Merge pull request #441 from Icinga:feature/adds_support_for_http_check_to_disable_tls_checks

Feature: Adds support for `Invoke-IcingaCheckHTTPStatus` to allow for ignoring SSL/TLS errors

Adds support for `Invoke-IcingaCheckHTTPStatus` to allow for ignoring SSL/TLS errors

Author: LordHepipud

config/director/Invoke-IcingaCheckHTTPStatus.json

@@ -178,6 +178,10 @@ object CheckCommand "Invoke-IcingaCheckHTTPStatus" {
             value = "$IcingaCheckHTTPStatus_Object_Critical$"
             order = 3
         }
+        "-IgnoreSSL" = {
+            set_if = "$IcingaCheckHTTPStatus_Switchparameter_IgnoreSSL$"
+            order = 99
+        }
         "-Headers" = {
             description = "Used to specify headers as Array. Like: -Headers 'Accept:application/json'"
             value = {{
@@ -266,6 +270,9 @@ object CheckCommand "Invoke-IcingaCheckHTTPStatus" {
         "AddOutputContent" = {
             set_if = "$IcingaCheckHTTPStatus_Switchparameter_AddOutputContent$"
         }
+        "IgnoreSSL" = {
+            set_if = "$IcingaCheckHTTPStatus_Switchparameter_IgnoreSSL$"
+        }
         "ProxyUsername" = {
             value = "$IcingaCheckHTTPStatus_String_ProxyUsername$"
         }
@@ -299,6 +306,7 @@ object CheckCommand "Invoke-IcingaCheckHTTPStatus" {
     }
     vars.IcingaCheckHTTPStatus_Switchparameter_AddOutputContent = false
     vars.IcingaCheckHTTPStatus_Switchparameter_ConnectionErrAsCrit = false
+    vars.IcingaCheckHTTPStatus_Switchparameter_IgnoreSSL = false
     vars.ifw_api_command = "invoke-icingacheckhttpstatus"
     vars.IcingaCheckHTTPStatus_Switchparameter_Negate = false
 }

config/director/Plugins_Bundle.json

@@ -871,6 +871,10 @@ object CheckCommand "Invoke-IcingaCheckHTTPStatus" {
             value = "$IcingaCheckHTTPStatus_Object_Critical$"
             order = 3
         }
+        "-IgnoreSSL" = {
+            set_if = "$IcingaCheckHTTPStatus_Switchparameter_IgnoreSSL$"
+            order = 99
+        }
         "-Headers" = {
             description = "Used to specify headers as Array. Like: -Headers 'Accept:application/json'"
             value = {{
@@ -959,6 +963,9 @@ object CheckCommand "Invoke-IcingaCheckHTTPStatus" {
         "AddOutputContent" = {
             set_if = "$IcingaCheckHTTPStatus_Switchparameter_AddOutputContent$"
         }
+        "IgnoreSSL" = {
+            set_if = "$IcingaCheckHTTPStatus_Switchparameter_IgnoreSSL$"
+        }
         "ProxyUsername" = {
             value = "$IcingaCheckHTTPStatus_String_ProxyUsername$"
         }
@@ -992,6 +999,7 @@ object CheckCommand "Invoke-IcingaCheckHTTPStatus" {
     }
     vars.IcingaCheckHTTPStatus_Switchparameter_AddOutputContent = false
     vars.IcingaCheckHTTPStatus_Switchparameter_ConnectionErrAsCrit = false
+    vars.IcingaCheckHTTPStatus_Switchparameter_IgnoreSSL = false
     vars.ifw_api_command = "invoke-icingacheckhttpstatus"
     vars.IcingaCheckHTTPStatus_Switchparameter_Negate = false
 }
@@ -3648,7 +3656,7 @@ object CheckCommand "Invoke-IcingaCheckUNCPath" {
 
     arguments += {
         "-WarningTotal" = {
-            description = "A warning threshold for the shares total free space in byte units, like '50GB:' Please note that this value is decreasing over time, therefor you will have to use the plugin handler and add ':' at the end of your input to check for 'current value < threshold' like in the previous example  Allowed units: B, KB, MB, GB, TB, PB, KiB, MiB, GiB, TiB, PiB"
+            description = "A warning threshold for the shares free space in either % or byte units, like '20%:' or '50GB:' Please note that this value is decreasing over time, therefor you will have to use the plugin handler and add ':' at the end of your input to check for 'current value < threshold' like in the previous example  Allowed units: %, B, KB, MB, GB, TB, PB, KiB, MiB, GiB, TiB, PiB"
             value = "$IcingaCheckUNCPath_Object_WarningTotal$"
             order = 8
         }
@@ -3955,7 +3963,7 @@ object CheckCommand "Invoke-IcingaCheckICMP" {
 
     arguments += {
         "-WarningPl" = {
-            description = "Threshold on which the plugin will return 'WARNING' for possible packet loss in %"
+            description = "Threshold on which the plugin will return 'WARNING' for the response time in ms"
             value = "$IcingaCheckICMP_Object_WarningPl$"
             order = 4
         }
@@ -4969,7 +4977,7 @@ object CheckCommand "Invoke-IcingaCheckUpdates" {
 
     arguments += {
         "-WarningRollups" = {
-            description = "The warning threshold for the rollup update count on the Windows machine"
+            description = "The warning threshold for the total pending update count on the Windows machine"
             value = "$IcingaCheckUpdates_Object_WarningRollups$"
             order = 7
         }
@@ -4992,7 +5000,7 @@ object CheckCommand "Invoke-IcingaCheckUpdates" {
             order = 12
         }
         "-WarningDefender" = {
-            description = "The warning threshold for the Microsoft Defender update count on the Windows machine"
+            description = "The warning threshold for the total pending update count on the Windows machine"
             value = "$IcingaCheckUpdates_Object_WarningDefender$"
             order = 9
         }
@@ -5015,7 +5023,7 @@ object CheckCommand "Invoke-IcingaCheckUpdates" {
             order = 100
         }
         "-WarningOther" = {
-            description = "The warning threshold for all other updates on the Windows machine"
+            description = "The warning threshold for the total pending update count on the Windows machine"
             value = "$IcingaCheckUpdates_Object_WarningOther$"
             order = 11
         }
@@ -5067,7 +5075,7 @@ object CheckCommand "Invoke-IcingaCheckUpdates" {
             order = 2
         }
         "-WarningSecurity" = {
-            description = "The warning threshold for the security update count on the Windows machine"
+            description = "The warning threshold for the total pending update count on the Windows machine"
             value = "$IcingaCheckUpdates_Object_WarningSecurity$"
             order = 5
         }

config/icinga/Invoke-IcingaCheckHTTPStatus.conf

@@ -25,6 +25,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 ### Enhancements
 
 * [#408](https://github.com/Icinga/icinga-powershell-plugins/issues/408) Adds support for `Invoke-IcingaCheckDiskHealth` to filter disks by their friendly name
+* [#430](https://github.com/Icinga/icinga-powershell-plugins/issues/430) Adds support for `Invoke-IcingaCheckHTTPStatus` to allow for ignoring SSL/TLS errors
 
 ## 1.13.0 (2025-01-30)
 

config/icinga/Plugins_Bundle.conf

@@ -32,6 +32,7 @@ No special permissions required.
 | Negate | SwitchParameter | false | False | A switch used to invert check results. |
 | AddOutputContent | SwitchParameter | false | False | Adds the returned content of a website to the plugin output for debugging purpose |
 | ConnectionErrAsCrit | SwitchParameter | false | False | By default the plugin will return UNKNOWN in case a connection to a webserver is not possible. By using this<br /> flag, the result will be modified from UNKNOWN to CRITICAL |
+| IgnoreSSL | SwitchParameter | false | False | Use this flag to ignore SSL errors in case your endpoints are not trusted by the client or you are using self-signed certificates. |
 | NoPerfData | SwitchParameter | false | False | Used to disable PerfData. |
 | Verbosity | Int32 | false | 0 | Changes the behavior of the plugin output which check states are printed:<br /> 0 (default): Only service checks/packages with state not OK will be printed<br /> 1: Only services with not OK will be printed including OK checks of affected check packages including Package config<br /> 2: Everything will be printed regardless of the check state<br /> 3: Identical to Verbose 2, but prints in addition the check package configuration e.g (All must be [OK]) |
 | ThresholdInterval | String |  |  | Change the value your defined threshold checks against from the current value to a collected time threshold of the Icinga for Windows daemon, as described [here](https://icinga.com/docs/icinga-for-windows/latest/doc/110-Installation/06-Collect-Metrics-over-Time/). An example for this argument would be 1m or 15m which will use the average of 1m or 15m for monitoring. |

doc/31-Changelog.md

@@ -66,6 +66,8 @@
 .PARAMETER ConnectionErrAsCrit
     By default the plugin will return UNKNOWN in case a connection to a webserver is not possible. By using this
     flag, the result will be modified from UNKNOWN to CRITICAL
+.PARAMETER IgnoreSSL
+    Use this flag to ignore SSL errors in case your endpoints are not trusted by the client or you are using self-signed certificates.
 .PARAMETER NoPerfData
     Used to disable PerfData.
 .PARAMETER Verbosity
@@ -105,12 +107,13 @@ function Invoke-IcingaCheckHTTPStatus()
         [switch]$Negate              = $FALSE,
         [switch]$AddOutputContent    = $FALSE,
         [switch]$ConnectionErrAsCrit = $FALSE,
+        [switch]$IgnoreSSL           = $FALSE,
         [switch]$NoPerfData,
         [ValidateSet(0, 1, 2, 3)]
         [int]$Verbosity              = 0
     )
 
-    $HTTPData = (Get-IcingaCheckHTTPQuery -Url $Url -VHost $VHost -Headers $Headers -Timeout $Timeout -Username $Username -Password $Password -ProxyUsername $ProxyUsername -ProxyPassword $ProxyPassword -ProxyServer $ProxyServer -Content $Content -StatusCode $StatusCode -ConnectionErrAsCrit:$ConnectionErrAsCrit);
+    $HTTPData = (Get-IcingaCheckHTTPQuery -Url $Url -VHost $VHost -Headers $Headers -Timeout $Timeout -Username $Username -Password $Password -ProxyUsername $ProxyUsername -ProxyPassword $ProxyPassword -ProxyServer $ProxyServer -Content $Content -StatusCode $StatusCode -ConnectionErrAsCrit:$ConnectionErrAsCrit -IgnoreSSL:$IgnoreSSL -Verbose $Verbosity);
 
     # In case -Minimum isn't set, implied -OperatorAnd
     if ($Minimum -eq -1) {

doc/plugins/25-Invoke-IcingaCheckHTTPStatus.md

@@ -12,7 +12,8 @@ function Get-IcingaCheckHTTPQuery()
         [string]$ProxyServer         = '',
         [array]$Content              = @(),
         [array]$StatusCode           = @(),
-        [switch]$ConnectionErrAsCrit = $FALSE
+        [switch]$ConnectionErrAsCrit = $FALSE,
+        [switch]$IgnoreSSL           = $FALSE
     );
 
     if ($Url.count -eq 0) {
@@ -72,8 +73,11 @@ function Get-IcingaCheckHTTPQuery()
             ) -Force;
         }
 
-        # Receive information
+        if ($IgnoreSSL) {
+            Enable-IcingaUntrustedCertificateValidation -SuppressMessages;
+        }
 
+        # Receive information
         Start-IcingaTimer -Name 'HTTPRequest';
         try {
             $HTTPInformation = (Invoke-WebRequest @InvokeArguments);
@@ -90,6 +94,10 @@ function Get-IcingaCheckHTTPQuery()
         }
         Stop-IcingaTimer -Name 'HTTPRequest';
 
+        if ($IgnoreSSL) {
+            Disable-IcingaUntrustedCertificateValidation -SuppressMessages;
+        }
+
         [hashtable]$HTTPData = @{ };
 
         if (-Not [string]::IsNullOrEmpty($HTTPInformation.Content)) {

plugins/Invoke-IcingaCheckHTTPStatus.psm1

@@ -35,11 +35,15 @@ function Global:Get-IcingaHttpResponse()
     Set-IcingaTLSVersion;
 
     if ($IgnoreSSL) {
-        Enable-IcingaUntrustedCertificateValidation;
+        Enable-IcingaUntrustedCertificateValidation -SuppressMessages;
     }
 
     $response = Invoke-RestMethod -Uri $URI -Method Get -Headers $authHeader -TimeoutSec $Timeout;
 
+    if ($IgnoreSSL) {
+        Disable-IcingaUntrustedCertificateValidation -SuppressMessages;
+    }
+
     Write-IcingaDebugMessage -Message 'Response: {0}' -Objects $response;
 
     return $response;