munin-monitoring / munin / 17416987188
46%

DEFAULT BRANCH: master
Ran
Jobs 1
Files 20
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 46.253%. Remained the same
17416987188

push

github

web-flow 
Enable wget --no-check-certificate option in http_loadtime plugin (#1664)

This patch disables SSL/TLS certificate validation in the http_loadtime
plugin when wget establishes an HTTPS connection. This prevents the
plugin from considering an untrusted certificate a failure. Which allows
the plugin to work with HTTPS protocol servers, even when they supply a
self-signed, expired, or otherwise invalid certificate.

### My case
I am using munin's http_loadtime plugin to monitor a
[pi-hole](https://pi-hole.net/) server. Which creates a self-signed TLS
certificate to support HTTPS. The certificate is created and managed by
3rd-party software. I have enabled automatic redirection of HTTP to
HTTPS in the web server configuration.

### Problem
The wget program will attempt to verify certificates by default. So wget
will exit with an error when the http_loadtime plugin tries to establish
an HTTPS connection with a server providing an untrusted certificate.
Which causes the plugin to consider the operation failed.

This means that the plugin will not be automatically suggested/linked
during the `munin-node-configure` step. And if manually enabled, it will
exit immediately after the connection is initialized - so the `value`
metric will not include the transmit time for downloading any of the
actual data at the configured URL.

### Solution
Conveniently, wget offers an option to disable certificate validation -
[`--no-check-certificate`](https://www.gnu.org/software/wget/manual/wget.html#index-SSL-certificate_002c-check).
When I enable this option then the http_loadtime plugin works fine with
self-signed certificates.

In my case I was able to work around the problem by trusting the
certificate in the operating system. You could also potentially work
around this problem by setting the option in a wget config file for the
root user. But those are not universal solutions. It would be difficult
to use certificate trust to work around this problem with certificates
... (continued)

1043 of 2255 relevant lines covered (46.25%)

275.02 hits per line

Jobs
ID Job ID Ran Files Coverage
1 17416987188.1 20
46.25
 GitHub Action Run
Source Files on build 17416987188