Your message dated Fri, 21 Feb 2025 12:27:44 +0100
with message-id <[email protected]>
and subject line Re: [Pkg-nagios-devel] Bug#1098492: icinga2-common: Please
support check_http's --continue-after-certificate
has caused the Debian Bug report #1098492,
regarding icinga2-common: Please support check_http's
--continue-after-certificate
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1098492: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098492
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: icinga2-common
Version: 2.13.6-2+deb12u2
Severity: normal
Tags: patch
X-Debbugs-Cc: [email protected]
Hello,
if the check_http plugin uses -C (aka $http_certificate$) it ignores the
URL to check (-u aka $http_uri$). However if you pass
--continue-after-certificate it does both checks.
Please consider the following patch:
diff --git a/itl/command-plugins.conf b/itl/command-plugins.conf
index 4d9ae066d424..28bd3fb438f3 100644
--- a/itl/command-plugins.conf
+++ b/itl/command-plugins.conf
@@ -544,6 +544,10 @@ object CheckCommand "http" {
set_if = "$http_verify_host$"
description = "Verify SSL certificate is for the -H
hostname (with --sni and -S)"
}
+ "--continue-after-certificate" = {
+ set_if = "$http_certificate_continue$"
+ description = "Allows the HTTP check to continue after
performing the certificate check. (Only effective with http_certificate.)"
+ }
}
vars.http_address = "$check_address$"
I tested that on stable, but the patch is against the git packaging
repo. Maybe something more sophisticated would also work, something
like: pass --continue-after-certificate if http_certificate and
at least one of { http_uri, http_string, http_method, http_post,
http_expect_body_regex, ...} are set. But my icinga foo isn't good
enough for that.
Thanks
Uwe
-- System Information:
Debian Release: trixie/sid
APT prefers stable-security
APT policy: (700, 'stable-security'), (700, 'stable-debug'), (700, 'stable'),
(650, 'testing-debug'), (650, 'testing'), (600, 'unstable'), (500,
'unstable-debug'), (1, 'experimental')
Architecture: arm64 (aarch64)
Kernel: Linux 6.12.9-arm64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_CRAP
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages icinga2-common depends on:
ii adduser 3.134
ii lsb-release 12.0-1
ii sysvinit-utils 3.06-4
Versions of packages icinga2-common recommends:
ii logrotate 3.21.0-1
icinga2-common suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
On 2/21/25 12:03 PM, Uwe Kleine-König wrote:
I tested that on stable, but the patch is against the git packaging
repo. Maybe something more sophisticated would also work, something
like: pass --continue-after-certificate if http_certificate and
at least one of { http_uri, http_string, http_method, http_post,
http_expect_body_regex, ...} are set. But my icinga foo isn't good
enough for that.
Consider the CheckCommand objects provided by Icinga as mere suggestions or
starting points for the objects in your own configuration.
Because the plugins are not shipped with icinga2 there is a mismatch between
the options supported by the plugins and those defined in the icinga
configuration.
It would be better to ship the command definitions with the plugins as that
makes it easier to keep them in sync when options are added/removed, but I
don't see this happening.
I just copy the CheckCommand objects from ITL to my own configuration and
customize them to match the version of the plugin I'm running, those might the
ones from monitoring-plugins or elsewhere.
As such, I don't want to carry your patch in the Debian package. You should
consider upstreaming it, but be prepared to have it rejected if the option is
only provided by check_http from monitoring-plugins and not by the one from
nagios-plugins or vice versa.
Kind Regards,
Bas
--
GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
--- End Message ---