check_http returns with error "cannot make SSL connection" on icinga2

  • Hi,

    I hope someone can help with the following issue.

    Currently I'm using check_http with Icinga2. The system works fine as long as I'm not checking for the SSL Cert.

    I'm able to process the command via shell with "check_http -S -H 'some website' -C30" with proper results; however, when I try to process the command via the host file, the GUI is not able to process the command properly.

    Is this a known issue or am I missing a setting?

    my command file

    import "plugin-check-command"

    command = [ PluginDir + "/check_http" ]

    arguments = {
    "-H" = "$http_vhost$"
    "-I" = "$http_address$"
    "-u" = "$http_uri$"
    "-p" = "$http_port$"
    "-S" = "$http_ssl$"
    "-C" = "$http_cert$"


    my service conf file

    apply Service for (check_ssl => config in host.vars.check_ssl_cert) {
    import "generic-service"
    check_command = "check_ssl"

    vars += config

    My Host conf file

    import "web-host"

    vars.os = "WindowsWeb"
    vars.environment = "LegProd"

    vars.check_ssl_cert ["name of check"] = {
    http_address = "website address"
    http_ssl_certs = "1"
    http_cert = "15"

    Thanks in advance.

  • Hi,

    Originally I did use the default check_http within Icinga2 (received the same error), therefore I quickly slapped that together to reduce the amount of information being passed and also to ensure I wasn't passing it to the wrong command module.

    The problem only persists while I'm trying to pass the "-S" or "--ssl" argument through the host conf file. I would feed the variable with "1" as I would in the bash command line; however, the system does not seem to recognize the -S parameter.

    That aside, the original check_http command and service have not been altered; I still have it running, as it's currently performing a basic http ping for me.


  • Hm, I'd try it like this according to the docs:…plugin-check-command-http

    Keep it short and simple. You can still rework it into an apply for with host dictionaries.

  • Tested the code and it didn't work.

    I've done some more isolation and it turns out it's not the icinga conf coding that is failing. I was able to test another site with the same setup and the return is good. The original site of interest is not allowing an SSL connection.

    The interesting part is that if I run the command line directly on the failing site, I'm able to get a positive response.

    I'm passing check_http -S 1 on the command line which should be the same as passing http_certificate = true in the conf file???


  • No, it's not the same. Look at the documentation…plugin-check-command-http

    There are additional flags to force specific SSL/TLS versions. If you're unsure which custom attribute results in your required "-S 1" parameter, you can also look it up in the ITL config, located in /usr/share/icinga2/include or inside the source code on GitHub.…command-plugins.conf#L329

    So you'll need to specify http_ssl_force_tlsv1 instead of http_ssl.
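
The mapping described in the last reply, written out as an added configuration example that is not part of the original thread. The host name, address, vhost and the "generic-host" template are constructed placeholders; the attribute names are those of the ITL "http" CheckCommand.

```icinga2
// Added example, not from the thread. Names and addresses are placeholders.
object Host "web01.example.test" {
  import "generic-host"          // assumed template from the default conf.d
  address = "192.0.2.10"         // constructed address

  // One dictionary entry per certificate check, consumed by the apply rule below.
  vars.check_ssl_cert["cert www"] = {
    http_vhost = "www.example.test"   // becomes -H

    // The original host file set http_ssl_certs and http_cert. Neither name
    // is read by the ITL "http" command, and the custom command in the first
    // post reads $http_ssl$, so no -S ever reached check_http.

    // http_ssl = true               // would add plain -S (version negotiated)
    http_ssl_force_tlsv1 = true      // adds -S1, the shell's "-S 1"
    http_certificate = "30"          // becomes -C 30 (minimum days of validity)
  }
}

apply Service for (name => config in host.vars.check_ssl_cert) {
  import "generic-service"
  check_command = "http"             // ITL command, no custom CheckCommand needed
  vars += config
}
```

After `icinga2 daemon -C` and a reload, the command line Icinga 2 actually executes for the service can be compared with the one typed in the shell to confirm that both pass the same `-S` variant.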