Closed jazzl0ver closed 2 years ago
Run it with -vvv
and post the results here... chances are OpenSSL is passing it as ok, and if not we'll see it there.
There is also an anonymize.py
in my DevOps Python Tools repo that you can run the output through to remove FQDNs etc.
Let me start with -vv. If you indeed need -vvv, please, let me know how to send that info to you directly.
# sudo -u nagios /usr/lib64/nagios/plugins/check_ssl_cert.pl -H uat.domain.com -S baddomain.com -P 443 -w 28 -c 14 -vv
verbose mode on
host: uat.domain.com
port: 443
SNI hostname: baddomain.com
warning lower: 28
critical lower: 14
setting timeout to 10 secs
Found CApath from openssl binary as: /etc/pki/tls
* checking validity of cert (chain of trust)
Verify return code: 0 (ok)
* checking domain and expiry on cert
Domain: *.domain.net
Certificate Expires: Dec 29 13:31:36 2021 GMT
* checking expected domain name on cert
checking thresholds
OK: 83 days remaining for '*.domain.net'. Certificate Expires: 'Dec 29 13:31:36 2021 GMT' (w=28/c=14)
you may check by yourself:
/usr/lib64/nagios/plugins/check_ssl_cert.pl -H uat.86b orders.com -S baddomain.com -P 443 -w 28 -c 14 -vvv
(just remove the space between b and o)
I got
CRITICAL: Certificate validation failed, returned 10 (certificate has expired)
That's weird.
check_ssl_cert.pl version 0.10.1 => Hari Sekhon Utils version 1.19.6
Check this out:
# sudo -u nagios /usr/lib64/nagios/plugins/check_ssl_cert.pl -H google.com -S baddomain.com -P 443 -w 28 -c 14 -vv
verbose mode on
host: google.com
port: 443
SNI hostname: baddomain.com
warning lower: 28
critical lower: 14
setting timeout to 10 secs
Found CApath from openssl binary as: /etc/pki/tls
* checking validity of cert (chain of trust)
Verify return code: 0 (ok)
* checking domain and expiry on cert
Domain: *.google.com
Certificate Expires: Nov 20 01:37:28 2021 GMT
* checking expected domain name on cert
checking thresholds
OK: 42 days remaining for '*.google.com'. Certificate Expires: 'Nov 20 01:37:28 2021 GMT' (w=28/c=14)
Iirc SNI is a hint to the other side which cert to return.
If the other side doesn't have a matching cert and returns its default one, then this would explain what you are seeing.
I think what you're looking for it to check that the cert returned supports the given domain, which is done with the --domain
switch or the --subject-alternative-names
for certs that support multiple names you want to check:
check_ssl_cert.pl -H google.com -S baddomain.com -w 28 --domain baddomain.com
CRITICAL: domain '*.google.com' did not match expected domain 'baddomain.com'!
got it. but how to deal with this case?
# sudo -u nagios /usr/lib64/nagios/plugins/check_ssl_cert.pl -H google.com -d google.com -S google.com -P 443 -w 28 -c 14
CRITICAL: domain '*.google.com' did not match expected domain 'google.com'!
It's not very convenient to change the domain parameter manually for every nagios check. Currently the check looks like:
define command{
command_name check_ssl_cert
command_line $USER1$/check_ssl_cert.pl -H $HOSTALIAS$ -P $ARG1$ -S $HOSTALIAS$ -d $HOSTALIAS$
}
In the google case the check would look like:
check_ssl_cert.pl -H google.com -S google.com -w 28 -d '*.google.com'
You'd probably just need a check_ssl_cert_wildcard
nagios definition to use in that case with -d *.$HOSTALIAS$
That will work. Thank you!
I guess the check must fail in this case.