How to Monitor HTTPS Services with Icinga 2: A Complete Configuration Guide for Remote Web Servers




When setting up monitoring for HTTPS services with Icinga 2, there are several critical components to consider:

  • SSL certificate validation
  • Connection timeout thresholds
  • Proper HTTP status code checks
  • Content verification

Here's an improved version of your configuration that properly handles HTTPS monitoring:

object Host "secure-webserver-01" {
    import "generic-host"
    address = "74.125.136.17"
    vars.os = "Linux"
    vars.http_vhosts["https"] = {
        http_uri = "/"
        http_sni = true
        http_ssl = true
        http_certificate = 30
    }
    vars.notification["mail"] = {
        groups = [ "icingaadmins" ]
    }
}

The service check requires more granular control for production environments:

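// http_vhosts is a dictionary, so the loop needs the key => value form
apply Service "https-check" for (vhost => config in host.vars.http_vhosts) {
    import "generic-service"
    check_command = "http"

    // Copy the per-vhost settings (http_uri, http_ssl, ...) into this service
    vars += config

    vars.http_timeout = 10
    // The value is a string passed to the plugin, so it must be quoted
    vars.http_onredirect = "sticky"
    vars.http_expect = "200"

    assign where host.vars.http_vhosts
}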

To test your configuration before applying it to production:

# Test the check manually
icingacli monitoring list services --service="https-check" --verbose

# Check the last check result
icingacli monitoring show service --service="secure-webserver-01!https-check"

Common problems and their solutions:

# If you get SSL verification errors:
vars.http_ssl = "1"
vars.http_ssl_noverify = "1"  # Temporary for testing

# For SNI-enabled hosts:
vars.http_sni = true

# When monitoring returns OK but you're not sure:
vars.http_expect_body = "Gmail"

For large-scale implementations:

  • Set appropriate check intervals (check_interval = 5m)
  • Enable passive checks for critical services
  • Configure event handlers for automatic recovery


When monitoring HTTPS services in Icinga 2, simply checking port 443 isn't sufficient for proper SSL/TLS verification. Your current configuration has several missing components that affect security validation.

Here's the improved host configuration for proper HTTPS monitoring:

object Host "mailserver-01" {
    import "generic-host"
    address = "74.125.136.17"
    vars.os = "Linux"
    vars.http_vhosts["https"] = {
        http_uri = "/"
        http_ssl = true
        http_sni = true
        http_certificate = 30
    }
    vars.notification["mail"] = {
        groups = [ "icingaadmins" ]
    }
}

The service definition needs these critical enhancements:

apply Service "https" {
    import "generic-service"
    check_command = "http"
    vars.http_vhost = "mail.google.com"
    vars.http_ssl = true
    vars.http_sni = true
    vars.http_certificate = 30
    assign where host.name == "mailserver-01"
}

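1. http_ssl: Enables SSL/TLS for the connection to the server
2. http_sni: Server Name Indication for proper host verification
3. http_certificate: Days before expiration to trigger warning (30 in this case). When it is set, check_http checks only the certificate by default, so status-code and content checks belong in a separate service.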

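For comprehensive certificate checking, consider implementing these additional parameters. A custom variable only reaches the plugin if the http CheckCommand maps it to an argument, so confirm each name against the CheckCommand definition shipped with your Icinga 2 version: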

vars.http_critical_time = 10
vars.http_timeout = 30
vars.http_string = "Gmail"
vars.http_ssl_queryscheme = "https"
vars.http_ssl_verify = true

Here's how to monitor multiple HTTPS services with different requirements:

object Host "webcluster" {
    import "generic-host"
    address = "192.0.2.1"
    vars.http_vhosts["secure-app"] = {
        http_uri = "/api/health"
        http_ssl = true
        http_expect = "200"
    }
    vars.http_vhosts["public-site"] = {
        http_uri = "/"
        http_ssl = true
        http_certificate = 15
    }
}

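// The service name is the prefix plus the dictionary key, e.g. "https-secure-app";
// the DSL does not expand ${...} inside the name string
apply Service "https-" for (vhost => config in host.vars.http_vhosts) {
    import "generic-service"
    check_command = "http"
    vars += config
}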

If you encounter validation problems:

  1. Verify Icinga has proper CA certificates installed
  2. Check time synchronization between servers
  3. Test connectivity using openssl manually first
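
The three troubleshooting steps above can be combined into one pre-check run from the Icinga host. This is an added example, not part of the original configuration or of Icinga itself; it uses Python's ssl module rather than the openssl command, and the function names and the single-threshold logic are assumptions for illustration.

```python
# Added example: hypothetical helper names, not Icinga or plugin code.
import socket
import ssl
import sys
from datetime import datetime, timezone


def peer_not_after(address, server_name, port=443, timeout=10):
    """Connect to `address`, send `server_name` via SNI, and return the leaf
    certificate's notAfter string. The default context verifies the chain
    against the system CA store and checks the hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()["notAfter"]


def classify_expiry(not_after, warn_days, now=None):
    """Return (state, days_left) for one warning threshold in days."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days_left = (expires - now).days
    if expires <= now:
        return "CRITICAL", days_left
    if days_left <= warn_days:
        return "WARNING", days_left
    return "OK", days_left


def check(address, server_name, warn_days=30, fetch=peer_not_after, now=None):
    """Run the connection and expiry test; verification failures are CRITICAL."""
    try:
        not_after = fetch(address, server_name)
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain, hostname mismatch, or a skewed local clock
        return "CRITICAL", f"certificate verification failed: {exc}"
    except OSError as exc:
        return "CRITICAL", f"connection failed: {exc}"
    state, days_left = classify_expiry(not_after, warn_days, now)
    return state, f"certificate for {server_name} expires in {days_left} days ({not_after})"


if __name__ == "__main__":
    # Usage: python3 tls_precheck.py <address> <server_name> [warn_days]
    addr, name = sys.argv[1], sys.argv[2]
    days = int(sys.argv[3]) if len(sys.argv) > 3 else 30
    state, message = check(addr, name, days)
    print(f"{state}: {message}")
    sys.exit({"OK": 0, "WARNING": 1, "CRITICAL": 2}[state])
```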