file:
[libdefaults]
default_realm = MYDOMAIN.NET
#dns_lookup_realm = true
#dns_lookup_kdc = true
[realms]
MYDOMAIN.NET = {
kdc = dc1.mydomain.net
default_domain = hpeswlab.net
}
[domain_realm]
.mydomain.net = MYDOMAIN.NET
mydomain.net = MYDOMAIN.NET
And I do get a token using Kinit:
kinit -C user@MYDOMAIN.NET
klist
Klist output:
Valid starting Expires Service principal
01/31/2017 11:25:33 01/31/2017 21:25:33 krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
renew until 02/01/2017 11:25:29
In windows.yml, please double-check and ensure that the ansible_ssh_user: user@MYDOMAIN.NET line does indeed have the realm MYDOMAIN.NET in upper case. Somewhere, the realm request to the KDC is being sent in lower case instead of upper case causing the 'KDC reply did not match expectations..' error.
In krb5.conf, case-sensitivity is also important. First I'll note that the KDC name is the name of an IP host, so it needs to be specified as a fully-qualified host name, as in the example shown below. It assumes your KDC is named "dc1.mydomain.net". Next, the domain name should only be in lower case. On the other hand, Kerberos realm names need to be in upper case; if the realm name is incorrectly specified in lower case in this file, that is another reason you may get this error message. Please modify your entire krb5.conf to look like that shown below (changing only "dc1" to the actual name) and it should work.

Side note: You do not necessarily need the two dns_lookup_ lines in your krb5.conf, so please comment them out per the below. Those are fallback mechanisms only, as per the MIT Kerberos documentation, and may actually cause issues in your simple use case. After modifying either configuration file, make sure to restart the Ansible engine before testing again.
[libdefaults]
default_realm = MYDOMAIN.NET
#dns_lookup_realm = true
#dns_lookup_kdc = true
[realms]
MYDOMAIN.NET = {
kdc = dc1.mydomain.net
default_domain = mydomain.net
}
[domain_realm]
.mydomain.net = MYDOMAIN.NET
mydomain.net = MYDOMAIN.NET
Please refer to this MIT reference for how to properly set up the krb5.conf: Sample krb5.conf File
In the Hosts file, check to ensure your IP to name mappings are correct. Per the RFCs, Kerberos requires a properly functioning DNS, and you are at risk of shortchanging that if your Hosts file has outdated entries in it.
Finally, though I wasn't able to tell which version of Ansible you were using, I did some research and found that "Ansible 2.0 has deprecated the “ssh” from ansible_ssh_user, ansible_ssh_host, and ansible_ssh_port to become ansible_user, ansible_host, and ansible_port." This could certainly be part of the problem. See: Ansible on Windows Documentation
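An added example, not Ansible or MIT Kerberos code: a small linter for the rules this answer lays out. It parses the subset of krb5.conf used in the thread ([sections], key = value, and REALM = { ... } blocks) and flags a realm that is not upper case, a KDC that is not a lower-case fully-qualified host name, a principal whose realm is lower case or differs from default_realm, and a default_domain that has no [domain_realm] mapping back to its realm. The two configs embedded below are constructed from the question and from this answer; "hpeswlab.net" is the value the poster had, not an assumption of mine.

```python
"""Lint krb5.conf and a Kerberos principal for realm/host case and naming rules."""
import re

FQDN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")  # lower-case, at least one dot


def parse_krb5_conf(text):
    """Return {section: {key: value | {key: value}}} for the supported subset."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":
            block = None
        elif line.endswith("{"):  # e.g. 'MYDOMAIN.NET = {'
            block = line[:-1].split("=", 1)[0].strip()
            conf[section][block] = {}
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf


def lint(conf, principal):
    """Return a list of findings; an empty list means the answer's rules all hold."""
    findings = []
    user, sep, realm = principal.partition("@")
    if not sep or not user:
        findings.append("principal %r must be user@REALM" % principal)
    elif realm != realm.upper():
        findings.append("principal realm %r must be upper case" % realm)
    default_realm = conf.get("libdefaults", {}).get("default_realm", "")
    if default_realm != default_realm.upper():
        findings.append("default_realm %r must be upper case" % default_realm)
    if sep and realm.upper() != default_realm.upper():
        findings.append("principal realm %r differs from default_realm %r" % (realm, default_realm))
    realms = conf.get("realms", {})
    domain_realm = conf.get("domain_realm", {})
    if default_realm not in realms:
        findings.append("no [realms] entry for default_realm %r" % default_realm)
    for name, settings in realms.items():
        if not isinstance(settings, dict):
            continue
        if name != name.upper():
            findings.append("realm %r in [realms] must be upper case" % name)
        kdc = settings.get("kdc", "")
        if not FQDN.match(kdc):
            findings.append("kdc %r for %s must be a lower-case fully-qualified host name" % (kdc, name))
        domain = settings.get("default_domain")
        if domain and domain_realm.get(domain) != name:
            findings.append("default_domain %r of %s has no [domain_realm] mapping to it" % (domain, name))
    for domain, mapped in domain_realm.items():
        if domain != domain.lower() or mapped != mapped.upper():
            findings.append("[domain_realm] %s = %s: domain lower case, realm upper case" % (domain, mapped))
    return findings


def lint_text(text, principal):
    return lint(parse_krb5_conf(text), principal)


# Constructed from the question: default_domain points at an unrelated domain.
POSTED_CONF = """\
[libdefaults]
default_realm = MYDOMAIN.NET
#dns_lookup_realm = true
#dns_lookup_kdc = true
[realms]
MYDOMAIN.NET = {
kdc = dc1.mydomain.net
default_domain = hpeswlab.net
}
[domain_realm]
.mydomain.net = MYDOMAIN.NET
mydomain.net = MYDOMAIN.NET
"""
# The file as corrected in the answer
FIXED_CONF = POSTED_CONF.replace("hpeswlab.net", "mydomain.net")

if __name__ == "__main__":
    for label, text, principal in (("posted", POSTED_CONF, "user@MYDOMAIN.NET"),
                                   ("fixed", FIXED_CONF, "user@MYDOMAIN.NET"),
                                   ("lower-case realm", FIXED_CONF, "user@mydomain.net")):
        print(label, "->", lint_text(text, principal) or "OK")
```

Running it on the posted file reports only the default_domain mismatch; on the corrected file it reports nothing, and a principal written as user@mydomain.net is caught before kinit ever talks to the KDC.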
How is tcllib's autoproxy supposed to work with tls support? I've read the documentation and taken the following minimal example from it but I just can't get it to make any https connections whatsoever:
#!/usr/bin/tclsh
package require autoproxy
package require http
package require tls
::autoproxy::init
::http::register https 443 [list ::autoproxy::tls_socket -tls1 1]
#::http::register https 443 [list ::tls::socket -tls1 1]
set token [::http::geturl "https://example.com/" -validate 1]
puts [::http::meta $token]
::http::cleanup $token
which results in:
handshake failed: resource temporarily unavailable
while executing
"::http::geturl "https://example.com/" -validate 1"
invoked from within
"set token [::http::geturl "https://example.com/" -validate 1]"
(file "./https.tcl" line 9)
I have no proxy servers defined via the http_proxy envvar and when using ::tls::socket directly it works fine. I'm using tcl 8.6.1, tcllib 1.15, and tls 1.6.
How to make sure SSL is enabled properly on Active Directory server?
On server itself if I run ldp, I think I can connect on 636 port.
I see something like this in output:
ld = ldap_sslinit("localhost", 636, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
Error <0x0> = ldap_connect(hLdap, NULL);
Error <0x0> = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 128 bits
Established connection to localhost.
Retrieving base DSA information...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn:
**** and 10-12 more lines ****
Does this mean SSL is enabled properly?
What about the errors in lines 2-4?
Thanks.
Yes, SSL was enabled.
URLs provided by me in comments have more details.
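An added example, not from the thread: ldp's "Host supports SSL" on the server itself only shows that a handshake completed on 636. The script below checks LDAPS the way a client would, with chain and hostname verification switched on, then sends a real anonymous bind and a rootDSE search hand-encoded in BER (RFC 4511) and decodes the entry that comes back. The BER helpers are enough for these two operations and are not a general LDAP library; the DC name in the usage comment is an assumption, and the message bytes used in the test are constructed.

```python
"""LDAPS check: verified TLS, anonymous bind, rootDSE read, with minimal BER encoding."""
import socket
import ssl


def ber_len(n):
    if n < 0x80:  # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # long form: 0x80|nbytes, then length bytes


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(n):  # minimal two's-complement INTEGER, n >= 0
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def bind_request(msgid):  # BindRequest [APPLICATION 0]: LDAPv3, empty DN, empty simple password
    return tlv(0x30, ber_int(msgid) + tlv(0x60, ber_int(3) + tlv(0x04, b"") + tlv(0x80, b"")))


def rootdse_search(msgid, attrs=("supportedLDAPVersion", "defaultNamingContext")):
    """SearchRequest [APPLICATION 3]: base "", scope baseObject, filter (objectClass=*)."""
    op = (tlv(0x04, b"") + tlv(0x0A, b"\x00") + tlv(0x0A, b"\x00") + ber_int(0) + ber_int(0)
          + tlv(0x01, b"\x00") + tlv(0x87, b"objectClass")
          + tlv(0x30, b"".join(tlv(0x04, a.encode()) for a in attrs)))
    return tlv(0x30, ber_int(msgid) + tlv(0x63, op))


def ber_read(buf, pos=0):
    """Read one TLV at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_message(msg):
    """LDAPMessage -> (messageID, protocolOp tag, protocolOp content)."""
    _, content, _ = ber_read(msg)
    _, msgid, pos = ber_read(content)
    tag, op, _ = ber_read(content, pos)
    return int.from_bytes(msgid, "big", signed=True), tag, op


def decode_entry(op):
    """SearchResultEntry content -> (dn, {attribute: [values]})."""
    _, dn, pos = ber_read(op)
    _, attrs, _ = ber_read(op, pos)
    result, pos = {}, 0
    while pos < len(attrs):
        _, attr, pos = ber_read(attrs, pos)
        _, name, p = ber_read(attr)
        _, vals, _ = ber_read(attr, p)
        values, q = [], 0
        while q < len(vals):
            _, value, q = ber_read(vals, q)
            values.append(value.decode("utf-8", "replace"))
        result[name.decode()] = values
    return dn.decode(), result


def recv_message(stream):
    """Read exactly one BER-framed LDAPMessage from a binary stream."""
    head = stream.read(2)
    if len(head) < 2:
        raise ConnectionError("LDAP peer closed the connection")
    length = head[1]
    if length & 0x80:
        head += stream.read(length & 0x7F)
        length = int.from_bytes(head[2:], "big")
    return head + stream.read(length)


def ldaps_rootdse(host, port=636, cafile=None):
    """Verified TLS + anonymous bind + rootDSE read; returns (tls version, entries)."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain and hostname are verified
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            stream = tls.makefile("rb")
            tls.sendall(bind_request(1))
            _, tag, op = decode_message(recv_message(stream))
            if tag != 0x61 or ber_read(op)[1] != b"\x00":  # BindResponse, resultCode success
                raise RuntimeError("anonymous bind rejected")
            tls.sendall(rootdse_search(2))
            entries = []
            while True:
                _, tag, op = decode_message(recv_message(stream))
                if tag == 0x65:  # SearchResultDone
                    return tls.version(), entries
                if tag == 0x64:  # SearchResultEntry
                    entries.append(decode_entry(op))


if __name__ == "__main__":
    import sys
    print(ldaps_rootdse(sys.argv[1]))  # e.g. python ldaps_check.py dc1.example.com
```

If the handshake fails here but ldp on the DC succeeds, the usual cause is a certificate whose subject or SAN does not match the name clients use, or a chain the client does not trust; pass the enterprise CA bundle as cafile to tell the two apart.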
How do I set in autobench that I'm testing an HTTPS (port 443) URL?
When I call it with:
autobench --single_host --host1 host.com --port1 443 --uri1 /hello --num_conn 1000 --timeout 5 --low_rate 10 --high_rate 50 --rate_step 10 --num_call 10 --quiet --file results.tsv
it shows:
httperf.parse_status_line: invalid status line `<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">'!!
httperf.parse_status_line: bad status 1
Which is not correct because that HTTPS page (in the example above would be https://host.com/hello) returns a valid 200 OK response.
Thanks
You need to add the following line to your ~/.autobench.conf file:
httperf_ssl = NULL
--ssl is a command-line argument of httperf, which autobench calls underneath. The NULL value means to not pass a value for that arg to httperf.
Generally speaking, you can add any additional command-line arguments to httperf by putting them in the config file and prepending them with httperf_. Another example:
httperf_add-header = "Authorization: Basic Zm9vOmJhcg=="
is equivalent to running httperf --add-header "Authorization: Basic Zm9vOmJhcg=="