HariSekhon / Nagios-Plugins

450+ AWS, Hadoop, Cloud, Kafka, Docker, Elasticsearch, RabbitMQ, Redis, HBase, Solr, Cassandra, ZooKeeper, HDFS, Yarn, Hive, Presto, Drill, Impala, Consul, Spark, Jenkins, Travis CI, Git, MySQL, Linux, DNS, Whois, SSL Certs, Yum Security Updates, Kubernetes, Cloudera etc...
https://www.linkedin.com/in/HariSekhon

chain of trust validity fails but the check passes #376

Closed jazzl0ver closed 2 years ago

jazzl0ver commented 2 years ago

Hi,

Why does the final cert verification pass while one of the chain certificates is expired?

# sudo -u nagios /usr/lib64/nagios/plugins/check_ssl_cert.pl -H localhost -P 4433 -d \*.domain.com -w 30 -c 1 -vv -C .
verbose mode on

host:                     localhost
port:                     4433
CA path  directory:       .
warning  lower:           30
critical lower:           1
domain:                   domain.com

setting timeout to 10 secs

CA path  directory:       .

* checking validity of cert (chain of trust)
Verify return code: 10 (certificate has expired)

* checking domain and expiry on cert
Domain: *.domain.com
Certificate Expires: Nov  9 07:34:23 2021 GMT

* checking expected domain name on cert

checking thresholds
OK: 33 days remaining for '*.domain.com'. Certificate Expires: 'Nov  9 07:34:23 2021 GMT' (w=30/c=1)
HariSekhon commented 2 years ago

Good question. Looking at the code, there was an exemption for this specific case, but it looks like it's not handled later, as per the comment, so I've removed the exemption. Please git pull and try again; it should give you a critical result in that case.
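
The logic behind the fix, as an added example that is not code from check_ssl_cert.pl or the Nagios-Plugins project: parse the `Verify return code` and `Certificate Expires` lines from the plugin's verbose output shown above, and decide the Nagios state. The `exempt_expired_chain` switch reproduces the pre-fix behaviour, where verify code 10 was waved through and only the leaf's expiry thresholds were applied; the default is the corrected behaviour, where any non-zero chain verification code is CRITICAL before expiry thresholds are even considered. The function names, the sample output and the reference "now" are constructed for the example.

```python
"""Decide a Nagios state from check_ssl_cert.pl-style verbose output.

Added illustration, not the plugin's code. Function names, the sample
output and REFERENCE_NOW are constructed for this example.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: chain verification failed with OpenSSL return code 10
# (certificate has expired) while the leaf certificate itself is still valid.
SAMPLE_VERBOSE_OUTPUT = """\
verbose mode on
* checking validity of cert (chain of trust)
Verify return code: 10 (certificate has expired)
* checking domain and expiry on cert
Domain: *.domain.com
Certificate Expires: Nov  9 07:34:23 2021 GMT
"""

VERIFY_RE = re.compile(r"^Verify return code: (\d+) \((.*)\)$", re.M)
EXPIRES_RE = re.compile(r"^Certificate Expires: (.+)$", re.M)


def parse_verify_code(output):
    """Return (code, message) from the 'Verify return code' line, or None."""
    m = VERIFY_RE.search(output)
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def parse_not_after(output):
    """Parse the 'Certificate Expires' line (OpenSSL notAfter format) as UTC."""
    m = EXPIRES_RE.search(output)
    if not m:
        return None
    # OpenSSL pads single-digit days with a space ('Nov  9 ...'); collapse it.
    text = " ".join(m.group(1).split())
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_remaining(not_after, now):
    """Whole days from `now` until the certificate's notAfter."""
    return (not_after - now).days


def evaluate(output, warn_days, crit_days, now, exempt_expired_chain=False):
    """Return (state, message) in Nagios terms.

    exempt_expired_chain=True mimics the behaviour before the fix: verify
    code 10 was exempted and only the leaf expiry thresholds applied.
    With the default (False), any non-zero verify code is CRITICAL.
    """
    verify = parse_verify_code(output)
    if verify is None:
        return "UNKNOWN", "could not find 'Verify return code' in output"
    code, msg = verify
    if code != 0 and not (exempt_expired_chain and code == 10):
        return "CRITICAL", f"Certificate validation failed, returned {code} ({msg})"
    not_after = parse_not_after(output)
    if not_after is None:
        return "UNKNOWN", "could not find 'Certificate Expires' in output"
    days = days_remaining(not_after, now)
    summary = (f"{days} days remaining. Certificate Expires: "
               f"'{not_after:%b %d %H:%M:%S %Y} GMT' (w={warn_days}/c={crit_days})")
    if days <= crit_days:
        return "CRITICAL", summary
    if days <= warn_days:
        return "WARNING", summary
    return "OK", summary


# Constructed reference time: 33 days before the sample notAfter, so the
# thresholds alone would report "33 days remaining" as in the issue.
REFERENCE_NOW = datetime(2021, 11, 9, 7, 34, 23, tzinfo=timezone.utc) - timedelta(days=33)

if __name__ == "__main__":
    # Pre-fix behaviour: the expired chain member is ignored and the check passes.
    print(evaluate(SAMPLE_VERBOSE_OUTPUT, 30, 1, REFERENCE_NOW, exempt_expired_chain=True))
    # Corrected behaviour: chain verification failure wins.
    print(evaluate(SAMPLE_VERBOSE_OUTPUT, 30, 1, REFERENCE_NOW))
```

The ordering matters: chain verification is evaluated first, and expiry thresholds are only consulted when the chain verified cleanly, so a valid-looking leaf can never mask a broken chain.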

jazzl0ver commented 2 years ago

Awesome! Works perfectly now!

# sudo -u nagios /usr/lib64/nagios/plugins/check_ssl_cert.pl -H localhost -P 4433 -d \*.domain.com -w 30 -c 1 -C .
CRITICAL: Certificate validation failed, returned 10 (certificate has expired)

Thank you very much!