You may find you need to perform a check where the FQDN you are monitoring doesn’t correspond to the IP address and some form of virtual server (or host headers) are in use. Now normally using a command like:
./check_http -H www.website.com -p 443 -C 30,15Should just work however in certain instances depending on the configuration of the web server you’ll get a different response to what you are expecting.
The issue is also described in https://github.com/nagios-plugins/nagios-plugins/issues/563
Example
Let’s take a look at an example, now we know this service the certificate is due to expire in 2 days, so let’s perform a check to see (its the 19th October 2022 today):
# ./check_http -v -H www.website.com -S -C 30,15
OK - Certificate '*.azurewebsites.net' will expire on Thu 09 Mar 2023 18:39:00 GMT.Wait, what? Thats not about to expire so what is it doing. Clearly its just resolving the IP address from the hostname and then querying the catch all website. If I go to this site within a web browser, i’m seeing the site and certificate i’m expecting!
What seems to be going on is the way the check_http request is being interpreted by the web server, meaning it does not seem to work with the host headers.
To resolve this you need to use the SNI option on check_http as below, now when we use that we get the result we were expecting.
# ./check_http -I www.website.com --sni --hostname=www.website.com -S -C 30,15
CRITICAL - Certificate 'www.website.com' expires in 2 day(s) (Sat 22 Oct 2022 00:59:00 BST).
1 thought on “check_http and SNI Hostnames”