Question

UNKNOWN: 500 Can't connect to X.X.X.X:8443 (certificate verify failed)

  • 28 September 2023
  • 48 replies
  • 1560 views

Badge +6

Hello,

I got this error on several services using the API plugins.

Does anyone know how to fix it?

I searched the forum for this, but the only thread about it did not help…

 



Userlevel 4
Badge +13

🎁

 

https://docs.centreon.com/pp/integrations/plugin-packs/getting-started/how-to-guides/troubleshooting-plugins/#unknown-500-cant-connect-to-ip_addressport-extra_reason_if_available

 

😊

Badge +1

You can take a look at this for SSH key exchange:

https://docs.centreon.com/pp/integrations/plugin-packs/procedures/applications-monitoring-centreon-central/#ssh-key-exchange

Badge +6

Already tried those arguments but they did not work.

Badge +6

I am going to test it later. Thanks.

Edit: this link helps to set up SSH key exchange from poller to central; it's not my issue. Thanks anyway.

Badge +1

So could you be more precise about your trouble?
Is it between a poller and a client?

If this is the case, in the link you’ve got the tips to follow to add the keys.

 

HTH

Pascal

Badge +6


Of course I can. I am trying to set up several official plugins from Centreon: WSUS, Active Directory, Exchange.

I got the exact same message for those 3 plugins:

I have a central with poller and database which is trying to get information from several hosts (WSUS, Active Directory, Exchange).

The common denominator between all those hosts is that they all use the same port for those services: 8443.

If I'm not mistaken, the link you gave is for setting up the SSH connection from poller to host.

Also, I tried to connect to the NSCP web interface on the hosts but it did not work.

I really don't understand what's going on.

Badge +1

Are you sure that your secure connection on the target, using port 8443, gets a certificate?

 

Badge +6


 

Honestly no. How can I be sure about that? I do not know a lot about certificates.

Edit: I tried to add this to the command

/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***'  --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services'  --arg='  --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /[a-zA-Z]/" --verbose' --http-backend=curl
UNKNOWN: curl perform error : Peer certificate cannot be authenticated with given CA certificates
 

or

/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***'  --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services'  --arg='  --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /[a-zA-Z]/" --verbose' --http-backend=curl --insecure
UNKNOWN: 403 Forbidden
 

or

/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***'  --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services'  --arg='  --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /[a-zA-Z]/" --verbose' --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE
>
 

Nothing happens with the last one

or

/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***'  --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services'  --arg='  --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /[a-zA-Z]/" --verbose' --ssl=ignore-errors
UNKNOWN: 500 Can't connect to 10.XX.10.XX:8443 (certificate verify failed)

 

or

/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***'  --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services'  --arg='  --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /[a-zA-Z]/" --verbose' --curl-opt="CURLOPT_SSL_VERIFYPEER => 0"
UNKNOWN: 500 Can't connect to 10.XX.10.XX:8443 (certificate verify failed)
 

Userlevel 5
Badge +14

hi

the one that returns nothing is the right syntax, at least that’s what I have in all my nsclient restapi calls

you just forgot the last double quote after none

Badge +6


Well spotted. I added the last double quote but still got this error; it's like it does not take the SSL mode…

/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***'  --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services'  --arg='  --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /[a-zA-Z]/" --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" --verbose'
UNKNOWN: 500 Can't connect to 10.XX.10.XX:8443 (certificate verify failed)
 

Userlevel 5
Badge +14

 

Be aware of the single quotes in the multiple “--arg” options: “--ssl-opt” is an argument you need to pass to the Linux Perl command; if you include it in an --arg option it will be passed to the Windows command.

In your last command everything in bold is in the last --arg, all of it between 2 single quotes ‘ ‘

(notice how everything inside this block uses double quotes “”)

/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***'  --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services'  --arg='  --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /[a-zA-Z]/" --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" --verbose'

 

here is the same command, but I took the ssl options out of the last --arg:

/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***'  --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE"  --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services'  --arg='  --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /[a-zA-Z]/" --verbose'

 

usually you give this --ssl-opt to the host extra options macro, so it is placed automatically and you don’t have to do it manually

 

Badge +6

 


 

Even if what you're telling me seems clear when I look at the order, it looks very confused with single and double quotes all over the place, so I've tried to rework the order with some logic.
Can you tell me what you think?

/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.3.10.93' --port='8443' --proto='https' --legacy-password='***'  --ssl-opt='SSL_verify_mode => SSL_VERIFY_NONE' --command=check_centreon_plugins --arg="apps::microsoft::exchange::local::plugin" --arg="services"  --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /[a-zA-Z]/" --verbose
Unknown option: warning at /usr/lib/centreon/plugins//centreon_nsclient_restapi.pl line 472.

Maybe Centreon is waiting for a warning argument.

Userlevel 5
Badge +14

Hello

 so I've tried to rework the order with some logic

please DON’T

 

There is a reason for the single quotes and double quotes: remember the command is generated by PHP from a MySQL database, then it is run on Linux in bash, will go through a web service on Windows, which will then run a command based on some parameters…

Do not play with quotes (single quotes allow bash to put double quotes in what it will send to Windows).

Back to the basic problem: there is a Centreon command in the database, and it is used by a service template in a host template using Windows NRPE.

You should not have to use the command manually, and here is how you set up the ssl-opt properly.

In the Centreon UI you should go to “configuration / Hosts / Template”

look for “OS-Windows-NSClient-05-Restapi-custom”

In the custom macros you should have this; notice the one in white that I modified with the ssl-opt.

I put this in the box for NSCPRESTAPIEXTRAOPTIONS:

--ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE"

This will be put automatically in all commands run on a host with that template.

I don’t know if you have put the Windows NSClient template or just the app-exchange template, but you should have an “OS” template on your host before the “app” template.

The “OS” template initializes a lot of macros/options.

Your host should have these templates (in this order):

Here is the “command” for Exchange you are using:

The ssl-opt will be put where I marked in yellow; everything else you have pasted here is generated from that,

so once again, don’t play with the quotes, they are set up in this command.

Finally, if you don’t want to use a host template, OK, fine, but you must add the custom macro for the NSClient option on the host, including the one with the extra options I mentioned above.
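
The quoting point made in the two replies above (where --ssl-opt has to sit, and why the generated single and double quotes must stay as they are), shown as an added example that is not part of the original posts and not Centreon code. The functions local_options, remote_payload, ssl_opt_is_local, inside_arg and outside_arg are names made up for this illustration; they stand in for the plugin and only inspect the arguments bash produces.

```bash
#!/usr/bin/env bash
# Added illustration, not Centreon code. The functions receive the same argv
# entries bash would hand to centreon_nsclient_restapi.pl, so no plugin or
# network is needed. Host and password are the masked values from the thread.

# Names of the options the Linux-side plugin receives as its own options.
# Whatever is wrapped in --arg=... is payload for the Windows agent.
local_options() {
    local a
    for a in "$@"; do
        case "$a" in
            --arg=*) ;;
            --*=*)   printf '%s\n' "${a%%=*}" ;;
            --*)     printf '%s\n' "$a" ;;
        esac
    done
}

# Payload of each --arg, one per line, exactly as it is forwarded.
remote_payload() {
    local a
    for a in "$@"; do
        case "$a" in
            --arg=*) printf '%s\n' "${a#--arg=}" ;;
        esac
    done
}

# True when --ssl-opt reaches the local plugin as a separate argument.
ssl_opt_is_local() {
    local_options "$@" | grep -qx -- '--ssl-opt'
}

# Command line with --ssl-opt typed inside the last single-quoted --arg.
# $1 is the inspection function to run in place of the real plugin.
inside_arg() {
    "$1" --plugin=apps::nsclient::restapi::plugin --mode=query \
        --hostname='10.XX.10.XX' --port='8443' --proto='https' \
        --legacy-password='***' --command=check_centreon_plugins \
        --arg='apps::microsoft::exchange::local::plugin' --arg='services' \
        --arg='  --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /[a-zA-Z]/" --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" --verbose'
}

# Same command with --ssl-opt moved out of the --arg payload.
outside_arg() {
    "$1" --plugin=apps::nsclient::restapi::plugin --mode=query \
        --hostname='10.XX.10.XX' --port='8443' --proto='https' \
        --legacy-password='***' \
        --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" \
        --command=check_centreon_plugins \
        --arg='apps::microsoft::exchange::local::plugin' --arg='services' \
        --arg='  --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /[a-zA-Z]/" --verbose'
}

# Report, for each variant, which side ends up holding --ssl-opt.
for variant in inside_arg outside_arg; do
    if "$variant" ssl_opt_is_local; then
        where="local Perl plugin"
    else
        where="Windows agent (inside --arg)"
    fi
    printf '%-12s --ssl-opt goes to: %s\n' "$variant" "$where"
done
```

In the first variant the TLS option is just text inside the third --arg, so the HTTPS client on the poller never sees it and certificate verification still runs.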

Badge +6


so 

 

and for the command

the response sent by the command

/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.XX.10.XX' --port='8443' --proto='https' --legacy-password='***' --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services'  --arg='  --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /[a-zA-Z]/" --verbose'
-bash: /usr/lib/centreon/plugins//centreon_nsclient_restapi.pl: No such file or directory
 

 

 

Badge +6


this is how it is

and 

/usr/lib/centreon/plugins//centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='10.3.10.93' --port='8443' --proto='https' --legacy-password='***' --ssl-opt="SSL_verify_mode => SSL_VERIFY_NONE" --command=check_centreon_plugins --arg='apps::microsoft::exchange::local::plugin' --arg='services'  --arg='  --warning="" --critical="%{requiredservicesrunning} =~ /True/i and %{servicesnotrunning} =~ /[a-zA-Z]/" --verbose'

UNKNOWN: 403 Forbidden

Userlevel 5
Badge +14

ah, 403 Forbidden is better (i guess)

This could have multiple causes:

1 TCP port used by another process

Could you stop the “nsclient” service on the Windows host and check with

netstat -an | findstr 8443

If there is a line in the output of the command, then you have something else listening on TCP port 8443 (usually a java/tomcat service, or another piece of software; you can check in the Windows Resource Monitor).

If that’s the case, you would need to change the HTTP port to something unused (I use 5443 for example) in nsclient.ini, and override the custom macro for the port with the same value (5443).

you can change the port in the nsclient.ini

[/settings/WEB/server]

port = 5443s

 

2 wrong password

in the nsclient.ini, section web server

[/settings/WEB/server]

password = xyz

This is the “legacy password”; make sure the value matches your ** password.

 

3 address of the centreon poller not allowed in the nsclient.ini

also in the nsclient.ini, section 

[/settings/WEB/server]

; ALLOWED HOSTS - A coma separated list of allowed hosts. You can use netmasks (/ syntax) or * to create ranges.
allowed hosts = 10.10.10.1, mypoller, 192.168.10.*

Allowed hosts should include or match exactly your poller (ip address, range, or dns name)

 

Badge +6


 

Tried another port, changed the password; nothing changed, still the same error.

 

Badge +6

@christophe.niel-ACT thank you, now the message has changed and I feel like we're close to fixing it.

I tried all commands with --debug on the central.

I got the same debug message each time:

======> response done
HTTP/1.0 403 Forbidden
Content-Length: 22
Client-Date: Thu, 05 Oct 2023 14:01:12 GMT
Client-Peer: 10.3.10.93:8443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /CN=localhost
Client-SSL-Cert-Subject: /CN=localhost
Client-SSL-Cipher: AES256-GCM-SHA384
Client-SSL-Socket-Class: IO::Socket::SSL
Client-SSL-Version: TLSv1_2

403 Please login first
 

What does this mean?

Where do I log in?
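
What the --debug dump above already says about the TLS layer and the HTTP layer, as an added example (not part of the original post and not Centreon code). SAMPLE_DEBUG is constructed from the headers quoted in the post; header, cert_cn and triage are hypothetical helper names, and only the CN is compared because the dump does not show subject alternative names.

```bash
#!/usr/bin/env bash
# Added illustration, not Centreon code: read an LWP-style --debug response
# dump and report what it says about the TLS layer and the HTTP layer.

# Constructed sample: the response headers quoted in the post.
SAMPLE_DEBUG='HTTP/1.0 403 Forbidden
Content-Length: 22
Client-Date: Thu, 05 Oct 2023 14:01:12 GMT
Client-Peer: 10.3.10.93:8443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /CN=localhost
Client-SSL-Cert-Subject: /CN=localhost
Client-SSL-Cipher: AES256-GCM-SHA384
Client-SSL-Socket-Class: IO::Socket::SSL
Client-SSL-Version: TLSv1_2

403 Please login first'

# header NAME: value of the first "NAME: value" line read from stdin.
header() {
    awk -v name="$1" 'index($0, name ": ") == 1 {
        print substr($0, length(name) + 3); exit }'
}

# cert_cn DN: CN of a one-line distinguished name such as /O=x/CN=host.
cert_cn() {
    printf '%s\n' "$1" | sed -n 's|.*/CN=\([^/]*\).*|\1|p'
}

# triage DUMP: print one finding per line.
triage() {
    local dump=$1 status issuer subject peer host cn
    status=$(printf '%s\n' "$dump" | awk '/^HTTP\// { print $2; exit }')
    issuer=$(printf '%s\n' "$dump" | header Client-SSL-Cert-Issuer)
    subject=$(printf '%s\n' "$dump" | header Client-SSL-Cert-Subject)
    peer=$(printf '%s\n' "$dump" | header Client-Peer)
    host=${peer%:*}
    cn=$(cert_cn "$subject")

    # LWP adds the Client-SSL-* headers to a response received over TLS.
    if [ -n "$(printf '%s\n' "$dump" | header Client-SSL-Version)" ]; then
        echo "tls=established"
    else
        echo "tls=none"
    fi
    # Issuer equal to subject: the certificate vouches for itself, so no CA
    # in the poller's trust store can validate it.
    if [ -n "$issuer" ] && [ "$issuer" = "$subject" ]; then
        echo "cert=self-issued"
    fi
    # The check targets an IP address; a CN of "localhost" cannot match it.
    if [ -n "$cn" ] && [ "$cn" != "$host" ]; then
        echo "name-mismatch cn=$cn peer=$host"
    fi
    case "$status" in
        2??)     echo "http=$status ok" ;;
        401|403) echo "http=$status rejected-after-tls" ;;
        *)       echo "http=${status:-none}" ;;
    esac
}

triage "$SAMPLE_DEBUG"
```

A self-issued CN=localhost certificate is why verification failed before --ssl-opt was added; with SSL_VERIFY_NONE the session is still encrypted, but the poller no longer authenticates which host receives the legacy password. The 403 arrives after the handshake, so it belongs to the HTTP layer, not to TLS.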

Badge +6

Up, if anyone can help.

Userlevel 5
Badge +14

When you got the “unknown error : cannot load module --plugin….”, that was the most correct thing you got to.

This is NOT the same error as 403 Forbidden; it means “you managed to connect, but there is an issue on your Windows host and the Exchange plugin is not working”.

Can you please be sure to be at that point consistently? It was a regression when you got a 403 in your last post.

When you are sure to get that “cannot load module”, there is more debugging to do, apparently.

Next is your installation of centreon-plugins.exe in your NSClient; maybe it is not up to date:

easy fix, just download it from here: Releases · centreon/centreon-nsclient-build (github.com) and put it in the right NSClient folder.

Or maybe there is an issue on your Windows host preventing the plugin from creating its temporary working folder in c:\windows\temp\par----- (which could come from an antivirus, for example).

Badge +6


It's really strange: in the Centreon web interface I have "cannot load module", but when I enter the command on the central server I get the 403 error.
I can't understand why the same command would produce two different messages.

Userlevel 5
Badge +14

I didn’t want to delve here.

I don’t know your infrastructure. Do you have a central with pollers? If yes, you should run the command from the poller, not the central (there may be an issue with the ‘allowed host’ in the nsclient.ini, or local Windows FW issues).

And whatever your infra is like, there may be an issue with the command line you typed in the shell. Be sure to get the one generated by Centreon (from the resource detail panel, at the bottom, with the “copy” button), and be sure to be admin to be able to get the correct password in that command line.

But that is a different issue; it doesn’t help for the debugging of the plugin, but if you get the “cannot load module” on the web interface, at least something is working.

For debugging purposes, please paste this command line (hide your password). I have an Exchange somewhere; I’ll try your command “as is” with my password and IP.

 

 

 

 

Badge +6


 

 

 

 

My central is my poller and Centreon DB; we have everything on it, even BAM, except MAP & MBI.

I updated the centreon-plugins.exe in the NSClient folder and now the answer is different.

 

Userlevel 5
Badge +14

You went back to “can’t connect” and “connection refused”, which is not good. Replacing centreon-plugins.exe in the script subfolder should not impact NSClient; you don’t even have to restart it.

If you didn’t modify the nsclient.ini, this really looks like there is something interfering with HTTPS on TCP 8443 on your Windows hosts.

This is a network problem or a config problem on the Windows side :/ (are you sure about cause “1” I listed in a previous post above, about multiple services/programs using the TCP 8443 port?)

 
