[Nginx] Allow to disable SSL Certificate validation #1626

Closed
miketheman opened this issue May 15, 2015 · 6 comments

@miketheman
Contributor

Currently, there is no way that I could find to tell the nginx check to attempt to use a status endpoint located behind an SSL-enabled service, and ignore some of the SSL validations.

Consider a host with:

- nginx_status_url: https://localhost/nginx_status/

raises:

- instance #0 [ERROR]: '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)'

This is also likely to be the case when a certificate is self-signed.

It appears that a library replacement Agent 5.3.0 from the changes here: 3c95374 - but Agent 5.2.2 exhibits the same behavior, so I don't think that change introduced the problem - it might have been there for a while. Python 2.7.3

This is likely due to the OpenSSL version compiled into Python - an older version allowed the insecure access.

$ /usr/bin/python --version
Python 2.7.3
$ /usr/bin/python -c 'import ssl; print ssl.OPENSSL_VERSION' --version
OpenSSL 1.0.1 14 Mar 2012
$ /opt/datadog-agent/embedded/bin/python --version
Python 2.7.9
$ /opt/datadog-agent/embedded/bin/python -c 'import ssl; print ssl.OPENSSL_VERSION'
OpenSSL 1.0.1m 19 Mar 2015

$ /usr/bin/python -c "import urllib2;req = urllib2.urlopen('https://localhost/nginx_status/');print req.read()"
Active connections: 1
server accepts handled requests
 146 146 6
Reading: 0 Writing: 1 Waiting: 0
$ /opt/datadog-agent/embedded/bin/python -c "import urllib2;req = urllib2.urlopen('https://localhost/nginx_status/');print req.read()"
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/opt/datadog-agent/embedded/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/datadog-agent/embedded/lib/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/opt/datadog-agent/embedded/lib/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/opt/datadog-agent/embedded/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/datadog-agent/embedded/lib/python2.7/urllib2.py", line 1240, in https_open
    context=self._context)
  File "/opt/datadog-agent/embedded/lib/python2.7/urllib2.py", line 1197, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>

I'll note that using requests 2.7.0 on older Python 2.7.3 raises the same issue - so it's even more likely a bug in urllib2/ssl handling somewhere.

The http_check has, and had before, the disable_ssl_validation parameter - one solution would be to add that type of configuration flag for other http-based checks that used to use httplib2/urllib2 that allowed insecure requests without requiring an operator override.

@miketheman
Contributor Author

@remh Any update on this? It's preventing the ability to monitor https-only nginx endpoints on localhost.

@BretFisher

Same issue here, sadness.

@miketheman
Contributor Author

I hacked around it locally, not a great solution, but:

            r = requests.get(url, auth=auth, headers=headers(self.agentConfig), verify=False)

I think I'd rather this be a parameter I can pass into the instances object at config time, but I didn't dig in to how to do that yet.

Ref:

r = requests.get(url, auth=auth, headers=headers(self.agentConfig))

Ref: http://docs.python-requests.org/en/latest/user/advanced/#ssl-cert-verification
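
Added example, not part of this thread and not the Agent's code: one way to make certificate validation a per-instance setting that defaults to on, instead of a hard-coded `verify=False`. It uses the Python 3 standard library; `disable_ssl_validation` is the http_check parameter named above, while `ssl_ca_cert`, `ssl_context_for` and `fetch_status` are hypothetical names chosen for illustration.

```python
import logging
import ssl
import urllib.request

log = logging.getLogger("nginx_check_example")


def is_true(value):
    """Accept YAML booleans and the usual string spellings."""
    return str(value).strip().lower() in ("1", "true", "yes", "on")


def ssl_context_for(instance):
    """Build the TLS context for one check instance (a plain dict).

    Verification stays on unless the operator opts out per instance.
    ssl_ca_cert is a hypothetical key: a PEM file to trust, so that a
    self-signed endpoint can be monitored without turning verification off.
    """
    ctx = ssl.create_default_context()
    ca_cert = instance.get("ssl_ca_cert")
    if ca_cert:
        ctx.load_verify_locations(cafile=ca_cert)
    if is_true(instance.get("disable_ssl_validation", False)):
        log.warning("TLS validation disabled for %s", instance.get("nginx_status_url"))
        ctx.check_hostname = False  # has to be cleared before CERT_NONE is set
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_status(instance, timeout=5):
    """Fetch the status page with the context chosen for this instance."""
    url = instance["nginx_status_url"]
    with urllib.request.urlopen(url, timeout=timeout, context=ssl_context_for(instance)) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed instances, mirroring the URL from the report above.
    for inst in (
        {"nginx_status_url": "https://localhost/nginx_status/"},
        {"nginx_status_url": "https://localhost/nginx_status/", "disable_ssl_validation": True},
    ):
        ctx = ssl_context_for(inst)
        print(inst, ctx.verify_mode, ctx.check_hostname)
```

Trusting the endpoint's own certificate through a CA file keeps verification enabled for the self-signed case; the opt-out is logged so a disabled check is visible in the collector log.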

@remh remh added this to the 5.5.0 milestone Jul 17, 2015
@remh

remh commented Jul 17, 2015

Thanks for the feedback everyone, we will fix this issue for version 5.5.0

@remh remh changed the title nginx status check cannot be told to ignore SSL certificate validation [Nginx] Allow to disable SSL Certificate validation Jul 17, 2015
@JohnLZeller
Contributor

PR is ready for review: #1782

@yannmh
Member

yannmh commented Jul 27, 2015

Closed with #1782

@yannmh yannmh closed this as completed Jul 27, 2015