HTTPS monitor SSL Certificate Failure


I just upgraded to version 29.0.1 of OpenNMS Horizon.

After that upgrade, I’m now getting an alert on the HTTPS service saying it is down on my network switches.
HTTPS outage identified on interface aaa.bbb.ccc.ddd

In fact, it is not down. I’m accessing my switch over HTTPS. It’s only giving a cert issue.

In fact, that certificate is not valid, but I don’t care about it. I was not receiving alerts for that before; I just want to remove that cert validation.

How can I avoid that SSL validation? I don’t want the HTTPSDetector and HTTPSMonitor to check that cert.

There’s no way that I know of to skip certificate validation on the HTTPSMonitor. If you don’t care about monitoring that service on those nodes, remove it.

If you want to know less of “is this HTTPS and does it respond to HTTP GET” and more “is there something listening on port 443 on these devices”, you could always pivot to the TcpMonitor.

It’s just weird that it was working before. Is there no parameter that we can use to avoid that issue? I saw usesslfilter. I configured it to true on the Detector, but that does not change anything on the poller side.

I found it can be related to the upgrade of Java that happened.

I’m getting this in the poller.log file. I was not getting it before: DH ServerKeyExchange does not comply to algorithm constraints

But I really don’t know what I can do to tell Java to bypass certificate validation.

Ok. It is related to the latest version of Java. They removed support for SSL3, TLS1.0 and TLS1.1.

So I tried different things to get it working, but I’m still having the same issue. I removed the HTTPS monitoring on the affected device to avoid any alerts, but if someone has a solution, just keep me posted.

Ah. That makes sense.

You may be able to re-enable those protocols by editing your JDK’s file:

# grep -A3 ^jdk.tls.disabledAlgorithms /usr/lib/jvm/java-11/conf/security/
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

The path at which that file lives varies by distro family, but the above should work for RHEL derivatives. Be aware of the security concerns with these protocols. YMMV, no warranty expressed or implied, here be dragons, etc., etc., etc.
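Added illustration (not OpenNMS or JDK code) of how the property line above is read: given a constructed handshake summary for a hypothetical switch (the sort of thing openssl s_client reports; the thread gives no real values), it lists which entries would reject the handshake and rebuilds the line with only those removed, so SSLv3, RC4 and the other defaults stay disabled rather than the whole line being gutted. The matching is a simplification of the JDK's real algorithm-constraint logic.

```python
import re

# The default line quoted above, with its backslash continuations joined.
DISABLED_ALGORITHMS = (
    "SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, "
    "EC keySize < 224, 3DES_EDE_CBC, anon, NULL, "
    "include jdk.disabled.namedCurves"
)

# Constructed handshake summary for a hypothetical switch (the kind of thing
# 'openssl s_client' reports); the thread gives no real values.
SWITCH_HANDSHAKE = {
    "protocol": "TLSv1.2",
    "cipher": "DHE-RSA-AES256-SHA",
    "kex": "DH",      # the server sent a DH ServerKeyExchange
    "kex_bits": 768,  # assumed size of its ephemeral DH key
}

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "==": lambda a, b: a == b, "!=": lambda a, b: a != b}


def parse_disabled(value):
    """Yield (entry, algorithm, operator, keysize) per entry; plain names get
    None for operator/keysize. 'include ...' names another property; skipped."""
    for raw in value.split(","):
        item = raw.strip()
        if not item or item.startswith("include "):
            continue
        m = re.fullmatch(r"(\S+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)", item)
        yield (item, m[1], m[2], int(m[3])) if m else (item, item, None, None)


def blocking_entries(handshake, value=DISABLED_ALGORITHMS):
    """Simplified JDK check: which entries would reject this handshake."""
    names = {handshake["protocol"], handshake["kex"], *handshake["cipher"].split("-")}
    hits = []
    for entry, alg, op, size in parse_disabled(value):
        if op is None and alg in names:
            hits.append(entry)
        elif op and alg == handshake["kex"] and _OPS[op](handshake["kex_bits"], size):
            hits.append(entry)
    return hits


def relaxed_property(handshake, value=DISABLED_ALGORITHMS):
    """Drop only the blocking entries, keeping SSLv3, RC4 etc. disabled."""
    blocked = set(blocking_entries(handshake, value))
    return ", ".join(e.strip() for e in value.split(",") if e.strip() not in blocked)
```

Running blocking_entries(SWITCH_HANDSHAKE) on the constructed input returns only the DH key-size entry, which is the constraint the poller.log message above complains about.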