This is an old revision of the document!


Nagios Centreon NSClient plugin problem: 403

Getting response "403 Your not allowed" from NSClient++ running on Windows over the REST API, although curl works

Problem

https://community.icinga.com/t/getting-response-403-your-not-allowed-from-nsclient-running-on-windows-over-the-rest-api/4005

$ /usr/lib/centreon/plugins/centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='192.168.1.161' --port='8443' --proto='https' --legacy-password='centreon' --insecure --command=check_cpu --arg="warning=time = '5m' and load > 80" --arg="critical=time = '5m' and load > 90" --arg=show-all
UNKNOWN: 403 Forbidden

Whereas curl works:

curl -k -u centreon:centreon https://192.168.1.161:8443/api/v1/scripts/ext?all=true

Analysis - Creating an HTTPS MITM with socat

Unwrap HTTPS by creating an HTTP MITM (HTTPS to HTTP)

socat TCP-LISTEN:8080,fork OPENSSL:10.12.50.161:8443,verify=0

Creating the certificate for the HTTPS encapsulation (HTTP to HTTPS)

See openssl_creer_un_certificat_autosigne_create_a_self-signed_ssl_certificate

FQDN=localhost
 
#openssl genrsa -out plop.key 2048
#openssl req -new -key plop.key -x509  -subj '/CN=localhost'  -out plop.cert
#cat plop.key plop.cert > plop.pem
 
# Or
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -subj "/CN=${FQDN}" -keyout plop.key -out plop.crt
# The socat listener below reads cert=${FQDN}.pem: private key and certificate in a single file
cat plop.key plop.crt > ${FQDN}.pem

Results

Test OK

curl -k -u centreon:centreon https://127.0.0.1:1443/api/v1/scripts/ext?all=true
[root@centreon-central ~]# PORT=1443 FQDN=localhost
[root@centreon-central ~]# socat -v -ls OPENSSL-LISTEN:${PORT},reuseaddr,cert=${FQDN}.pem,verify=0,crlf,fork TCP4:localhost:8080
> 2025/04/04 12:27:38.353691  length=146 from=0 to=145
GET /api/v1/scripts/ext?all=true HTTP/1.1
Host: 127.0.0.1:1443
Authorization: Basic Y2VudHJlb246Y2VudHJlb24=
User-Agent: curl/7.61.1
Accept: */*

< 2025/04/04 12:27:38.378346  length=1681 from=0 to=1680
HTTP/1.1 200\r\r
Content-Length: 1544\r\r
Set-cookie: token=yapnxrpMCARCr4zdGc81tBDKsMlaZTXC; path=/\r\r
Set-cookie: uid=centreon; path=/\r\r
\r\r

Test NOK

/usr/lib/centreon/plugins/centreon_nsclient_restapi.pl --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='127.0.0.1' --port='1443' --proto='https' --legacy-password='centreon' --insecure --command=check_cpu --arg="warning=time = '5m' and load > 80" --arg="critical=time = '5m' and load > 90" --arg=show-all
UNKNOWN: 403 Forbidden
[root@centreon-central ~]# socat -v -ls OPENSSL-LISTEN:${PORT},reuseaddr,cert=${FQDN}.pem,verify=0,crlf,fork TCP4:localhost:8080
> 2025/04/04 12:34:59.797373  length=315 from=0 to=314
GET /query/check_cpu?warning%3Dtime%20%3D%20%275m%27%20and%20load%20%3E%2080&critical%3Dtime%20%3D%20%275m%27%20and%20load%20%3E%2090&show-all HTTP/1.1
TE: deflate,gzip;q=0.3
Keep-Alive: 300
Connection: Keep-Alive, TE
Host: 127.0.0.1:1443
User-Agent: centreon::plugins::backend::http::useragent
Password: centreon

< 2025/04/04 12:34:59.804956  length=59 from=0 to=58
HTTP/1.1 403\r\r
Content-Length: 20\r\r
\r\r
403 Your not allowed

Solution

Add the arguments below for "basic" authentication

  • --basic
  • --credentials
  • --username=centreon
  • --password=centreon
/usr/lib/centreon/plugins/centreon_plugins --plugin=apps::nsclient::restapi::plugin --mode=query --hostname='192.168.1.161' --port='8443' --proto='https' --basic --credentials --username=centreon --password=centreon --insecure --command=check_cpu --arg="warning=time = '5m' and load > 80" --arg="critical=time = '5m' and load > 90" --arg=show-all
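
The two captures in the Results section differ in how the client authenticates: curl sends an Authorization: Basic header, while the plugin run with --legacy-password sends a Password header and receives the 403. The Python script below is an added example, not code from this page or from Centreon: it reads a socat -v dump and reports, per request, the path, the authentication scheme and the response status without echoing the secret. SAMPLE is constructed from the captures above, and the function names are assumptions.

```python
import base64
import re

# Constructed sample, shortened from the two socat -v captures on this page.
SAMPLE = r"""> 2025/04/04 12:27:38.353691  length=146 from=0 to=145
GET /api/v1/scripts/ext?all=true HTTP/1.1
Authorization: Basic Y2VudHJlb246Y2VudHJlb24=

< 2025/04/04 12:27:38.378346  length=1681 from=0 to=1680
HTTP/1.1 200\r\r
> 2025/04/04 12:34:59.797373  length=315 from=0 to=314
GET /query/check_cpu?show-all HTTP/1.1
Password: centreon

< 2025/04/04 12:34:59.804956  length=59 from=0 to=58
HTTP/1.1 403\r\r
"""
MARK = re.compile(r"^([<>]) \d{4}/\d{2}/\d{2} ")   # socat -v direction line
REQ = re.compile(r"^[A-Z]+ (\S+) HTTP/\d")           # HTTP request line
RESP = re.compile(r"^HTTP/[\d.]+ (\d{3})")           # HTTP status line

def auth_scheme(headers):
    """Name the authentication a request carried, never the secret itself."""
    value = headers.get("authorization", "")
    if value.lower().startswith("basic "):
        try:
            user = base64.b64decode(value[6:], validate=True).decode().split(":", 1)[0]
        except ValueError:                           # bad base64 or bad UTF-8
            user = "?"
        return f"basic user={user}"
    return "legacy Password header" if "password" in headers else "none"

def summarize(capture):
    """Return [path, auth scheme, status] for each exchange in a socat -v dump."""
    out, direction, headers = [], None, None
    for raw in capture.splitlines():
        line = raw.replace("\\r", "").strip()        # socat prints CR as a literal \r
        if m := MARK.match(raw):                     # new chunk: headers must restart
            direction, headers = m.group(1), None
        elif not line:                               # blank line ends the header block
            headers = None
        elif direction == ">" and (m := REQ.match(line)):
            out.append([m.group(1).split("?")[0], (headers := {}), None])
        elif direction == ">" and headers is not None and ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        elif direction == "<" and out and out[-1][2] is None and (m := RESP.match(line)):
            out[-1][2] = int(m.group(1))
    return [[path, auth_scheme(h), status] for path, h, status in out]
```

socat -v writes the dump to stderr, so redirect it to a file (2>capture.log) and pass the file's content to summarize(). The dump holds the password and the session token in clear text, so delete it once the diagnosis is done.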

Other socat commands

For testing

socat -v -ls OPENSSL-LISTEN:${PORT},reuseaddr,cert=${FQDN}.pem,verify=0,crlf,fork SYSTEM:"echo HTTP/1.0 200; echo Content-Type\: text/plain; echo; echo \"hello from $(hostname) at \$(date)\""

tech/pb_plugin_nagios_centreon_nsclient_403.1743772822.txt.gz · Last modified: by Jean-Baptiste