Https-check, URL is up but unresponsive on interface xx.xx.xx.xx

Hi!

https-check that says: “domainname” is up but “unresponsive” on interface xx.xx.xx.xx
Last Good: Unknown

When I do a curl I get status 200 OK. Why does the https-check say it is “unresponsive”?

Is it possible to use domainname instead of IP when doing the check?

Thanks!

monitorclass: org.opennms.netmgt.poller.monitors.HttpsMonitor
26.1.0

Can you show the full <service> config code for your poller?

  <service name="HTTPS-check" interval="300000" user-defined="false" status="on">
     <parameter key="retry" value="1"/>
     <parameter key="host-name" value="domainname.se"/>
     <parameter key="url" value="/test/ping"/>
     <parameter key="timeout" value="8000"/>
     <parameter key="port" value="443"/>
     <parameter key="response" value="200"/>
  </service>  


  <monitor service="HTTPS-check" class-name="org.opennms.netmgt.poller.monitors.HttpsMonitor"/>

Is domainname.se a name based virtual host on interface xx.xx.xx.xx, or is it something external to this node & interface that you’re expecting to resolve?

HttpMonitor connects to the IP address of the monitored interface, always. It does not use the host-name field as a resolvable hostname for the connection; it adds the host-name to the request as part of the HTTP header.

What does curl say if you do something like:
curl -v -H "Host: domainname.se" http://xx.xx.xx.xx/test/ping ? (where xx.xx.xx.xx is the interface IP as above in your example)

curl -v -H "Host: domainname.se" https://xx.xx.xx.xx/test/ping

* Trying xx.xx.xx.xx:443...
* Connected to xx.xx.xx.xx (xx.xx.xx.xx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to xx.xx.xx.xx:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to xx.xx.xx.xx:443

Works with curl using domainname but not towards IP. Is the webserver blocking request or something?

That’s not a socket/firewall block, it’s an SSL certificate mismatch as the IP isn’t listed as a subject alternate name on the cert. Though the usesslfilter setting should be false by default to not require SSL verification to pass.

curl -vk -H "Host: domainname.se" https://xx.xx.xx.xx/test/ping

-k is aka --insecure and will skip certificate verification.

The question I’m trying to answer is “Is domainname.se really a named virtual host on interface xx.xx.xx.xx?”

Hi! Using -k still gets the same SSL error.
They need to fix their mismatch somehow, I guess. But what do they need to fix?

Don’t know if domainname.se is a virtual host on the interface xx.xx.xx.xx.
How can I tell?

Thanks!

Would be in the web server config. Apache/Nginx/IIS/etc. Generally speaking, if that DNS resolves to that IP and you can browse to that hostname, it should be configured.

Does domainname.se resolve to xx.xx.xx.xx when you perform a forward DNS lookup?

Hi! Yes it does. It points to that ip.

Ok. Thanks! Will talk to them. I can’t access the page when using a browser with the IP. Works only with domainname.

Is it standard to have an IP in a cert by default?

I just got news that maybe there is a netscaler in the front.

Depends on how you access the service. In the case of the ONMS poller, it should be ignoring the certificate when checking. My comment was more for your manual command line check.

So if I add: <parameter key="usesslfilter" value="False"/> it will skip verification?
Thanks!

No, that is the default value for the setting. I was saying that isn’t the issue with the poller - it’s something else.

Ok. thanks.

If I remove <parameter key="response" value="200"/> what does it actually check? Only that 443 responds?

That you need. That is checking what HTTP status code returns from the request. 200 is “OK” meaning a successful request. (As opposed to a 404 or 500 or a number of other error codes)

Yes. But without using a status code check, what does it check for then? Only if port 443 responds? I can see that some use a check without “response”.

See Administrators Guide for the default value of the attributes.

If the url parameter is set to /, the default value for this parameter is 100-499, otherwise it’s 100-399.
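
The check as the replies above describe it (connect to the interface IP, send host-name only as the Host header, skip certificate verification, compare the status with the response range), written as a small Python probe for reproducing a poll by hand. This is an added example, not OpenNMS code and not from any poster; the function names, the tls switch and the comma-separated range handling are assumptions of the sketch.

```python
import http.client
import ssl

def default_response(url):
    # Defaults as quoted from the Administrators Guide in the thread.
    return "100-499" if url == "/" else "100-399"

def status_allowed(status, response):
    # Accepts "200" or "100-399"; comma-separated lists are an assumption here.
    for part in response.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= status <= int(high or low):
            return True
    return False

def poll(ip, port, url, host_name=None, response=None, timeout=8.0, tls=True):
    """Hypothetical stand-in for one poll; returns (up, detail)."""
    if tls:
        # Certificate is not verified, matching usesslfilter=false in the thread.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(ip, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    # The socket always goes to the IP; host_name only becomes the Host header.
    headers = {"Host": host_name} if host_name else {}
    try:
        conn.request("GET", url, headers=headers)
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException) as exc:
        return False, f"no usable response: {exc!r}"
    finally:
        conn.close()
    wanted = response or default_response(url)
    return status_allowed(status, wanted), f"HTTP {status}, accepted {wanted}"

if __name__ == "__main__":
    # Placeholder address (TEST-NET-1); substitute the monitored interface IP.
    print(poll("192.0.2.10", 443, "/test/ping", host_name="domainname.se", response="200"))
```

A connection reset during the TLS handshake, as in the curl output earlier in the thread, comes back here as `(False, "no usable response: ...")` before any status code is compared.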