matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0

Current 2.4.0 release doesn't check --cn against the certificate but returns OK all the time - is this intended? #299

Closed matteocorti closed 3 years ago

matteocorti commented 3 years ago

Current 2.4.0 release doesn't check --cn against the certificate but returns OK all the time - is this intended?

check_ssl_cert -H localhost -w 30 -c 14 --issuer "Let's Encrypt" --cn 'some random string not in the CN field' -f /etc/ssl/custom-cert/sub.mydomain.crt 
SSL_CERT OK - x509 certificate 'sub.mydomain' from 'R3' valid until Nov 17 06:34:15 2021 GMT (expires in 89 days)|days_chain_elem1=89;30;14;;

_Originally posted by @c0deright in https://github.com/matteocorti/check_ssl_cert/issues/267#issuecomment-901823500_

matteocorti commented 3 years ago

Seems to be a problem only with localhost and `--file`:

The check works (failure) with a remote connection:

$ ./check_ssl_cert -H corti.li --cn uuu --issuer aaa
SSL_CERT CRITICAL corti.li: invalid CN ('corti.li' does not match 'uuu')|days_chain_elem1=53;20;15;; days_chain_elem2=1488;20;15;; days_chain_elem3=1138;20;15;;
Error(s):
    SSL_CERT CRITICAL corti.li: invalid CA ('aaa' does not match 'Let's Encrypt' or 'R3' or 'Internet Security Research Group' or 'ISRG Root X1' or 'Digital Signature Trust Co.' or 'DST Root CA X3')
    SSL_CERT CRITICAL corti.li: invalid CN ('corti.li' does not match 'uuu')

But fails (OK) with a local certificate

$ ./check_ssl_cert -H localhost --cn uuu --issuer 'QuoVadis Trustlink B.V.' -f /etc/pki/tls/certs/matteo.ethz.ch.crt
SSL_CERT OK - x509 certificate 'matteo.ethz.ch' from 'QuoVadis Europe SSL CA G2' valid until Jul 19 07:51:00 2022 GMT (expires in 333 days)|days_chain_elem1=333;20;15;; days_chain_elem2=3257;20;15;; days_chain_elem3=7451;20;15;;

matteocorti commented 3 years ago

The problem seems to be related to -f, which deletes the COMMON_NAME variable.

matteocorti commented 3 years ago

As a quick workaround, you can specify --cn after -f.
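The mechanism behind this report, as an added illustration that is not check_ssl_cert's own code: a constructed option parser whose -f handler resets the variable that --cn already set, so the CN check has nothing to compare against and reports OK (a fail-open check), next to a parser that leaves other options' state alone. The option names, the /path/cert.crt file argument and the certificate CN `sub.mydomain` are stand-ins; the exit codes follow the Nagios convention (0 OK, 2 CRITICAL). It also shows why the ordering workaround above works with the buggy parser.

```shell
#!/bin/sh
# Added example (not from check_ssl_cert): a minimal parser reproducing the
# bug class in this issue, a fixed parser, and the CN check run on both.

# Buggy parser: the -f handler clears COMMON_NAME, discarding a --cn that
# appeared earlier on the command line (constructed to mirror the report).
parse_buggy() {
    COMMON_NAME=''
    FILE=''
    while [ $# -gt 0 ]; do
        case "$1" in
            --cn) COMMON_NAME="$2"; shift 2 ;;
            -f|--file)
                FILE="$2"
                COMMON_NAME=''   # bug: unrelated state reset inside the -f handler
                shift 2 ;;
            *) shift ;;
        esac
    done
    printf '%s\n' "$COMMON_NAME"
}

# Fixed parser: each handler only sets its own variable, so option order
# no longer matters.
parse_fixed() {
    COMMON_NAME=''
    FILE=''
    while [ $# -gt 0 ]; do
        case "$1" in
            --cn) COMMON_NAME="$2"; shift 2 ;;
            -f|--file) FILE="$2"; shift 2 ;;
            *) shift ;;
        esac
    done
    printf '%s\n' "$COMMON_NAME"
}

# CN check as a plugin would run it after parsing: 0 (OK) when no
# expectation was given or the names match, 2 (CRITICAL) on a mismatch.
# An empty expectation is exactly what the buggy parser hands over, which
# is why the mismatch is never reported.
check_cn() {
    expected="$1"; actual="$2"
    if [ -z "$expected" ] || [ "$expected" = "$actual" ]; then
        return 0
    fi
    return 2
}

# Run one scenario and report the plugin-style exit code without aborting
# the script when the check fails.
demo() {
    label="$1"; expected="$2"
    rc=0
    check_cn "$expected" "$CERT_CN" || rc=$?
    printf '%-30s expected_cn=%-6s rc=%s\n' "$label" "'$expected'" "$rc"
}

CERT_CN='sub.mydomain'   # constructed CN standing in for the certificate's subject
demo 'buggy parser, --cn before -f' "$(parse_buggy --cn uuu -f /path/cert.crt)"
demo 'buggy parser, --cn after -f'  "$(parse_buggy -f /path/cert.crt --cn uuu)"
demo 'fixed parser, --cn before -f' "$(parse_fixed --cn uuu -f /path/cert.crt)"
```

The first scenario is the report above: the expectation is lost, so the check returns 0 even though `uuu` does not match `sub.mydomain`. The second is the ordering workaround (rc=2), and the third shows the fixed parser giving rc=2 regardless of order. The defensive lesson for any monitoring check is that a missing expectation should not be silently treated as "nothing to verify" when the operator explicitly asked for one.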

c0deright commented 3 years ago

thanks