IPv6 issue with URL check

Issue #190 resolved
xfs created an issue

Since IPv6 support was introduced, I am having issues similar to the IPv6 issue that was solved by allowing IPv4 or IPv6 on port checks and ping checks. This needs to be added to URL checks, however, as my system gets a valid IPv6 IP but does not have a route to IPv6, so I need to check IPv4 only.

[EDT Apr 27 12:57:27] debug    : Socket test failed for [10.10.10.10]:443 -- HTTP: error sending data -- Success
[EDT Apr 27 12:57:27] debug    : Socket test failed for [FE80::0202:B3FF:FE1E:8329]:443 -- Network is unreachable
[EDT Apr 27 12:57:27] debug    : Socket test failed for [FE80::0202:B3FF:FE1E:8329]:443 -- Network is unreachable
[EDT Apr 27 12:57:27] error    : 'example.com' failed protocol test [HTTP] at [example.com]:443/token [TCPSSL/IP] -- Network is unreachable

Comments (8)

  1. Tildeslash repo owner

    I'm not sure what exactly the problem is ... according to the debug output, your host resolved to two interfaces: 10.10.10.10 (IPv4) and because it failed, monit tried the next one: FE80::0202:B3FF:FE1E:8329 (IPv6), but it failed too => the test would fail even if the host resolved to IPv4 only.

  2. xfs reporter

    Well, true, but I'm trying to get to the bottom of this, and IPv6 will not work with this server. I didn't see a way to use the URL check to only use IPv4.

  3. xfs reporter

    I'm also getting this which seems odd..

    [EDT Apr 27 12:57:27] error    : SSL: write error -- error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
    [EDT Apr 27 12:57:27] debug    : Socket test failed for [10.10.10.10]:443 -- HTTP: error sending data -- Success
    [EDT Apr 27 12:57:27] error    : SSL: write error -- error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
    [EDT Apr 27 12:57:27] debug    : Socket test failed for [10.10.10.10]:443 -- HTTP: error sending data -- Success
    
  4. Tildeslash repo owner

    It's not possible to set resolving to IPv4 only in Monit ... you can either use the IP address in the URL check directly (if possible) or, if your machine doesn't use IPv6, you may disable it completely - Monit uses the AI_ADDRCONFIG flag when it resolves the hostname using getaddrinfo() ... if the machine has no IPv6 interface, then this option will make getaddrinfo() not return the IPv6 addresses at all.

    Regarding the SSL error ... it seems to be an SSL version or cipher incompatibility - can you please post the full test from the Monit configuration file which produces this error? Also, which Monit version is it (monit -V), and which OpenSSL version is it linked to?

  5. xfs reporter

    Is there a way to ignore the IPv6 failure?

    Monit version is 5.13

    This is Monit version 5.13
    Copyright (C) 2001-2015 Tildeslash Ltd. All Rights Reserved.
    

    The check is as follows,

    check host example.com with address example.com
      if failed url https://example.com/token with timeout 15 seconds for 3 cycles then alert
    

    If you would like, I can send you the actual address in private, but the URL is behind Cloudflare, so anything with SSL through Cloudflare should suffice.

    Version of OpenSSL from Ubuntu Utopic:

    openssl:amd64/utopic-security 1.0.1f-1ubuntu9.4

  6. Tildeslash repo owner

    Thanks for the data. Can you please send the real address to support@mmonit.com?

    Monit version 5.13 has not been officially released yet ... if you use the development source code from Bitbucket, it may still change before the final version is finished.

  7. xfs reporter

    Right, I used the dev source from bitbucket to see if it fixed the issue, sending you the address.

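Comment 4 describes hostname resolution through getaddrinfo() with the AI_ADDRCONFIG flag. The following C program is an added example, not Monit source code and not part of the thread: it resolves a host once with AF_UNSPEC plus AI_ADDRCONFIG and once restricted to IPv4 through hints.ai_family, so the two address lists can be compared on a given machine. The name resolve_count and its parameters are chosen here for illustration.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Added example, not Monit code: resolve host:port and count results per
 * address family. family is AF_UNSPEC, AF_INET (IPv4 only) or AF_INET6;
 * flags are extra ai_flags such as AI_ADDRCONFIG. Returns 0 on success,
 * otherwise the getaddrinfo() error code. */
int resolve_count(const char *host, const char *port, int family, int flags,
                  int *n_v4, int *n_v6)
{
    struct addrinfo hints, *res, *ai;
    char text[128];
    int rc;

    *n_v4 = *n_v6 = 0;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = family;
    hints.ai_socktype = SOCK_STREAM;   /* TCP only: one entry per address */
    hints.ai_flags = flags;

    rc = getaddrinfo(host, port, &hints, &res);
    if (rc != 0)
        return rc;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        if (ai->ai_family == AF_INET) (*n_v4)++;
        else if (ai->ai_family == AF_INET6) (*n_v6)++;
        if (getnameinfo(ai->ai_addr, ai->ai_addrlen, text, sizeof text,
                        NULL, 0, NI_NUMERICHOST) == 0)
            printf("  [%s]:%s\n", text, port);
    }
    freeaddrinfo(res);
    return 0;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "localhost";
    int v4, v6, rc;
    puts("AF_UNSPEC + AI_ADDRCONFIG:");
    rc = resolve_count(host, "443", AF_UNSPEC, AI_ADDRCONFIG, &v4, &v6);
    printf("  %s: %d IPv4, %d IPv6\n", rc ? gai_strerror(rc) : "ok", v4, v6);
    puts("AF_INET (IPv4 only):");
    rc = resolve_count(host, "443", AF_INET, 0, &v4, &v6);
    printf("  %s: %d IPv4, %d IPv6\n", rc ? gai_strerror(rc) : "ok", v4, v6);
    return 0;
}
```

Run it with the monitored hostname as the argument to see which addresses each mode returns on that machine.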