sni substitution does not work as expected

[jazzl0ver]

# sudo -u nagios /usr/lib64/nagios/plugins/check_ssl_cert.pl -H uat.domain.com -S baddomain.com -P 443 -w 28 -c 14
OK: 83 days remaining for '*.domain.net'. Certificate Expires: 'Dec 29 13:31:36 2021 GMT'

I guess the check must fail in this case.

[HariSekhon]

Run it with -vvv and post the results here... chances are OpenSSL is passing it as ok, and if not we'll see it there.

There is also an anonymize.py in my DevOps Python Tools repo that you can run the output through to remove FQDNs etc.

[jazzl0ver]

Let me start with -vv. If you indeed need -vvv, please, let me know how to send that info to you directly.

# sudo -u nagios /usr/lib64/nagios/plugins/check_ssl_cert.pl -H uat.domain.com -S baddomain.com -P 443 -w 28 -c 14 -vv
verbose mode on

host:                     uat.domain.com
port:                     443
SNI hostname:             baddomain.com
warning  lower:           28
critical lower:           14

setting timeout to 10 secs

Found CApath from openssl binary as: /etc/pki/tls

* checking validity of cert (chain of trust)
Verify return code: 0 (ok)

* checking domain and expiry on cert
Domain: *.domain.net
Certificate Expires: Dec 29 13:31:36 2021 GMT

* checking expected domain name on cert

checking thresholds
OK: 83 days remaining for '*.domain.net'. Certificate Expires: 'Dec 29 13:31:36 2021 GMT' (w=28/c=14)

[jazzl0ver]

you may check by yourself:

/usr/lib64/nagios/plugins/check_ssl_cert.pl -H uat.86b orders.com -S baddomain.com -P 443 -w 28 -c 14 -vvv

(just remove the space between b and o)

[HariSekhon]

I got

CRITICAL: Certificate validation failed, returned 10 (certificate has expired)

[jazzl0ver]

That's weird.

check_ssl_cert.pl version 0.10.1  =>  Hari Sekhon Utils version 1.19.6

[jazzl0ver]

Check this out:

# sudo -u nagios /usr/lib64/nagios/plugins/check_ssl_cert.pl -H google.com -S baddomain.com -P 443 -w 28 -c 14 -vv
verbose mode on

host:                     google.com
port:                     443
SNI hostname:             baddomain.com
warning  lower:           28
critical lower:           14

setting timeout to 10 secs

Found CApath from openssl binary as: /etc/pki/tls

* checking validity of cert (chain of trust)
Verify return code: 0 (ok)

* checking domain and expiry on cert
Domain: *.google.com
Certificate Expires: Nov 20 01:37:28 2021 GMT

* checking expected domain name on cert

checking thresholds
OK: 42 days remaining for '*.google.com'. Certificate Expires: 'Nov 20 01:37:28 2021 GMT' (w=28/c=14)

[HariSekhon]

Iirc SNI is a hint to the other side which cert to return.

If the other side doesn't have a matching cert and returns its default one, then this would explain what you are seeing.

I think what you're looking for it to check that the cert returned supports the given domain, which is done with the --domain switch or the --subject-alternative-names for certs that support multiple names you want to check:

check_ssl_cert.pl -H google.com -S baddomain.com -w 28 --domain baddomain.com
CRITICAL: domain '*.google.com' did not match expected domain 'baddomain.com'! 

[jazzl0ver]

got it. but how to deal with this case?

# sudo -u nagios /usr/lib64/nagios/plugins/check_ssl_cert.pl -H google.com -d google.com -S google.com -P 443 -w 28 -c 14
CRITICAL: domain '*.google.com' did not match expected domain 'google.com'!

It's not very convenient to change the domain parameter manually for every nagios check. Currently the check looks like:

define command{
        command_name                    check_ssl_cert
        command_line                    $USER1$/check_ssl_cert.pl -H $HOSTALIAS$ -P $ARG1$ -S $HOSTALIAS$ -d $HOSTALIAS$
}

[HariSekhon]

In the google case the check would look like:

check_ssl_cert.pl -H google.com -S google.com -w 28 -d '*.google.com'

You'd probably just need a check_ssl_cert_wildcard nagios definition to use in that case with -d *.$HOSTALIAS$

[jazzl0ver]

That will work. Thank you!