I'm having problems with a cert. (internal cert issued by us) If I'm checking google's output is correct:

./check_ssl_cert.pl -H google.com
OK: 70 days remaining for '*.google.com'. Certificate Expires: 'Feb 23 14:17:00 2017 GMT'

However if I'm checking my internal cert is not working, is for webmail and it requieres authentication. Please find below the output.

verbose mode on

check_ssl_cert.pl version 0.9.12 => Hari Sekhon Utils version 1.18.6

host: XXXXX
port: 443
warning lower: 31
critical lower: 15

setting timeout to 10 secs

cmd: /usr/bin/openssl version -a
output:

OpenSSL 1.0.2g 1 Mar 2016
built on: reproducible build, date unspecified
platform: debian-amd64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/lib/ssl"

exitcode: 0

Found CApath from openssl binary as: /usr/lib/ssl

CA path directory: /usr/lib/ssl

• checking validity of cert (chain of trust)
  cmd: echo | /usr/bin/openssl s_client -connect XXXXXX:443 -CApath /usr/lib/ssl 2>&1
  output:

139761281857176:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
CONNECTED(00000003)

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 305 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1481734653
Timeout : 300 (sec)
Verify return code: 0 (ok)

exitcode: 1

Verify return code: 0 (ok)

• checking domain and expiry on cert
  cmd: echo | /usr/bin/openssl s_client -connect XXXXX:443 -CApath /usr/lib/ssl 2>&1 | /usr/bin/openssl x509 -noout -text 2>&1
  output:

unable to load certificate
140653386462872:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE

exitcode: 1

CRITICAL: failed to determine certificate domain name

we have a zookeeper running on host ip: 64.12.255.119 and the isIP function tosses it due to line 1527:
$_ > 254 and return undef;

to fix I changed it to 255.

Hi,

I think there is a mistake in mac_regex.
The first block is [0-9A-F-af] and should be [0-9A-Fa-f]

Thank you

Got error building the library:

openssl-version.c:2:30: fatal error: openssl/opensslv.h: No such file or directory
 #include <openssl/opensslv.h>

Ubuntu 14.04.2 LTS

The aws secret key is not necessarily alphanumeric. My suggestion is to remove the alphanum check, or go with the aws recommended regex. However, amazon says this is also subject to change.

From http://blogs.aws.amazon.com/security/blog/tag/key+rotation

"· Search for access key IDs: (?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9]). In English, this regular expression says: Find me 20-character, uppercase, alphanumeric strings that don’t have any uppercase, alphanumeric characters immediately before or after.

· Search for secret access keys: (?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=]). In English, this regular expression says: Find me 40-character, base-64 strings that don’t have any base 64 characters immediately before or after."

"We can’t guarantee these regular expressions will work forever (we reserve the right to change the format of access key IDs and secret access keys) but they’re a start."

./check_whois.pl --help

Unknown switch condition (?(DE in regex; marked by <-- HERE in m/
(?( <-- HERE DEFINE)
(? -? (?= [1-9]|0(?!\d) ) \d+ (.\d+)? ([eE] [+-]? \d+)? )
(? true | false | null )
(? " ([^"\\]* | \ ["\bfnrt/] | \ u [0-9a-f]{4} )* " )
(? [ (?: (?&json) (?: , (?&json) )* )? \s* ] )
(? \s* (?&string) \s* : (?&json) )
(? { (?: (?&pair) (?: , (?&pair) )* )? \s* } )
at HariSekhonUtils.pm line 1224.

Hello
I use the check_kafka script and I have the following error message, and I do not see where the problem is, below the logging.conf file

[loggers]
keys=root

[handlers]
keys=consoleHandler,fileHandler,kafkaHandler

[formatters]
keys=simpleFormatter,logstashFormatter

[logger_root]
level=DEBUG
handlers=consoleHandler,fileHandler,kafkaHandler
formatter=simpleFormatter

[handler_fileHandler]
class=logging.handlers.WatchedFileHandler
level=DEBUG
formatter=simpleFormatter
args=('/var/log/check_kafka.log', 'a')

[handler_kafkaHandler]
class=python_kafka_logging.KafkaHandler.KafkaLoggingHandler
level=DEBUG
formatter=logstashFormatter
args=("192.168.0.35:2181, 192.168.0.193:2181","apps-openshift")

[handler_consoleHandler]
class=StreamHandler
level=DEBUG
formatter=simpleFormatter
args=(sys.stdout,)

[formatter_simpleFormatter]
format=%(asctime)s - %(levelname)s - %(name)s - %(message)s

[formatter_logstashFormatter]
class=logstash_formatter.LogstashFormatter
format={"extra": {"appName": "myPythonApp", "environment": "AWS-Test"}}

can you help me ?
thanks

Hi,

check_ssl_cert.pl does not like my hostname:

% ./check_ssl_cert.pl --host 1.example.com |head -n3
invalid host '1.example.com' defined: not a valid hostname or IP address

usage: check_ssl_cert.pl [ options ]
% 

The regex hostnames are matched against expects them to start with letters ([A-Za-z]). However, numbers in hostnames are perfectly valid.

Kind regards,
Frank.

Great library! Any plans to make so that the elasticsearch checks can go over SSL for folks who are using the Shield plugin?

When I try to make on Ubuntu 14.04, I get the following error.

Expat.xs:12:19: fatal error: expat.h: No such file or directory
 #include <expat.h>
                   ^

Probably want to check for the dependency.

Hi,
I found myself here because a coworker found bug #73 in your nagios plugins repo, and nearly tried to fork NetAddr::IP::InetBase thinking it was a fault in that module. Luckily I did some quick digging to see that it was a $SIG{__DIE__} handler in our code breaking everything. It was undoubtedly the same issue affecting check_kafka.pl

I'm wondering if you haven't tried using $EXCEPTIONS_BEING_CAUGHT or $^S inside your die handler to prevent it from exiting if you don't need it to.

Better yet -- you can always stop exiting from your $SIG{__DIE__} handler which would allow exceptions to bubble up naturally. You might even be able to avoid using the signal handler entirely.. Read the bottom couple paragraphs of the signal var for more information on avoiding $SIG{__DIE__}.

this bug is occurring with later versions of centos/perl/lwp where lwp ssl verification parameters have changed and a slightly different format is required for skipping verification to work. CentOS 6.3 and older versions aren't having any issues, but 6.9 and later (or equivalents in other distros) will break if skipping ssl certificate or hostname verification is required

our usernames are fully numeric and that's failing (i'm guessing) your username regex, which needs to have leading alpha?

existing scripts fail with "UNKNOWN" errors because script timeouts are normally shorter than default LWP timeout. this is a problem because instead of being down/failed, service shows up as UNKNOWN which is a soft state not picked up by some monitoring platforms

this happens with or without SSL, it's simply the LWP curl timeout

[user@somehost]$ ./check_elasticsearch_cluster_disk_balance.pl -H 192.168.1.3 -S --ssl-noverify -u someuser -p somepassword -t 2
UNKNOWN: self timed out after 2 seconds

this can be fixed for each specific check type by making sure LWP timeout is set to be less than global script timeout, so that curl is allowed to time out and the error code is handled properly. this can also be set in the global curl function by also applying global timeout to LWP timeout

Expected behaviour should be:

[user@somehost]$ ./check_elasticsearch_cluster_disk_balance.pl -H 192.168.1.3 -S --ssl-noverify -u someuser -p  somepassword -t 2
CRITICAL: 500 Can't connect to 192.168.1.3:9200 (timeout)

git submodule update --init --recursive
fatal: reference is not a tree: c039fd2a8f50fc38e7f7bbe730b4b1013cb876d0
Unable to checkout 'c039fd2a8f50fc38e7f7bbe730b4b1013cb876d0' in submodule path 'bash-tools/templates'
Failed to recurse into submodule path 'bash-tools'

MySQL queries containing reserved words fail due to DML statement match. i.e. - 'select foo from product_updates where created_date ... ' will match both update and create. Suggestion would be to match reserved words + whitespace ? This worked for me :

$ git diff
diff --git a/HariSekhonUtils.pm b/HariSekhonUtils.pm
index 66e4fcb..c0fb60b 100644
--- a/HariSekhonUtils.pm
+++ b/HariSekhonUtils.pm
@@ -3302,7 +3302,7 @@ sub validate_database_query_select_show ($;$) {
     #debug("regex validating query: $query");
     $query =~ /^\s*((?:SHOW|SELECT)\s+.+)$/i || usage "invalid ${name}query defined: may only be a SELECT or SHOW statement";
     $query = $1;
-    $query =~ /insert|update|delete|create|drop|alter|truncate/i and usage "invalid ${name}query defined: found DML statement keywords!";
+    $query =~ / insert | update | delete | create | drop | alter | truncate /i and usage "invalid ${name}query defined: found DML statements keywords!";
     # this trips up users who put ; at the end of their query and doesn't offer that much protection anyway since DML is already checked for and it may be convenient to
     #$query =~ /;|--/i and usage "invalid ${name}query defined: suspect chars ';' or '--' detected in query!";
     $query =~ /;/ and usage "invalid ${name}query defined: you may not add semi-colons to your queries, while it works on the command line, Nagios ends up choking by pre```


I'm not a perl expert (or even a novice) so this may be wrong way of going about it.

Hello,

is it possible to modify the 'domain_component' regex to accept also domains like '_spf1.example.com'.

Thank you.

Hi,

I wanted to use your elasticsearch and couchbase plugins. Which seem to require your perl lib etc. I don't need or want any hadoop stuff etc, nor do I want to clone the entire library of plugins onto my server.

I apologize for being a noob with perl and git, but how can I simply get the prereqs and the specific plugins that I want to work on my system?

check_elasticsearch.pl required HariSekhonUtils.pm which in turn is looking for JSON.pm, which I don't see in your repo. So like the title says, do you have some simple instructions so I can get these plugins running on Nagios?

Thanks in advance for any help you can offer.

Just updated Perl (v5.18.2, not sure what it was before) and I am getting this error:
OK: Insecure dependency in``while running with -T switch at /usr/local/lib/nagios-plugins/harisekhon/lib/HariSekhonUtils.pm line 986.

Called from check_whois.pl.

Hello,
That would be great to be able to specify the user and password used by the solr plugins.
Should be quite simple, as it is just some arguments of the curl_json function, located in lib/HariSekhon/Solr.pm, currently set to undef.
By the way, excellent plugins!
BR,
Yannick