check_ssl_cert
Severe performance regression after 2.2.0 (debian bullseye -> bookworm)
Describe the bug
Seeing high CPU usage and load on icinga2 master after upgrade to bookworm:
- 100% vs 20% CPU usage on two (virtual) cores
- Load about 130 vs less than 3 before
- Lots of check_ssl_cert checks time out
Bookworm should have version 2.60.0 of check_ssl_cert, but same issue with 2.70.
Using the old 2.2.0 script (with a small patch for the new "-m|--match" option) fixes the issue.
To Reproduce
- icinga master on two cores of AMD EPYC 7313P
- 4GB memory (2GB swap) - not an issue, swap is completely free, almost 3GB "avail Mem" in top.
- about 300 SSL checks: mostly Active Directory Domain Controllers: IPv4+IPv6 (if present), LDAP + LDAPS, normal port + global catalog - quite a few variations for each host.
Expected behavior
Less CPU usage, no timeouts, ...
System (please complete the following information):
- OS: Debian
- OS version: bookworm (12)
- check_ssl_cert version: 2.60.0 and 2.70.0
- OpenSSL version (openssl version): OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)
Additional context/output
Invocations look like this:
/usr/lib/nagios/plugins/check_ssl_cert --no-ssl3 --no-tls1 --no-tls1_1 -H $IPADDRESS -P ldap -c 14 -m $SERVERNAME -p 3268 -r /etc/ssl/trusted-cas.crt -w 30
Manual calls usually work, but are slower than before.