matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0

Cannot verify certificate: unable to get local issuer certificate #135

Closed Lmuyue closed 5 years ago

Lmuyue commented 5 years ago

Hello,

I attempted to use the plugin check_ssl_cert to check the certificate of lrccaw.jaguar.com.cn, whose certificate was recently updated by the customer, but I got the errors below:

[DBG] ROOT_CA =
[DBG] cURL binary needed. SSL Labs = , OCSP = 1
[DBG] cURL binary not specified
[DBG] cURL available: /usr/bin/curl
expect not available
timeout available (/usr/bin/timeout)
[DBG] perl available: /usr/bin/perl
[DBG] date available: /bin/date
found GNU date with timestamp support: enabling date computations
[DBG] check_ssl_cert version: 1.85.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
[DBG] OpenSSL configuration directory: /etc/pki/tls
[DBG] 153 root certificates installed by default
[DBG] System info: Linux cnprodmon007 2.6.32-696.3.2.el6.x86_64 #1 SMP Wed Jun 7 11:51:39 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername lrccaw.jaguar.com.cn
'/usr/bin/openssl s_client' does not support '-xmpphost': disabling 'to' attribute
[DBG] temporary file /tmp/check_ssl_cert8XWK6R created
[DBG] temporary file /tmp/check_ssl_certF0WPiX created
[DBG] temporary file /tmp/check_ssl_certPqXy1H created
[DBG] temporary file /tmp/check_ssl_certxcKiqj created
downloading certificate to /tmp
[DBG] lrccaw.jaguar.com.cn is not an IP address
[DBG] executing with timeout (15s): echo 'HEAD / HTTP/1.1\nHost: lrccaw.jaguar.com.cn\nUser-Agent: check_ssl_cert/1.85.0\nConnection: close\n\n' | /usr/bin/openssl s_client -crlf -ign_eof -connect lrccaw.jaguar.com.cn:443 -servername lrccaw.jaguar.com.cn -showcerts -verify 6 2> /tmp/check_ssl_certF0WPiX 1> /tmp/check_ssl_cert8XWK6R
[DBG] /usr/bin/timeout 15 /bin/sh -c "echo 'HEAD / HTTP/1.1\nHost: lrccaw.jaguar.com.cn\nUser-Agent: check_ssl_cert/1.85.0\nConnection: close\n\n' | /usr/bin/openssl s_client -crlf -ign_eof -connect lrccaw.jaguar.com.cn:443 -servername lrccaw.jaguar.com.cn -showcerts -verify 6 2> /tmp/check_ssl_certF0WPiX 1> /tmp/check_ssl_cert8XWK6R"
[DBG] storing a copy of the retrieved certificate in lrccaw.jaguar.com.cn.crt
[DBG] storing a copy of the OpenSSL errors in lrccaw.jaguar.com.cn.error
parsing the x509 certificate file
[DBG] subject= C = GB, ST = West Midlands, L = Coventry, O = Jaguar Cars limited, CN = lrccaw.jaguar.com.cn
[DBG] CN = lrccaw.jaguar.com.cn
[DBG] CA = GlobalSign RSA OV SSL CA 2018
[DBG] SERIAL = 518FE95098C91717DA5D3341
[DBG] FINGERPRINT= A6:4A:EA:B3:CA:55:49:AB:08:BD:A1:C7:1B:7D:F4:0D:39:06:61:9B
[DBG] OCSP_URI = http://ocsp.globalsign.com/gsrsaovsslca2018
[DBG] ISSUER_URI = http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt
[DBG] Signature Algorithm: sha256WithRSAEncryption
[DBG] Date computations: GNU
The certificate will expire in 710 day(s)
[DBG] subjectAlternativeName = lrccaw.jaguar.com.cn
[DBG] Checking expiration date
[DBG] executing: /usr/bin/openssl x509 -in /tmp/check_ssl_cert8XWK6R -noout -checkend 604800
[DBG] executing: /usr/bin/openssl x509 -in /tmp/check_ssl_cert8XWK6R -noout -checkend 2592000
[DBG] Checking revokation via OCSP
[DBG] OCSP: fetching issuer certificate http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt to /tmp/check_ssl_certPqXy1H
[DBG] executing with timeout (15s): /usr/bin/curl --silent --location http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt > /tmp/check_ssl_certPqXy1H
[DBG] /usr/bin/timeout 15 /bin/sh -c "/usr/bin/curl --silent --location http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt > /tmp/check_ssl_certPqXy1H"
[DBG] OCSP: issuer certificate type: data
[DBG] OCSP: converting issuer certificate from DER to PEM
[DBG] OCSP: storing a copy of the retrieved issuer certificate to gsrsaovsslca2018.crt
[DBG] OCSP: host = ocsp.globalsign.com
[DBG] openssl ocsp supports the -header option
[DBG] openssl ocsp -header requires 'key value'
[DBG] executing /usr/bin/openssl ocsp -no_nonce -issuer /tmp/check_ssl_certPqXy1H -cert /tmp/check_ssl_cert8XWK6R -url http://ocsp.globalsign.com/gsrsaovsslca2018 -header HOST ocsp.globalsign.com
[DBG] OCSP: response = Response Verify Failure
[DBG] OCSP: response = 140061391054664:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer certificate
[DBG] OCSP: response = /tmp/check_ssl_cert8XWK6R: good
[DBG] OCSP: response = This Update: Jul 15 08:36:58 2019 GMT
[DBG] OCSP: response = Next Update: Jul 19 08:36:58 2019 GMT
[DBG] Error: verify depth is 6
[DBG] Error: depth=0 C = GB, ST = West Midlands, L = Coventry, O = Jaguar Cars limited, CN = lrccaw.jaguar.com.cn
[DBG] Error: verify error:num=20:unable to get local issuer certificate
[DBG] Error: verify return:1
[DBG] Error: depth=0 C = GB, ST = West Midlands, L = Coventry, O = Jaguar Cars limited, CN = lrccaw.jaguar.com.cn
[DBG] Error: verify error:num=27:certificate not trusted
[DBG] Error: verify return:1
[DBG] Error: depth=0 C = GB, ST = West Midlands, L = Coventry, O = Jaguar Cars limited, CN = lrccaw.jaguar.com.cn
[DBG] Error: verify error:num=21:unable to verify the first certificate
[DBG] Error: verify return:1
[DBG] cleaning up temporary files
[DBG] /tmp/check_ssl_cert8XWK6R
[DBG] /tmp/check_ssl_certF0WPiX
[DBG] /tmp/check_ssl_certPqXy1H
[DBG] /tmp/check_ssl_certxcKiqj
SSL_CERT CRITICAL lrccaw.jaguar.com.cn: Cannot verify certificate: unable to get local issuer certificate, certificate not trusted, unable to verify the first certificate|days=710;30;7;;

But it works when checking lrccaw.landrover.com.cn; compared with the previous one, the two certificates are issued by different CAs. All the other working checks are for certificates issued by GlobalSign Organization Validation CA - SHA256 - G2.

I also went through other articles, but I still have no idea how to fix the issue. It would be much appreciated if someone could help with this.

The check below is OK:

[DBG] ROOT_CA =
[DBG] cURL binary needed. SSL Labs = , OCSP = 1
[DBG] cURL binary not specified
[DBG] cURL available: /usr/bin/curl
expect not available
timeout available (/usr/bin/timeout)
[DBG] perl available: /usr/bin/perl
[DBG] date available: /bin/date
found GNU date with timestamp support: enabling date computations
[DBG] check_ssl_cert version: 1.85.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
[DBG] OpenSSL configuration directory: /etc/pki/tls
[DBG] 153 root certificates installed by default
[DBG] System info: Linux cnprodmon007 2.6.32-696.3.2.el6.x86_64 #1 SMP Wed Jun 7 11:51:39 EDT 2017 x86_64 x86_64 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername lrccaw.landrover.com.cn
'/usr/bin/openssl s_client' does not support '-xmpphost': disabling 'to' attribute
[DBG] temporary file /tmp/check_ssl_cert76in2a created
[DBG] temporary file /tmp/check_ssl_certn7IpMo created
[DBG] temporary file /tmp/check_ssl_certWxC7IL created
[DBG] temporary file /tmp/check_ssl_cert4aZHIC created
downloading certificate to /tmp
[DBG] lrccaw.landrover.com.cn is not an IP address
[DBG] executing with timeout (15s): echo 'HEAD / HTTP/1.1\nHost: lrccaw.landrover.com.cn\nUser-Agent: check_ssl_cert/1.85.0\nConnection: close\n\n' | /usr/bin/openssl s_client -crlf -ign_eof -connect lrccaw.landrover.com.cn:443 -servername lrccaw.landrover.com.cn -showcerts -verify 6 2> /tmp/check_ssl_certn7IpMo 1> /tmp/check_ssl_cert76in2a
[DBG] /usr/bin/timeout 15 /bin/sh -c "echo 'HEAD / HTTP/1.1\nHost: lrccaw.landrover.com.cn\nUser-Agent: check_ssl_cert/1.85.0\nConnection: close\n\n' | /usr/bin/openssl s_client -crlf -ign_eof -connect lrccaw.landrover.com.cn:443 -servername lrccaw.landrover.com.cn -showcerts -verify 6 2> /tmp/check_ssl_certn7IpMo 1> /tmp/check_ssl_cert76in2a"
[DBG] storing a copy of the retrieved certificate in lrccaw.landrover.com.cn.crt
[DBG] storing a copy of the OpenSSL errors in lrccaw.landrover.com.cn.error
parsing the x509 certificate file
[DBG] subject= C = GB, ST = West Midlands, L = Coventry, O = Jaguar Land Rover Limited, CN = lrccaw.landrover.com.cn
[DBG] CN = lrccaw.landrover.com.cn
[DBG] CA = GlobalSign Organization Validation CA - SHA256 - G2
[DBG] CA = GlobalSign Root CA
[DBG] SERIAL = 2FF9FD20D352B95DFA1C18BF
[DBG] FINGERPRINT= B4:F7:DD:B0:7A:75:4A:FF:15:4B:70:71:48:54:25:0D:9D:4A:C5:71
[DBG] OCSP_URI = http://ocsp2.globalsign.com/gsorganizationvalsha2g2
[DBG] ISSUER_URI = http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt
[DBG] Signature Algorithm: sha256WithRSAEncryption
[DBG] Date computations: GNU
The certificate will expire in 74 day(s)
[DBG] subjectAlternativeName = lrccaw.landrover.com.cn
[DBG] Checking expiration date
[DBG] executing: /usr/bin/openssl x509 -in /tmp/check_ssl_cert76in2a -noout -checkend 604800
[DBG] executing: /usr/bin/openssl x509 -in /tmp/check_ssl_cert76in2a -noout -checkend 2592000
[DBG] Checking revokation via OCSP
[DBG] OCSP: fetching issuer certificate http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt to /tmp/check_ssl_certWxC7IL
[DBG] executing with timeout (15s): /usr/bin/curl --silent --location http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt > /tmp/check_ssl_certWxC7IL
[DBG] /usr/bin/timeout 15 /bin/sh -c "/usr/bin/curl --silent --location http://secure.globalsign.com/cacert/gsorganizationvalsha2g2r1.crt > /tmp/check_ssl_certWxC7IL"
[DBG] OCSP: issuer certificate type: data
[DBG] OCSP: converting issuer certificate from DER to PEM
[DBG] OCSP: storing a copy of the retrieved issuer certificate to gsorganizationvalsha2g2r1.crt
[DBG] OCSP: host = ocsp2.globalsign.com
[DBG] openssl ocsp supports the -header option
[DBG] openssl ocsp -header requires 'key value'
[DBG] executing /usr/bin/openssl ocsp -no_nonce -issuer /tmp/check_ssl_certWxC7IL -cert /tmp/check_ssl_cert76in2a -url http://ocsp2.globalsign.com/gsorganizationvalsha2g2 -header HOST ocsp2.globalsign.com
[DBG] OCSP: response = Response Verify Failure
[DBG] OCSP: response = 139775977330504:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:126:Verify error:unable to get local issuer certificate
[DBG] OCSP: response = /tmp/check_ssl_cert76in2a: good
[DBG] OCSP: response = This Update: Jul 15 11:18:13 2019 GMT
[DBG] OCSP: response = Next Update: Jul 19 11:18:13 2019 GMT
SSL_CERT OK - x509 certificate 'lrccaw.landrover.com.cn' from 'GlobalSign Organization Validation CA - SHA256 - G2' valid until Sep 28 09:31:05 2019 GMT (expires in 74 days)|days=74;30;7;;
[DBG] cleaning up temporary files
[DBG] /tmp/check_ssl_cert76in2a
[DBG] /tmp/check_ssl_certn7IpMo
[DBG] /tmp/check_ssl_certWxC7IL
[DBG] /tmp/check_ssl_cert4aZHIC

matteocorti commented 5 years ago

Your chain of trust is incomplete: check https://www.ssllabs.com/ssltest/analyze.html?d=lrccaw.jaguar.com.cn&latest
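The maintainer's diagnosis matches the debug output: in the failing run OpenSSL only ever reports a certificate at depth=0 and stops with verify error 20, which is what happens when the server presents the leaf without the intermediate (here GlobalSign RSA OV SSL CA 2018) that links it to a root in the local store, whereas the working run lists two CA names. The shell example below is added here and is not part of check_ssl_cert or of this thread. It builds a throwaway root / intermediate / leaf hierarchy with openssl, reproduces the "unable to get local issuer certificate" failure when only the leaf is offered, shows that supplying the intermediate as untrusted input makes the same leaf verify, and lists which issuers are missing from a bundle of server-sent certificates, which is the evidence a monitoring engineer wants before asking the server owner to fix their chain. Every name in it (Example Root CA, Example Intermediate CA, www.example.invalid) is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of check_ssl_cert: reproduce the "unable to get local
# issuer certificate" failure with a throwaway CA hierarchy generated here, and
# show which issuer a server forgot to send. All names are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate root (self-signed) -> intermediate -> leaf.
make_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.invalid\n' > "$WORK/leaf.ext"

    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/root.key" \
        -out "$WORK/root.csr" -subj "/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/inter.key" \
        -out "$WORK/inter.csr" -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null

    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$WORK/leaf.key" \
        -out "$WORK/leaf.csr" -subj "/CN=www.example.invalid" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Verify a leaf against the trust store plus whatever extra certificates the
# server sent with it (none, in the failing case). Prints OpenSSL's verdict.
verify_sent() {   # $1 = trusted roots, $2 = leaf, $3 = sent intermediates (optional)
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 || true
    else
        openssl verify -CAfile "$1" "$2" 2>&1 || true
    fi
}

# Walk every certificate in a PEM bundle (what "openssl s_client -showcerts"
# captures) and print the subject of each issuer that appears neither in the
# bundle nor in the trust store: the certificates the server failed to send.
chain_gaps() {    # $1 = bundle of sent certificates, $2 = trusted roots
    all=$(cat "$1" "$2")
    n=$(printf '%s\n' "$all" | grep -c 'BEGIN CERTIFICATE')
    subjects=""; issuers=""
    i=1
    while [ "$i" -le "$n" ]; do
        cert=$(printf '%s\n' "$all" | awk -v k="$i" '/BEGIN CERTIFICATE/{c++} c==k')
        s=$(printf '%s\n' "$cert" | openssl x509 -noout -subject); s=${s#*=}
        x=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer);  x=${x#*=}
        subjects="$subjects$s
"
        # A self-signed root ends the chain; it is not missing anything.
        [ "$s" = "$x" ] || issuers="$issuers$x
"
        i=$((i + 1))
    done
    printf '%s' "$issuers" | while IFS= read -r x; do
        printf '%s\n' "$subjects" | grep -Fxq -- "$x" || printf '%s\n' "$x"
    done
}

make_chain
cat "$WORK/leaf.pem" > "$WORK/sent_leaf_only.pem"                  # misconfigured server
cat "$WORK/leaf.pem" "$WORK/inter.pem" > "$WORK/sent_full.pem"     # correct server

echo "== server sends only the leaf =="
verify_sent "$WORK/root.pem" "$WORK/leaf.pem"
echo "issuers missing from the sent chain:"
chain_gaps "$WORK/sent_leaf_only.pem" "$WORK/root.pem"

echo "== server sends leaf + intermediate =="
verify_sent "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/sent_full.pem"
echo "issuers missing from the sent chain:"
chain_gaps "$WORK/sent_full.pem" "$WORK/root.pem"
```

Against a live host the bundle handed to chain_gaps is the output of the same openssl s_client -showcerts call that check_ssl_cert logs above, and the missing issuer it names is the one whose download URL the plugin already prints as ISSUER_URI. Fixing the gap belongs on the server (install the intermediate in the served chain); fetching it on the monitoring side only masks a problem that every client without that CA cached will still hit.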