matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0

Getting SSL_CERT CRITICAL xfiles.roechling-automotive.com: OCSP error #320

Closed tsteuerer closed 2 years ago

tsteuerer commented 2 years ago

I get an OCSP error on all of our domains. So I did a check on some external domains and found, e.g., that a check on heise.de works, but a check on www.heise.de throws an OCSP error as well. Heise is the most popular publisher of IT magazines here in Germany, so I think their certificates are in order. I could disable the OCSP check with --ignore-ocsp; then the checks succeed, but the OCSP check is exactly what I need, because we ran into an issue with revoked certificates before.

To Reproduce

./check_ssl_cert -H xfiles.roechling-automotive.com
./check_ssl_cert -H www.heise.de

System

Output of ./check_ssl_cert -H xfiles.roechling-automotive.com -d

[DBG] Command line arguments: -H xfiles.roechling-automotive.com -d
[DBG] SNI         =
[DBG] HOST_NAME   = xfiles.roechling-automotive.com
[DBG] HOST_ADDR   = xfiles.roechling-automotive.com
[DBG] COMMON_NAME = __HOST__
[DBG] COMMON_NAME = xfiles.roechling-automotive.com
[DBG] -c specified: 15
[DBG] -w specified: 20
[DBG] ROOT_CA =
[DBG] file version: file-5.38
[DBG] magic file from /etc/magic:/usr/share/misc/magic
[DBG] cURL binary needed. SSL Labs = , OCSP = 1, CURL = , IGNORE_CONNECTION_STATE=
[DBG] cURL binary not specified
[DBG] cURL available: /usr/bin/curl
[DBG] curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
[DBG] Release-Date: 2020-01-08
[DBG] Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
[DBG] Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
[DBG] nmap binary not needed. No disallowed protocols
[DBG] perl available: /usr/bin/perl
[DBG] date available: /usr/bin/date
[DBG] checking date version
[DBG] date computation type: GNU
[DBG] check_ssl_cert version: 2.9.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL info:
[DBG] OpenSSL 1.1.1f  31 Mar 2020
[DBG] built on: Mon Aug 23 17:02:39 2021 UTC
[DBG] platform: debian-amd64
[DBG] options:  bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
[DBG] compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-JWge0V/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
[DBG] OPENSSLDIR: "/usr/lib/ssl"
[DBG] ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
[DBG] Seeding source: os-specific
[DBG] OpenSSL configuration directory: /usr/lib/ssl
[DBG] 0 root certificates installed by default
[DBG]  System info: Linux derz-srv-netmgmt 5.4.0-88-generic #99-Ubuntu SMP Thu Sep 23 17:29:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername xfiles.roechling-automotive.com
[DBG] Proxy settings (before):
[DBG]   http_proxy  =
[DBG]   https_proxy =
[DBG]   HTTP_PROXY  =
[DBG]   HTTPS_PROXY =
[DBG] Proxy settings (after):
[DBG]   http_proxy  =
[DBG]   https_proxy =
[DBG]   HTTP_PROXY  =
[DBG]   HTTPS_PROXY =
[DBG]   s_client    =
[DBG]   cURL        =
[DBG] '/usr/bin/openssl s_client' supports '-name': using derz-srv-netmgmt
[DBG] '/usr/bin/openssl s_client' supports '-xmpphost': using -xmpphost xfiles.roechling-automotive.com
[DBG] temporary file /tmp/WXSz5u created
[DBG] temporary file /tmp/BauvOc created
[DBG] temporary file /tmp/sBRGB9 created
[DBG] temporary file /tmp/qsF1dX created
[DBG] temporary file /tmp/Ybr157 created
[DBG] temporary file /tmp/ka9FVY created
[DBG] temporary file /tmp/6YZIqg created
[DBG] xfiles.roechling-automotive.com is not an IP address
[DBG] Adding -ign_eof to the options
[DBG] fetch_certificate: PROTICOL =
[DBG] executing with timeout (120s): printf 'HEAD / HTTP/1.1
[DBG] Host: xfiles.roechling-automotive.com
[DBG] User-Agent: check_ssl_cert/2.9.0
[DBG] Connection: close
[DBG]
[DBG] ' | /usr/bin/openssl s_client    -crlf -ign_eof  -connect xfiles.roechling-automotive.com:443 -servername xfiles.roechling-automotive.com   -showcerts -verify 6       2> /tmp/BauvOc 1> /tmp/WXSz5u
[DBG]   start time = 1633423263
[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'HEAD / HTTP/1.1
[DBG] Host: xfiles.roechling-automotive.com
[DBG] User-Agent: check_ssl_cert/2.9.0
[DBG] Connection: close
[DBG]
[DBG] ' | /usr/bin/openssl s_client    -crlf -ign_eof  -connect xfiles.roechling-automotive.com:443 -servername xfiles.roechling-automotive.com   -showcerts -verify 6       2> /tmp/BauvOc 1> /tmp/WXSz5u"
[DBG]   end time = 1633423263
[DBG]   new timeout = 120
[DBG] Return value of the command = 0
[DBG] checking TLS renegotiation
[DBG] executing with timeout (120s): printf 'R
[DBG] ' | /usr/bin/openssl s_client  -crlf -connect xfiles.roechling-automotive.com:443 2>&1 | grep -F -q err
[DBG]   start time = 1633423263
[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'R
[DBG] ' | /usr/bin/openssl s_client  -crlf -connect xfiles.roechling-automotive.com:443 2>&1 | grep -F -q err"
[DBG]   end time = 1633423263
[DBG]   new timeout = 120
[DBG] extracting cert attribute enddate
[DBG] extracting cert attribute cn
[DBG] extracting cert attribute subject
[DBG] SUBJECT = subject=C = DE, postalCode = 68165, L = Mannheim, street = Richard-Wagner-Straße 9, O = Roechling SE & Co. KG, CN = xfiles.roechling-automotive.com
[DBG] extracting cert attribute serial
[DBG] SERIAL = 141129D2024926B3AC89A8D1459A9CD1
[DBG] extracting cert attribute fingerprint
[DBG] FINGEPRINT = 9D:BC:FD:75:65:52:F2:B8:90:2B:F6:48:80:FF:C2:C3:03:B8:52:FE
[DBG] extracting cert attribute oscp_uri_single
[DBG] extracting cert attribute oscp_uri
[DBG] OCSP_URI = http://ocsp.sectigo.com
[DBG] Extracting issuers
[DBG]   Number of certificates in the chain: 3
[DBG]     extracting issuer for element 1
[DBG] extracting cert attribute issuer
[DBG]       ELEMENT_ISSUER=issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
[DBG]     extracting issuer for element 2
[DBG] extracting cert attribute issuer
[DBG]       ELEMENT_ISSUER=issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
[DBG]     extracting issuer for element 3
[DBG] extracting cert attribute issuer
[DBG]       ELEMENT_ISSUER=issuer=C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
[DBG] ISSUERS =
[DBG] issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
[DBG] issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
[DBG] issuer=C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
[DBG] ISSUERS =
[DBG] O = Sectigo Limited
[DBG] CN = Sectigo RSA Organization Validation Secure Server CA
[DBG] O = The USERTRUST Network
[DBG] CN = USERTrust RSA Certification Authority
[DBG] O = Comodo CA Limited
[DBG] CN = AAA Certificate Services
[DBG] extracting cert attribute issuer_uri_single
[DBG] extracting cert attribute issuer_uri
[DBG] extracting cert attribute sig_algo
[DBG] subject=C = DE, postalCode = 68165, L = Mannheim, street = Richard-Wagner-Straße 9, O = Roechling SE & Co. KG, CN = xfiles.roechling-automotive.com
[DBG] CN         = xfiles.roechling-automotive.com
[DBG] CA         = O = Sectigo Limited
[DBG] CA         = CN = Sectigo RSA Organization Validation Secure Server CA
[DBG] CA         = O = The USERTRUST Network
[DBG] CA         = CN = USERTrust RSA Certification Authority
[DBG] CA         = O = Comodo CA Limited
[DBG] CA         = CN = AAA Certificate Services
[DBG] SERIAL     = 141129D2024926B3AC89A8D1459A9CD1
[DBG] FINGERPRINT= 9D:BC:FD:75:65:52:F2:B8:90:2B:F6:48:80:FF:C2:C3:03:B8:52:FE
[DBG] OCSP_URI   = http://ocsp.sectigo.com
[DBG] ISSUER_URI = http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt
[DBG]         Signature Algorithm: sha256WithRSAEncryption
[DBG] extracting cert attribute subjectAlternativeName
[DBG] subjectAlternativeName = xfiles.roechling-automotive.com www.xfiles.roechling-automotive.com
[DBG] check CN                   xfiles.roechling-automotive.com
[DBG] COMMON_NAME              = xfiles.roechling-automotive.com
[DBG] ALTNAMES                 = 1
[DBG] SUBJECT_ALTERNATIVE_NAME = xfiles.roechling-automotive.com www.xfiles.roechling-automotive.com
[DBG] Checking if xfiles.roechling-automotive.com is an IP address
[DBG] xfiles.roechling-automotive.com is not an IP address
[DBG]  CN check finished
[DBG] Checking expiration date
[DBG] Number of certificates in CA chain: 3
[DBG] ------------------------------------------------------------------------------
[DBG] -- Checking element 1
[DBG] extracting cert attribute cn
[DBG] Checking expiration date of element 1 (xfiles.roechling-automotive.com)
[DBG] extracting cert attribute enddate
[DBG] Validity date on cert element 1 (xfiles.roechling-automotive.com) is Dec 11 23:59:59 2021 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Dec 11 23:59:59 2021 GMT'
[DBG] Hours until Dec 11 23:59:59 2021 GMT: 1623
[DBG] Adding line to prometheus days output: cert_days_chain_elem{cn="xfiles.roechling-automotive.com", element=1} 67
[DBG]   valid for 67 days
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 1 (xfiles.roechling-automotive.com)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1296000 on cert element 1 (xfiles.roechling-automotive.com)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1728000 on cert element 1
[DBG] Adding line to prometheus validity output: cert_valid_chain_elem{cn="xfiles.roechling-automotive.com", element=1} 0
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 1
[DBG] temporary file /tmp/joT30d created
[DBG] Storing the chain element in /tmp/joT30d
[DBG] Checking revokation via OCSP
[DBG] extracting cert attribute issuer_hash
[DBG] Issuer hash: 40f874cc
[DBG] extracting cert attribute issuer_uri
[DBG] Chain element issuer URIs: http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt
[DBG] checking issuer URIs: http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt
[DBG] OCSP: fetching issuer certificate http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt to /tmp/ka9FVY
[DBG] executing with timeout (120s): /usr/bin/curl    --silent --location \"http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt\" > /tmp/ka9FVY
[DBG]   start time = 1633423264
[DBG] /usr/bin/timeout 120 /bin/sh -c "/usr/bin/curl    --silent --location \"http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt\" > /tmp/ka9FVY"
[DBG]   end time = 1633423264
[DBG]   new timeout = 120
[DBG] OCSP: issuer certificate type (1): HTML document, ASCII text, with CRLF line terminators
[DBG] OCSP: issuer certificate type (2): HTML document, ASCII text, with CRLF line terminators
[DBG] OCSP: issuer certificate type (3): HTML document, ASCII text, with CRLF line terminators
[DBG] extracting cert attribute oscp_uri
[DBG] OCSP: URIs = http://ocsp.sectigo.com
[DBG] OCSP: URI = http://ocsp.sectigo.com
[DBG] OCSP: host = ocsp.sectigo.com
[DBG] openssl ocsp supports the -header option
[DBG] /usr/bin/openssl ocsp -header requires 'key=value'
[DBG] executing /usr/bin/openssl ocsp -timeout "120" -no_nonce -issuer /tmp/ka9FVY -cert /tmp/joT30d  -url http://ocsp.sectigo.com  -header HOST=ocsp.sectigo.com
[DBG] OCSP: response = unable to load certificate
[DBG] OCSP: response = 140643432031552:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
[DBG] OCSP: not good. HTTP_PROXY =
[DBG] executing /usr/bin/openssl ocsp -timeout "120" -no_nonce -issuer "/tmp/ka9FVY" -cert "/tmp/joT30d" -url "http://ocsp.sectigo.com" "" 2>&1
[DBG] CRITICAL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[DBG] prepend_critical_message: new message    = OCSP error (-v for details)
[DBG] prepend_critical_message: CRITICAL_MSG   =
[DBG] prepend_critical_message: ALL_MSG 1      =
[DBG] prepend_critical_message: MSG 2          = SSL_CERT CRITICAL xfiles.roechling-automotive.com: OCSP error (-v for details)
[DBG] prepend_critical_message: CRITICAL_MSG 2 = SSL_CERT CRITICAL xfiles.roechling-automotive.com: OCSP error (-v for details)
[DBG] prepend_critical_message: ALL_MSG 2      =
[DBG]     SSL_CERT CRITICAL xfiles.roechling-automotive.com: OCSP error (-v for details)
[DBG] CRITICAL <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[DBG] ------------------------------------------------------------------------------
[DBG] -- Checking element 2
[DBG] extracting cert attribute cn
[DBG] Checking expiration date of element 2 (Sectigo RSA Organization Validation Secure Server CA)
[DBG] extracting cert attribute enddate
[DBG] Validity date on cert element 2 (Sectigo RSA Organization Validation Secure Server CA) is Dec 31 23:59:59 2030 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Dec 31 23:59:59 2030 GMT'
[DBG] Hours until Dec 31 23:59:59 2030 GMT: 80991
[DBG] Adding line to prometheus days output: cert_days_chain_elem{cn="xfiles.roechling-automotive.com", element=2} 3374
[DBG]   valid for 3374 days
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 2 (Sectigo RSA Organization Validation Secure Server CA)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1296000 on cert element 2 (Sectigo RSA Organization Validation Secure Server CA)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1728000 on cert element 2
[DBG] Adding line to prometheus validity output: cert_valid_chain_elem{cn="xfiles.roechling-automotive.com", element=2} 0
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 2
[DBG] temporary file /tmp/jN1Ogp created
[DBG] Storing the chain element in /tmp/jN1Ogp
[DBG] Checking revokation via OCSP
[DBG] extracting cert attribute issuer_hash
[DBG] Issuer hash: fc5a8f99
[DBG] extracting cert attribute issuer_uri
[DBG] Chain element issuer URIs: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
[DBG] checking issuer URIs: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
[DBG] OCSP: fetching issuer certificate http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt to /tmp/ka9FVY
[DBG] executing with timeout (120s): /usr/bin/curl    --silent --location \"http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt\" > /tmp/ka9FVY
[DBG]   start time = 1633423264
[DBG] /usr/bin/timeout 120 /bin/sh -c "/usr/bin/curl    --silent --location \"http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt\" > /tmp/ka9FVY"
[DBG]   end time = 1633423264
[DBG]   new timeout = 120
[DBG] OCSP: issuer certificate type (1): data
[DBG] OCSP: issuer certificate type (2): data
[DBG] OCSP: converting issuer certificate from DER to PEM
[DBG] OCSP: issuer certificate type (3): PEM certificate
[DBG] extracting cert attribute oscp_uri
[DBG] OCSP: URIs = http://ocsp.usertrust.com
[DBG] OCSP: URI = http://ocsp.usertrust.com
[DBG] OCSP: host = ocsp.usertrust.com
[DBG] openssl ocsp supports the -header option
[DBG] /usr/bin/openssl ocsp -header requires 'key=value'
[DBG] executing /usr/bin/openssl ocsp -timeout "120" -no_nonce -issuer /tmp/ka9FVY -cert /tmp/jN1Ogp  -url http://ocsp.usertrust.com  -header HOST=ocsp.usertrust.com
[DBG] OCSP: response = Response verify OK
[DBG] OCSP: response = /tmp/jN1Ogp: good
[DBG] OCSP: response =  This Update: Oct  4 02:23:01 2021 GMT
[DBG] OCSP: response =  Next Update: Oct 11 02:23:01 2021 GMT
[DBG] ------------------------------------------------------------------------------
[DBG] -- Checking element 3
[DBG] extracting cert attribute cn
[DBG] Checking expiration date of element 3 (USERTrust RSA Certification Authority)
[DBG] extracting cert attribute enddate
[DBG] Validity date on cert element 3 (USERTrust RSA Certification Authority) is Dec 31 23:59:59 2028 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Dec 31 23:59:59 2028 GMT'
[DBG] Hours until Dec 31 23:59:59 2028 GMT: 63471
[DBG] Adding line to prometheus days output: cert_days_chain_elem{cn="xfiles.roechling-automotive.com", element=3} 2644
[DBG]   valid for 2644 days
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 3 (USERTrust RSA Certification Authority)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1296000 on cert element 3 (USERTrust RSA Certification Authority)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1728000 on cert element 3
[DBG] Adding line to prometheus validity output: cert_valid_chain_elem{cn="xfiles.roechling-automotive.com", element=3} 0
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 3
[DBG] temporary file /tmp/YtB3f7 created
[DBG] Storing the chain element in /tmp/YtB3f7
[DBG] Checking revokation via OCSP
[DBG] extracting cert attribute issuer_hash
[DBG] Issuer hash: ee64a828
[DBG] extracting cert attribute issuer_uri
[DBG] openssl_version 1.1.0
[DBG] Checking if OpenSSL version is at least 1.1.0 ( '1' '1' '0' ':0' )
[DBG] openssl version: OpenSSL 1.1.1f  31 Mar 2020
[DBG] Current version 1.1.1f ( '1' '1' '1' 'f:102' )
[DBG]   true
[DBG] Checking Signed Certificate Timestamps (SCTs)
[DBG] extracting cert attribute sct
[DBG] cleaning up temporary files
[DBG]
[DBG] /tmp/WXSz5u
[DBG] /tmp/BauvOc
[DBG] /tmp/sBRGB9
[DBG] /tmp/qsF1dX
[DBG] /tmp/Ybr157
[DBG] /tmp/ka9FVY
[DBG] /tmp/6YZIqg
[DBG] /tmp/joT30d
[DBG] /tmp/jN1Ogp
[DBG] /tmp/YtB3f7
[DBG] exiting with CRITICAL
[DBG] ALL_MSG =
[DBG]     SSL_CERT CRITICAL xfiles.roechling-automotive.com: OCSP error (-v for details)
[DBG] number of errors = 1
SSL_CERT CRITICAL xfiles.roechling-automotive.com: OCSP error (-v for details)|days_chain_elem1=67;20;15;; days_chain_elem2=3374;20;15;; days_chain_elem3=2644;20;15;;
matteocorti commented 2 years ago

I'll check but I cannot reproduce it on my machines (including Ubuntu 20.04.3 LTS):

$ ./check_ssl_cert -H  www.heise.de
SSL_CERT OK - x509 certificate 'www.heise.de' from 'Sectigo RSA Domain Validation Secure Server CA' valid until Jun 10 23:59:59 2022 GMT (expires in 248 days)|days_chain_elem1=248;20;15;; days_chain_elem2=3374;20;15;;
$ ./check_ssl_cert -H xfiles.roechling-automotive.com 
SSL_CERT OK - x509 certificate 'xfiles.roechling-automotive.com' from 'Sectigo RSA Organization Validation Secure Server CA' valid until Dec 11 23:59:59 2021 GMT (expires in 67 days)|days_chain_elem1=67;20;15;; days_chain_elem2=3374;20;15;; days_chain_elem3=2644;20;15;;
matteocorti commented 2 years ago

The problem is here:

[DBG] Chain element issuer URIs: http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt
[DBG] checking issuer URIs: http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt
[DBG] OCSP: fetching issuer certificate http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt to /tmp/ka9FVY
[DBG] executing with timeout (120s): /usr/bin/curl    --silent --location \"http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt\" > /tmp/ka9FVY
[DBG]   start time = 1633423264
[DBG] /usr/bin/timeout 120 /bin/sh -c "/usr/bin/curl    --silent --location \"http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt\" > /tmp/ka9FVY"
[DBG]   end time = 1633423264
[DBG]   new timeout = 120
[DBG] OCSP: issuer certificate type (1): HTML document, ASCII text, with CRLF line terminators
[DBG] OCSP: issuer certificate type (2): HTML document, ASCII text, with CRLF line terminators
[DBG] OCSP: issuer certificate type (3): HTML document, ASCII text, with CRLF line terminators

Why an HTML document?

What do you get with:

$ curl http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt
tsteuerer commented 2 years ago

Hello Matteo, with curl http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt I get

Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.

I also tried this:

# /usr/bin/curl    --silent --location http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt > /tmp/ka9FVY
# file /tmp/ka9FVY
/tmp/ka9FVY: data
# ls -l  /tmp/ka9FVY
-rw-r--r-- 1 root root 1565 Oct  5 16:49 /tmp/ka9FVY

Looked pretty normal, so I tried the plugin again:

# ./check_ssl_cert -H www.heise.de
SSL_CERT OK - x509 certificate 'www.heise.de' from 'Sectigo RSA Domain Validation Secure Server CA' valid until Jun 10 23:59:59 2022 GMT (expires in 248 days)|days_chain_elem1=248;20;15;; days_chain_elem2=3374;20;15;;

Same for xfiles.roechling-automotive.com. It's also working. Looks like I cannot reproduce the error anymore.

matteocorti commented 2 years ago

It seems that an HTML page with an error was returned. I'll try to catch it and generate a better error.
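One way to catch this failure before openssl ocsp sees it, as an added example that is not check_ssl_cert's own code: the debug log shows the plugin classifies the downloaded issuer file with file(1), whereas this version sniffs the magic bytes itself (PEM header, DER SEQUENCE tag 0x30 0x82, HTML markup) so it runs without file, and turns the HTML case into an explicit message instead of the "no start line" PEM error. The function names and the constructed sample file are assumptions of mine.

```shell
#!/bin/sh
# Added example, not check_ssl_cert's own code. The debug log shows the
# issuer (AIA) download coming back as an HTML page, which openssl ocsp
# later rejects with an unhelpful "no start line". Classify the file
# first and fail with a clear message.

# Print one of: empty, pem, der, html, unknown for the file given in $1.
classify_issuer_file() {
    f="$1"
    if [ ! -s "$f" ]; then
        printf 'empty\n'
        return 0
    fi
    # First two bytes as hex, e.g. "3082" for a DER SEQUENCE with a
    # two-byte length, which every real X.509 certificate starts with.
    lead=$(head -c 2 "$f" | od -An -tx1 | tr -d ' \n')
    if head -c 27 "$f" | grep -q -- '^-----BEGIN CERTIFICATE-----'; then
        printf 'pem\n'
    elif [ "$lead" = "3082" ]; then
        printf 'der\n'
    elif head -c 512 "$f" | tr -d '\r' | grep -qiE -- '<html|<!DOCTYPE'; then
        printf 'html\n'
    else
        printf 'unknown\n'
    fi
}

# Print the path of a PEM file ready for "openssl ocsp -issuer", or write
# a descriptive message to stderr and return 2 (Nagios CRITICAL).
prepare_issuer_for_ocsp() {
    f="$1"
    kind=$(classify_issuer_file "$f")
    case "$kind" in
        pem)
            printf '%s\n' "$f"
            ;;
        der)
            # Same conversion the plugin logs ("converting issuer certificate
            # from DER to PEM"); needs the openssl binary.
            if command -v openssl >/dev/null 2>&1 &&
               openssl x509 -inform DER -in "$f" -out "$f.pem" 2>/dev/null; then
                printf '%s\n' "$f.pem"
            else
                echo "OCSP error: issuer file is not a valid DER certificate" >&2
                return 2
            fi
            ;;
        html)
            echo "OCSP error: issuer URI returned an HTML page, not a certificate" >&2
            return 2
            ;;
        *)
            echo "OCSP error: issuer file is $kind, expected a certificate" >&2
            return 2
            ;;
    esac
}

# Demo on a constructed HTML error page (not a real download).
demo=$(mktemp)
printf '<!DOCTYPE html>\r\n<html><body>404 Not Found</body></html>\r\n' > "$demo"
classify_issuer_file "$demo"                       # html
prepare_issuer_for_ocsp "$demo" || echo "exit status $?"
rm -f "$demo"
```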

matteocorti commented 2 years ago

I'll close the issue until we can reproduce it ...