Closed tsteuerer closed 2 years ago
I'll check but I cannot reproduce it on my machines (including Ubuntu 20.04.3 LTS):
$ ./check_ssl_cert -H www.heise.de
SSL_CERT OK - x509 certificate 'www.heise.de' from 'Sectigo RSA Domain Validation Secure Server CA' valid until Jun 10 23:59:59 2022 GMT (expires in 248 days)|days_chain_elem1=248;20;15;; days_chain_elem2=3374;20;15;;
$ ./check_ssl_cert -H xfiles.roechling-automotive.com
SSL_CERT OK - x509 certificate 'xfiles.roechling-automotive.com' from 'Sectigo RSA Organization Validation Secure Server CA' valid until Dec 11 23:59:59 2021 GMT (expires in 67 days)|days_chain_elem1=67;20;15;; days_chain_elem2=3374;20;15;; days_chain_elem3=2644;20;15;;
The problem is here:
[DBG] Chain element issuer URIs: http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt
[DBG] checking issuer URIs: http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt
[DBG] OCSP: fetching issuer certificate http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt to /tmp/ka9FVY
[DBG] executing with timeout (120s): /usr/bin/curl --silent --location \"http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt\" > /tmp/ka9FVY
[DBG] start time = 1633423264
[DBG] /usr/bin/timeout 120 /bin/sh -c "/usr/bin/curl --silent --location \"http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt\" > /tmp/ka9FVY"
[DBG] end time = 1633423264
[DBG] new timeout = 120
[DBG] OCSP: issuer certificate type (1): HTML document, ASCII text, with CRLF line terminators
[DBG] OCSP: issuer certificate type (2): HTML document, ASCII text, with CRLF line terminators
[DBG] OCSP: issuer certificate type (3): HTML document, ASCII text, with CRLF line terminators
Why an HTML document?
What do you get with:
$ curl http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt
Hello Matteo,
with
curl http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt
I get
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
I also tried this:
# /usr/bin/curl --silent --location http://crt.sectigo.com/SectigoRSAOrganizationValidationSecureServerCA.crt > /tmp/ka9FVY
# file /tmp/ka9FVY
/tmp/ka9FVY: data
# ls -l /tmp/ka9FVY
-rw-r--r-- 1 root root 1565 Oct 5 16:49 /tmp/ka9FVY
Looked pretty normal, so I tried the plugin again:
# ./check_ssl_cert -H www.heise.de
SSL_CERT OK - x509 certificate 'www.heise.de' from 'Sectigo RSA Domain Validation Secure Server CA' valid until Jun 10 23:59:59 2022 GMT (expires in 248 days)|days_chain_elem1=248;20;15;; days_chain_elem2=3374;20;15;;
Same for xfiles.roechling-automotive.com. It's also working. Looks like I cannot reproduce the error anymore.
It seems that an HTML page with an error was returned. I'll try to catch it and generate a better error.
I'll close the issue until we can reproduce it ...
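The debug log above shows the failure mode: curl "succeeded" but saved an HTML document, and the plugin went on to use it as the issuer certificate. The following is an added example (not check_ssl_cert's own code, which is a shell script) of the check the maintainer describes, catching the wrong content type before any OCSP request is built. It classifies the fetched blob as DER (by parsing the outer SEQUENCE header and comparing the encoded length with the file size), PEM, a truncated DER file, HTML, or unknown; the sample input at the bottom is constructed.

```python
import re

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def der_outer_length(data: bytes):
    """Total encoded size of the outer DER SEQUENCE (tag 0x30), or None
    when the first bytes are not a definite-length SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_issuer_blob(data: bytes) -> str:
    """What the issuer URI actually served: der, pem, truncated-der, html
    or unknown. HTML is what the debug log in this issue reported."""
    stripped = data.lstrip(b"\xef\xbb\xbf \t\r\n")   # drop BOM and whitespace
    if stripped.startswith(PEM_HEADER):
        return "pem"
    total = der_outer_length(data)
    if total is not None:
        if total == len(data):
            return "der"
        if total > len(data):              # header promises more than we got
            return "truncated-der"
    if re.match(rb"(?i)<!doctype\s+html|<html", stripped):
        return "html"
    return "unknown"


def issuer_check_message(data: bytes):
    """(ok, message) for the fetched blob, before any OCSP query is built."""
    kind = classify_issuer_blob(data)
    if kind in ("der", "pem"):
        return True, f"issuer certificate is {kind.upper()}, {len(data)} bytes"
    if kind == "html":
        return False, "issuer URI returned an HTML document instead of a certificate"
    return False, f"issuer URI returned unusable data ({kind}, {len(data)} bytes)"


def check_issuer_file(path: str):
    """Same check on a file written by curl, e.g. the /tmp/ka9FVY above."""
    with open(path, "rb") as fh:
        return issuer_check_message(fh.read())


if __name__ == "__main__":
    # constructed sample: an HTML error page with CRLF line terminators
    print(issuer_check_message(b"<!DOCTYPE html>\r\n<html><body>error</body></html>\r\n"))
```

With this in place the plugin can report "issuer URI returned an HTML document" instead of handing the HTML to openssl and failing later with an opaque OCSP error.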
I get an OCSP error on all of our domains. So I did a check on some external domains and found e.g. that a check on heise.de works, but a check on www.heise.de throws an OCSP error as well. Heise is the most popular publisher of IT magazines here in Germany, so I think their certificates are in order. I could disable the OCSP check with --ignore-ocsp, then the checks succeed, but the OCSP check is exactly what I need, because we ran into an issue with revoked certificates before.
To Reproduce
System
Output of
./check_ssl_cert -H xfiles.roechling-automotive.com -d