Closed matteocorti closed 3 years ago
Seems to be a problem only with localhost and `--file`:
The check works (failure) with a remote connection:
```
$ ./check_ssl_cert -H corti.li --cn uuu --issuer aaa
SSL_CERT CRITICAL corti.li: invalid CN ('corti.li' does not match 'uuu')|days_chain_elem1=53;20;15;; days_chain_elem2=1488;20;15;; days_chain_elem3=1138;20;15;;
Error(s):
SSL_CERT CRITICAL corti.li: invalid CA ('aaa' does not match 'Let's Encrypt' or 'R3' or 'Internet Security Research Group' or 'ISRG Root X1' or 'Digital Signature Trust Co.' or 'DST Root CA X3')
SSL_CERT CRITICAL corti.li: invalid CN ('corti.li' does not match 'uuu')
```
But fails (OK) with a local certificate
```
$ ./check_ssl_cert -H localhost --cn uuu --issuer 'QuoVadis Trustlink B.V.' -f /etc/pki/tls/certs/matteo.ethz.ch.crt
SSL_CERT OK - x509 certificate 'matteo.ethz.ch' from 'QuoVadis Europe SSL CA G2' valid until Jul 19 07:51:00 2022 GMT (expires in 333 days)|days_chain_elem1=333;20;15;; days_chain_elem2=3257;20;15;; days_chain_elem3=7451;20;15;;
```
The problem seems to be related to `-f`, which deletes the `COMMON_NAME` variable.
As a quick workaround you can specify `--cn` after `-f`.
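A constructed model of the ordering bug described in the comment above, added here as an example and not taken from check_ssl_cert's source: the parser functions, `run_check`, `order_independent` and the hard-coded `CERT_CN` are assumptions for illustration. It shows why clearing `COMMON_NAME` in the `-f` branch makes the check fail open, and a regression check that the verdict does not depend on option order.

```shell
#!/bin/sh
# Constructed model of the option loop; NOT check_ssl_cert's actual source.
CERT_CN='matteo.ethz.ch'   # stands in for the subject CN read from the -f file

# Buggy parser: the -f branch clears COMMON_NAME (assumed mechanism),
# so a --cn given earlier on the command line is silently dropped.
parse_buggy() {
    COMMON_NAME=''; FILE=''
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --cn)      COMMON_NAME="$2"; shift 2 ;;
            -f|--file) FILE="$2"; COMMON_NAME=''; shift 2 ;;
            *)         shift ;;
        esac
    done
}

# Fixed parser: each option only sets its own variable.
parse_fixed() {
    COMMON_NAME=''; FILE=''
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --cn)      COMMON_NAME="$2"; shift 2 ;;
            -f|--file) FILE="$2"; shift 2 ;;
            *)         shift ;;
        esac
    done
}

# run_check PARSER ARGS...: prints OK or CRITICAL, like the plugin's status word.
# An empty COMMON_NAME means "no CN requested", which is why the bug fails open.
run_check() {
    parser="$1"; shift
    "$parser" "$@"
    if [ -n "$COMMON_NAME" ] && [ "$COMMON_NAME" != "$CERT_CN" ]; then
        echo CRITICAL
    else
        echo OK
    fi
}

# Regression check: a wrong --cn must be CRITICAL in either option order.
order_independent() {
    a=$(run_check "$1" --cn uuu -f cert.crt)
    b=$(run_check "$1" -f cert.crt --cn uuu)
    [ "$a" = "$b" ] && [ "$a" = CRITICAL ]
}
```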
thanks
Current 2.4.0 release doesn't check --cn against the certificate but returns OK all the time - is this intended?
_Originally posted by @c0deright in https://github.com/matteocorti/check_ssl_cert/issues/267#issuecomment-901823500_