ProgrammersOfVilnius / pov-check-health

Debian package that runs basic system health monitoring checks hourly from cron
https://launchpad.net/~pov/+archive/ppa

checkcert_* do not verify SANs??? #22

Open mgedmin opened 6 years ago

mgedmin commented 6 years ago

I had

checkcert_imaps mail.pov.lt
checkcert_ssmtp mail.pov.lt

pass when the SSL certs for mail.pov.lt listed only fridge.pov.lt (and a bunch of other SANs) but no mail.pov.lt.

I can reproduce:

checkcert mail.pov.lt

says OK, even though fridge.pov.lt does not serve a SAN for mail.pov.lt!

mgedmin commented 6 years ago

Note that the underlying tools from underlying monitoring-plugins do not support this, e.g. /usr/lib/nagios/plugins/check_http --help says:

Please note that this plugin does not check if the presented server certificate matches the hostname of the server, or if the certificate has a valid chain of trust to one of the locally installed CAs.

mgedmin commented 6 years ago

Consider ssl-cert-check as an alternative. It's packaged in Ubuntu.
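
Added example (not part of the issue thread or of the pov-check-health code): a Python version of the check this issue asks for, which compares the requested hostname against the certificate's DNS SANs before looking at the expiry date. The certificate dict is constructed in the shape returned by `ssl.SSLSocket.getpeercert()`; the function names, the 30-day threshold, the wildcard SAN and the dates are assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# As in the issue, fridge.pov.lt is listed and mail.pov.lt is not; the wildcard
# entry and the expiry date are made up for illustration.
SAMPLE_CERT = {
    "subject": ((("commonName", "fridge.pov.lt"),),),
    "subjectAltName": (("DNS", "fridge.pov.lt"), ("DNS", "*.example.org")),
    "notAfter": "Jan  1 00:00:00 2031 GMT",
}

def days_left(cert, now):
    """Expiry-only view of the certificate: names are not looked at."""
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days

def san_matches(pattern, hostname):
    """Match one DNS SAN; '*' is accepted only as the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not h[0]:
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one label and never for a whole TLD.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def check_cert(cert, hostname, now, warn_days=30):
    """Return (ok, message); a name mismatch fails even far from expiry."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(san_matches(n, hostname) for n in names):
        return False, f"{hostname} is not among the certificate SANs {names}"
    left = days_left(cert, now)
    if left < warn_days:
        return False, f"certificate expires in {left} days"
    return True, f"OK, {left} days until expiry"

if __name__ == "__main__":
    now = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo
    for host in ("fridge.pov.lt", "mail.pov.lt"):
        print(host, days_left(SAMPLE_CERT, now), check_cert(SAMPLE_CERT, host, now))
```

For a live check, `ssl.create_default_context()` already performs chain and hostname verification during the handshake when the socket is wrapped with `server_hostname` set.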