search

Matty9191 / ssl-cert-check

Send notifications when SSL certificates are about to expire.
GNU General Public License v2.0
719 stars 285 forks source link

validing certs without hostname #88

Open cablebender opened 4 years ago

cablebender commented 4 years ago

Hi, my mailserver exim logs "SSL verify error: certificate name mismatch", but your script send me a valid-state. Is it possible that you not check the cert-DN with the hostname? kindly regards

kbabioch commented 4 years ago

This is a very bad bug report. How do you expect someone to help you with so little information? Can you provide the certificate(s) and the exact command line that you're invoking?

I'm not an exim expert, but this log message could mean many things. Is it related to the certificate you're trying to monitor with ssl-cert-check?

cablebender commented 4 years ago

Hi, my script-version is 4.14 I have tested with the arguments "-s mx1.bund.de -p 25" and the answer was "mx1.bund.de:25 Valid Oct 9, 2020 106". But when i tested with https://www.checktls.com/TestReceiver the cert is not valid because its self signed. I have also tested with the arguments "-s mx01.schlund.de -p 25" and your scripts answers the cert is valid, but my log and checktls.com also says the cert is not valid because the hostname in the cert is not the servername. Try it yourself! :-)

kbabioch commented 4 years ago

This script / project is about checking the expiry date of certificates, not about validating the certificate chain(s).

Except from the README:

SSL Certification Expiration Checker:

ssl-cert-check is a Bourne shell script that can be used to report on expiring SSL certificates. The script was designed to be run from cron and can e-mail warnings or log alerts through nagios.

The status column indicates whether the certificate is expiring or not. By default it will warn you, when there are only 30 days left or less:

./ssl-cert-check -s mx1.bund.de -p 25   

Host                                            Status       Expires      Days
----------------------------------------------- ------------ ------------ ----
mx1.bund.de:25                                  Valid        Oct  9, 2020  105

This means that the certificate will expire in 105 days, as such the certificate is Valid. Invoking it with -x 200 will result in the status changing to Expiring.

./ssl-cert-check -s mx1.bund.de -p 25 -x 200

Host                                            Status       Expires      Days
----------------------------------------------- ------------ ------------ ----
mx1.bund.de:25                                  Expiring     Oct  9, 2020  105

If it is already expired, it will output Expired.

If you want to verify the validity / trust chain(s) of certificate, you can use openssl verify, etc.

dairiki commented 2 years ago

Perhaps view this as a feature request, rather than a bug report.

I, for one, think it would be good if ssl-cert-check verified that the server hostname matches the Subject Alternative Name in the server's certificate. People use ssl-cert-check to ensure that certificates are being properly renewed. Having the correct server name in the certificate is a crucial part of being "properly renewed".

PR #92 purports to do this, though I haven't looked at it enough to know if that's the correct solution.