SSLCert test dependency on HTTP? 🔗 link

wrote:

Hi all,


I have sslcert tests that keep going purple 30 minutes after the HTTP test
starts failing.  If the HTTP test is failing I know the sslcert test is
going to fail, so I would expect there to be an implied dependency on the
http test.  There doesn’t seem to be one though.  Is there any way to do
this in the configuration?  I tried adding a dependency but it doesn’t seem
to have any effect.


Thanks!

*Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate*
One La-Z-Boy Drive | Monroe, Michigan 48162  | ( XXX-XXX-XXXX | | )

This message is intended only for the individual or entity to which it is
addressed.  It may contain privileged, confidential information which is
exempt from disclosure under applicable laws.  If you are not the intended
recipient, you are strictly prohibited from disseminating or distributing
this information (other than to the intended recipient) or copying this
information.  If you have received this communication in error, please
notify us immediately by e-mail or by telephone at the above number. Thank
you.

From: Josh Luthman [mailto:user-4c45a83f15cb@xymon.invalid]
Sent: Wednesday, March 23, 2016 10:41 PM
To: Scot Kreienkamp <user-9678697f1438@xymon.invalid>
Cc: xymon at xymon.com
Subject: Re: [Xymon] SSLCert test dependency on HTTP?


Did you compile xymon with SSL?

Josh Luthman
Office: XXX-XXX-XXXX
Direct: XXX-XXX-XXXX
XXXX Wayne St
Suite XXXX
Troy, OH XXXXX
On Mar 23, 2016 10:36 PM, "Scot Kreienkamp" <user-9678697f1438@xymon.invalid<mailto:user-9678697f1438@xymon.invalid>> wrote:
Hi all,

I have sslcert tests that keep going purple 30 minutes after the HTTP test starts failing.  If the HTTP test is failing I know the sslcert test is going to fail, so I would expect there to be an implied dependency on the http test.  There doesn’t seem to be one though.  Is there any way to do this in the configuration?  I tried adding a dependency but it doesn’t seem to have any effect.

Thanks!

Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate

This message is intended only for the individual or entity to which it is addressed.  It may contain privileged, confidential information which is exempt from disclosure under applicable laws.  If you are not the intended recipient, you are strictly prohibited from disseminating or distributing this information (other than to the intended recipient) or copying this information.  If you have received this communication in error, please notify us immediately by e-mail or by telephone at the above number. Thank you.

Josh Luthman
Office: XXX-XXX-XXXX
Direct: XXX-XXX-XXXX
XXXX Wayne St
Suite XXXX
Troy, OH XXXXX

wrote:

Sorry, maybe I wasn’t clear… my question is more around the SSLCert
column.  The source of that column is the HTTP test, so when it fails of
course it can’t send a status on the SSLCert because there’s no SSLCert to
test on due to the failing HTTP test.  So I’d like it to not go purple.


*Scot Kreienkamp  | Senior Systems Engineer | La-Z-Boy Corporate*
One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: XXX-XXX-XXXX | |
Mobile: XXXXXXXXXX | Email: user-9678697f1438@xymon.invalid

*From:* Josh Luthman [mailto:user-4c45a83f15cb@xymon.invalid]
*Sent:* Wednesday, March 23, 2016 10:41 PM
*To:* Scot Kreienkamp <user-9678697f1438@xymon.invalid>
*Cc:* xymon at xymon.com
*Subject:* Re: [Xymon] SSLCert test dependency on HTTP?


Did you compile xymon with SSL?

Josh Luthman
Office: XXX-XXX-XXXX
Direct: XXX-XXX-XXXX
XXXX Wayne St
Suite XXXX
Troy, OH XXXXX

On Mar 23, 2016 10:36 PM, "Scot Kreienkamp" <user-9678697f1438@xymon.invalid>
wrote:

Hi all,


I have sslcert tests that keep going purple 30 minutes after the HTTP test
starts failing.  If the HTTP test is failing I know the sslcert test is
going to fail, so I would expect there to be an implied dependency on the
http test.  There doesn’t seem to be one though.  Is there any way to do
this in the configuration?  I tried adding a dependency but it doesn’t seem
to have any effect.


Thanks!

*Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate*
One La-Z-Boy Drive | Monroe, Michigan 48162  | ( XXX-XXX-XXXX | | )
7349151444 | *  user-9678697f1438@xymon.invalid <%7BE-mail%7D>
www <http://www.la-z-boy.com/>.la-z-boy.com <http://www.la-z-boy.com/>; |
facebook. <https://www.facebook.com/lazboy>com
<https://www.facebook.com/lazboy>/ <https://www.facebook.com/lazboy>lazboy
<http://facebook.com/lazboy>; | twitter.com/lazboy | youtube.com/
<https://www.youtube.com/user/lazboy>lazboy
<https://www.youtube.com/user/lazboy>;


This message is intended only for the individual or entity to which it is
addressed.  It may contain privileged, confidential information which is
exempt from disclosure under applicable laws.  If you are not the intended
recipient, you are strictly prohibited from disseminating or distributing
this information (other than to the intended recipient) or copying this
information.  If you have received this communication in error, please
notify us immediately by e-mail or by telephone at the above number. Thank
you.

From: Josh Luthman [mailto:user-4c45a83f15cb@xymon.invalid]
Sent: Wednesday, March 23, 2016 11:05 PM
To: Scot Kreienkamp <user-9678697f1438@xymon.invalid>
Cc: xymon at xymon.com
Subject: RE: [Xymon] SSLCert test dependency on HTTP?


You could do nosslcert but I think depends= is better (make it depend on that http test).

Josh Luthman
Office: XXX-XXX-XXXX
Direct: XXX-XXX-XXXX
XXXX Wayne St
Suite XXXX
Troy, OH XXXXX
On Mar 23, 2016 10:45 PM, "Scot Kreienkamp" <user-9678697f1438@xymon.invalid<mailto:user-9678697f1438@xymon.invalid>> wrote:
Sorry, maybe I wasn’t clear… my question is more around the SSLCert column.  The source of that column is the HTTP test, so when it fails of course it can’t send a status on the SSLCert because there’s no SSLCert to test on due to the failing HTTP test.  So I’d like it to not go purple.
From: Josh Luthman [mailto:user-4c45a83f15cb@xymon.invalid<mailto:user-4c45a83f15cb@xymon.invalid>]
Sent: Wednesday, March 23, 2016 10:41 PM
To: Scot Kreienkamp <user-9678697f1438@xymon.invalid<mailto:user-9678697f1438@xymon.invalid>>

Subject: Re: [Xymon] SSLCert test dependency on HTTP?


Did you compile xymon with SSL?

Josh Luthman

XXXX Wayne St
Suite XXXX
Troy, OH XXXXX
On Mar 23, 2016 10:36 PM, "Scot Kreienkamp" <user-9678697f1438@xymon.invalid<mailto:user-9678697f1438@xymon.invalid>> wrote:
Hi all,

I have sslcert tests that keep going purple 30 minutes after the HTTP test starts failing.  If the HTTP test is failing I know the sslcert test is going to fail, so I would expect there to be an implied dependency on the http test.  There doesn’t seem to be one though.  Is there any way to do this in the configuration?  I tried adding a dependency but it doesn’t seem to have any effect.

Thanks!

Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162  | • XXX-XXX-XXXX<tel:XXX-XXX-XXXX> | | • 7349151444<tel:XXXXXXXXXX> | •  user-9678697f1438@xymon.invalid<mailto:%7BE-mail%7D>
www<http://www.la-z-boy.com/>.la-z-boy.com<http://www.la-z-boy.com/>; | facebook.<https://www.facebook.com/lazboy>com<https://www.facebook.com/lazboy>/<https://www.facebook.com/lazboy>lazboy<http://facebook.com/lazboy>; | twitter.com/lazboy<https://twitter.com/lazboy>; | youtube.com/<https://www.youtube.com/user/lazboy>lazboy<https://www.youtube.com/user/lazboy>;

This message is intended only for the individual or entity to which it is addressed.  It may contain privileged, confidential information which is exempt from disclosure under applicable laws.  If you are not the intended recipient, you are strictly prohibited from disseminating or distributing this information (other than to the intended recipient) or copying this information.  If you have received this communication in error, please notify us immediately by e-mail or by telephone at the above number. Thank you.

depends=(sslcert:lzbvidmpdoim2.na.lzb.hq/http)

The server is lzbvidmpdoim2.na.lzb.hq, so if I have that constructed right

implemented in the network module so it may not be able to apply to the
sslcert test.  I know Henrik had wanted to reimplement that higher up in

around to it.

JC, can I make a feature request?  Reimplement depends so it can work for
any test?

Thanks.

From: J.C. Cleaver [mailto:user-87556346d4af@xymon.invalid]
Sent: Thursday, March 24, 2016 9:00 PM
To: Scot Kreienkamp; Josh Luthman
Cc: Xymon Mailing List
Subject: RE: [Xymon] SSLCert test dependency on HTTP?


On Thu, March 24, 2016 6:06 am, Scot Kreienkamp wrote:

As I said, I tried that and it didn’t seem to work.

depends=(sslcert:lzbvidmpdoim2.na.lzb.hq/http)

The server is lzbvidmpdoim2.na.lzb.hq, so if I have that constructed right
I’ve told it that the sslcert test depends on the http test on itself.
It hasn’t had any effect though.  As I recall, the depends is
implemented in the network module so it may not be able to apply to the
sslcert test.  I know Henrik had wanted to reimplement that higher up in
the processing order so it could apply to any test.  Guess he didn’t get
around to it.

JC, can I make a feature request?  Reimplement depends so it can work for
any test?

Thanks.

'sslcert' is a little odd in that it's not really a normal test of its own
-- it's created if xymonnet does an SSL transaction, but not otherwise. So
if there's no valid https connection made (because the site is down) and
nothing else is being tested via SSL on the same host (eg, smtps, imaps,
ldaps, ...) then no sslcert test gets created at all. Hence the purple.
And, yes, since xymonnet is doing the depends calculation it doesn't even
get to that point.

I'll have to take a look at the xymonnet code, but I believe it might be
possible to default to a dummy sslcert record if we think we're doing an
SSL exchange (clear, most likely), which could solve this specific issue.


The broader question on 'depends' calculation in the core xymond is a bit
trickier. Well, that's not right. It's tricky to do without adversely
impacting performance by causing additional scans for incoming status
messages. It's unimportant in smaller installs but the math adds up in
larger ones.

Having dependency arbitrary dependency calculation done by the test
submitter reduces xymond's load back to linear scans, but it also prevents
depends from working as flexibly as it should, as you've seen.


There are some of the bits of logic that might be able to be consolidated
together, however. Having a host-level enable/disable option (instead of
test-level ones), and taking CONN_down = (red/purple->clear) logic to the
core (and perhaps allowing that test to be selectable on a per-host basis)
could get us close while still being efficient.


Regards,
-jc


This message is intended only for the individual or entity to which it is addressed.  It may contain privileged, confidential information which is exempt from disclosure under applicable laws.  If you are not the intended recipient, you are strictly prohibited from disseminating or distributing this information (other than to the intended recipient) or copying this information.  If you have received this communication in error, please notify us immediately by e-mail or by telephone at the above number. Thank you.

On 03/28/2016 04:12 PM, Scot Kreienkamp wrote:

JC,

I think I have found either a bug or at least an inconsistency
related to this.  On three hosts that have SSLCert tests on them and
are currently purple, when I query them with xymondboard I get green
status back.

From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Ryan Novosielski
Sent: Monday, March 28, 2016 4:15 PM
To: xymon at xymon.com
Subject: Re: [Xymon] SSLCert test dependency on HTTP?


On 03/28/2016 04:12 PM, Scot Kreienkamp wrote:

JC,

I think I have found either a bug or at least an inconsistency

related to this.  On three hosts that have SSLCert tests on them and

are currently purple, when I query them with xymondboard I get green

status back.

Are you certain that it's a green status, not a purple status that shows

the last known status of green?


--

____

|| \\ University | Sr. Technologist - 973/972.0922 (2x0922) ~*~ RBHS Campus

||  \\    of NJ  | Office of Advanced Research Computing - MSB C630, Newark

     `'


This message is intended only for the individual or entity to which it is addressed.  It may contain privileged, confidential information which is exempt from disclosure under applicable laws.  If you are not the intended recipient, you are strictly prohibited from disseminating or distributing this information (other than to the intended recipient) or copying this information.  If you have received this communication in error, please notify us immediately by e-mail or by telephone at the above number. Thank you.

From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Scot Kreienkamp
Sent: Monday, March 28, 2016 4:13 PM
To: J.C. Cleaver; Josh Luthman
Cc: Xymon Mailing List
Subject: Re: [Xymon] SSLCert test dependency on HTTP?

JC,

I think I have found either a bug or at least an inconsistency related to this.  On three hosts that have SSLCert tests on them and are currently purple, when I query them with xymondboard I get green status back.


-----Original Message-----
From: J.C. Cleaver [mailto:user-87556346d4af@xymon.invalid]
Sent: Thursday, March 24, 2016 9:00 PM
To: Scot Kreienkamp; Josh Luthman
Cc: Xymon Mailing List
Subject: RE: [Xymon] SSLCert test dependency on HTTP?


On Thu, March 24, 2016 6:06 am, Scot Kreienkamp wrote:

As I said, I tried that and it didn’t seem to work.

depends=(sslcert:lzbvidmpdoim2.na.lzb.hq/http)

The server is lzbvidmpdoim2.na.lzb.hq, so if I have that constructed right
I’ve told it that the sslcert test depends on the http test on itself.
It hasn’t had any effect though.  As I recall, the depends is
implemented in the network module so it may not be able to apply to the
sslcert test.  I know Henrik had wanted to reimplement that higher up in
the processing order so it could apply to any test.  Guess he didn’t get
around to it.

JC, can I make a feature request?  Reimplement depends so it can work for
any test?

Thanks.

'sslcert' is a little odd in that it's not really a normal test of its own
-- it's created if xymonnet does an SSL transaction, but not otherwise. So
if there's no valid https connection made (because the site is down) and
nothing else is being tested via SSL on the same host (eg, smtps, imaps,
ldaps, ...) then no sslcert test gets created at all. Hence the purple.
And, yes, since xymonnet is doing the depends calculation it doesn't even
get to that point.

I'll have to take a look at the xymonnet code, but I believe it might be
possible to default to a dummy sslcert record if we think we're doing an
SSL exchange (clear, most likely), which could solve this specific issue.


The broader question on 'depends' calculation in the core xymond is a bit
trickier. Well, that's not right. It's tricky to do without adversely
impacting performance by causing additional scans for incoming status
messages. It's unimportant in smaller installs but the math adds up in
larger ones.

Having dependency arbitrary dependency calculation done by the test
submitter reduces xymond's load back to linear scans, but it also prevents
depends from working as flexibly as it should, as you've seen.


There are some of the bits of logic that might be able to be consolidated
together, however. Having a host-level enable/disable option (instead of
test-level ones), and taking CONN_down = (red/purple->clear) logic to the
core (and perhaps allowing that test to be selectable on a per-host basis)
could get us close while still being efficient.


Regards,
-jc


This message is intended only for the individual or entity to which it is addressed.  It may contain privileged, confidential information which is exempt from disclosure under applicable laws.  If you are not the intended recipient, you are strictly prohibited from disseminating or distributing this information (other than to the intended recipient) or copying this information.  If you have received this communication in error, please notify us immediately by e-mail or by telephone at the above number. Thank you.

From: Scot Kreienkamp
Sent: Monday, March 28, 2016 4:42 PM
To: Scot Kreienkamp; J.C. Cleaver; Josh Luthman
Cc: Xymon Mailing List
Subject: RE: [Xymon] SSLCert test dependency on HTTP?

HTTP exhibits the same behavior.  I don't have any other purple tests to try this on.


-----Original Message-----
From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Scot Kreienkamp
Sent: Monday, March 28, 2016 4:13 PM
To: J.C. Cleaver; Josh Luthman
Cc: Xymon Mailing List
Subject: Re: [Xymon] SSLCert test dependency on HTTP?

JC,

I think I have found either a bug or at least an inconsistency related to this.  On three hosts that have SSLCert tests on them and are currently purple, when I query them with xymondboard I get green status back.


-----Original Message-----
From: J.C. Cleaver [mailto:user-87556346d4af@xymon.invalid]
Sent: Thursday, March 24, 2016 9:00 PM
To: Scot Kreienkamp; Josh Luthman
Cc: Xymon Mailing List
Subject: RE: [Xymon] SSLCert test dependency on HTTP?


On Thu, March 24, 2016 6:06 am, Scot Kreienkamp wrote:

As I said, I tried that and it didn’t seem to work.

depends=(sslcert:lzbvidmpdoim2.na.lzb.hq/http)

The server is lzbvidmpdoim2.na.lzb.hq, so if I have that constructed right
I’ve told it that the sslcert test depends on the http test on itself.
It hasn’t had any effect though.  As I recall, the depends is
implemented in the network module so it may not be able to apply to the
sslcert test.  I know Henrik had wanted to reimplement that higher up in
the processing order so it could apply to any test.  Guess he didn’t get
around to it.

JC, can I make a feature request?  Reimplement depends so it can work for
any test?

Thanks.

'sslcert' is a little odd in that it's not really a normal test of its own
-- it's created if xymonnet does an SSL transaction, but not otherwise. So
if there's no valid https connection made (because the site is down) and
nothing else is being tested via SSL on the same host (eg, smtps, imaps,
ldaps, ...) then no sslcert test gets created at all. Hence the purple.
And, yes, since xymonnet is doing the depends calculation it doesn't even
get to that point.

I'll have to take a look at the xymonnet code, but I believe it might be
possible to default to a dummy sslcert record if we think we're doing an
SSL exchange (clear, most likely), which could solve this specific issue.


The broader question on 'depends' calculation in the core xymond is a bit
trickier. Well, that's not right. It's tricky to do without adversely
impacting performance by causing additional scans for incoming status
messages. It's unimportant in smaller installs but the math adds up in
larger ones.

Having dependency arbitrary dependency calculation done by the test
submitter reduces xymond's load back to linear scans, but it also prevents
depends from working as flexibly as it should, as you've seen.


There are some of the bits of logic that might be able to be consolidated
together, however. Having a host-level enable/disable option (instead of
test-level ones), and taking CONN_down = (red/purple->clear) logic to the
core (and perhaps allowing that test to be selectable on a per-host basis)
could get us close while still being efficient.


Regards,
-jc


This message is intended only for the individual or entity to which it is addressed.  It may contain privileged, confidential information which is exempt from disclosure under applicable laws.  If you are not the intended recipient, you are strictly prohibited from disseminating or distributing this information (other than to the intended recipient) or copying this information.  If you have received this communication in error, please notify us immediately by e-mail or by telephone at the above number. Thank you.

Yep, verified that it actually thinks it’s green.

When I retrieve a list of just the host and test it reports green.

[root at monvxymon ~]# xymon 127.0.0.1 "xymondboard host=lzbvidm test=sslcert"

lzbvidm |sslcert|green||1458745371|1459196141|1459197941|0|0|10.1.1.200||green Mon Mar 28 16:15:20 2016

From: Xymon [mailto:xymon-bounces at xymon.com] On Behalf Of Henrik Størner
Sent: Monday, March 28, 2016 4:54 PM
To: xymon at xymon.com
Subject: Re: [Xymon] SSLCert test dependency on HTTP?


Den 28-03-2016 kl. 22:26 skrev Scot Kreienkamp:

Yep, verified that it actually thinks it’s green.


When I retrieve a list of just the host and test it reports green.


[root at monvxymon ~]# xymon 127.0.0.1 "xymondboard host=lzbvidm test=sslcert"

lzbvidm |sslcert|green||1458745371|1459196141|1459197941|0|0|10.1.1.200||green Mon Mar 28 16:15:20 2016
Those three numbers are 1) timestamp when color last changed, 2) time the latest status message was received, and 3) time when status is no longer valid (i.e. when it should go purple).

The timestamp "1459197941" is Mar 28 20:45:41 UTC, so if you are checking the status after that time then it should be purple.

I don't see anything in the web status display code that can make the page show up as purple without a purple status being reported from xymondboard... So this is weird.


Regards,
Henrik

This message is intended only for the individual or entity to which it is addressed.  It may contain privileged, confidential information which is exempt from disclosure under applicable laws.  If you are not the intended recipient, you are strictly prohibited from disseminating or distributing this information (other than to the intended recipient) or copying this information.  If you have received this communication in error, please notify us immediately by e-mail or by telephone at the above number. Thank you.