matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0

After migrating to RHEL8 from RHEL6 the plugin returns a CRITICAL #333

Closed eloyseba closed 2 years ago

eloyseba commented 2 years ago

Describe the bug

After migrating to RHEL8 from RHEL6 (openssl updated from 1.0.1 to 1.1.1) the plugin returns a CRITICAL, when it was working fine before.

To Reproduce

Test the same url in RHEL8.

Expected behavior

The plugin was working fine in RHEL6, but after migrating to RHEL8 it returns a CRITICAL with this message:

invalid organization ('Ibermutua' does not match ............

System (please complete the following information):

Additional context/output

I attach the complete trace with debug option:

IN RHEL6:

```
./check_ssl_cert -H analiticas.ibermutua.es -o Ibermutua -P https -c 1 -s -d
[DBG] Command line arguments: -H analiticas.ibermutua.es -o Ibermutua -P https -c 1 -s -d
[DBG] SNI =
[DBG] HOST_NAME = analiticas.ibermutua.es
[DBG] HOST_ADDR = analiticas.ibermutua.es
[DBG] COMMON_NAME = HOST
[DBG] COMMON_NAME = analiticas.ibermutua.es
[DBG] -c specified: 1
[DBG] ROOT_CA =
[DBG] file version: file-5.04
[DBG] magic file from /etc/magic:/usr/share/misc/magic
[DBG] cURL binary needed. SSL Labs = , OCSP = 1, CURL =
[DBG] cURL binary not specified
[DBG] cURL available: /usr/bin/curl
[DBG] curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
[DBG] Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
[DBG] Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
[DBG] nmap binary not needed. No disallowed protocols
[DBG] perl available: /usr/bin/perl
[DBG] date available: /bin/date
[DBG] checking date version
[DBG] date computation type: GNU
[DBG] check_ssl_cert version: 2.6.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL info:
[DBG] OpenSSL 1.0.1e-fips 11 Feb 2013
[DBG] built on: Mon Jan 30 07:47:24 EST 2017
[DBG] platform: linux-x86_64
[DBG] options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
[DBG] compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
[DBG] OPENSSLDIR: "/etc/pki/tls"
[DBG] engines: dynamic
[DBG] OpenSSL configuration directory: /etc/pki/tls
[DBG] 151 root certificates installed by default
[DBG] System info: Linux ibnagios 2.6.32-754.14.2.el6.x86_64 #1 SMP Wed Apr 24 16:18:30 EDT 2019 x86_64 x86_64 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername analiticas.ibermutua.es
[DBG] temporary file /tmp/fIKki6 created
[DBG] temporary file /tmp/2xyiIG created
[DBG] temporary file /tmp/SBCLHS created
[DBG] temporary file /tmp/jERP7E created
[DBG] temporary file /tmp/s5kfMp created
[DBG] temporary file /tmp/riEA22 created
[DBG] temporary file /tmp/OkTtli created
[DBG] analiticas.ibermutua.es is not an IP address
[DBG] Adding -ign_eof to the options
[DBG] executing with timeout (120s): printf 'HEAD / HTTP/1.1\nHost: analiticas.ibermutua.es\nUser-Agent: check_ssl_cert/2.6.0\nConnection: close\n\n' | /usr/bin/openssl s_client -crlf -ign_eof -connect analiticas.ibermutua.es:443 -servername analiticas.ibermutua.es -showcerts -verify 6 2> /tmp/2xyiIG 1> /tmp/fIKki6
[DBG] start time = 1634902167
[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'HEAD / HTTP/1.1\nHost: analiticas.ibermutua.es\nUser-Agent: check_ssl_cert/2.6.0\nConnection: close\n\n' | /usr/bin/openssl s_client -crlf -ign_eof -connect analiticas.ibermutua.es:443 -servername analiticas.ibermutua.es -showcerts -verify 6 2> /tmp/2xyiIG 1> /tmp/fIKki6"
[DBG] end time = 1634902168
[DBG] new timeout = 119
[DBG] Return value of the command = 0
[DBG] checking TLS renegotiation
[DBG] executing with timeout (119s): printf 'R\n' | /usr/bin/openssl s_client -crlf -connect analiticas.ibermutua.es:443 2>&1 | grep -F -q err
[DBG] start time = 1634902168
[DBG] /usr/bin/timeout 119 /bin/sh -c "printf 'R\n' | /usr/bin/openssl s_client -crlf -connect analiticas.ibermutua.es:443 2>&1 | grep -F -q err"
[DBG] end time = 1634902168
[DBG] new timeout = 119
[DBG] Skipping 0 element of the chain
[DBG] ISSUERS =
[DBG] issuer= C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K\nissuer= C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
[DBG] ISSUERS =
[DBG] O = "Entrust
[DBG] CN = Entrust Certification Authority - L1K
[DBG] O = "Entrust
[DBG] CN = Entrust Root Certification Authority - G2
[DBG] subject= C = ES, L = Madrid, O = Ibermutua Mutua Colaboradora con la Seguridad Social Número 274, CN = *.ibermutua.es
[DBG] CN = *.ibermutua.es
[DBG] CA = O = "Entrust
[DBG] CA = CN = Entrust Certification Authority - L1K
[DBG] CA = O = "Entrust
[DBG] CA = CN = Entrust Root Certification Authority - G2
[DBG] SERIAL = 31AA7D5133093155F0BA6CF99E8D7AF4
[DBG] FINGERPRINT= 52:4C:E3:3E:F2:D3:5B:F4:39:92:B3:77:04:A3:BE:E5:20:21:B2:B9
[DBG] OCSP_URI = http://ocsp.entrust.net
[DBG] ISSUER_URI = http://aia.entrust.net/l1k-chain256.cer
[DBG] Signature Algorithm: sha256WithRSAEncryption
[DBG] subjectAlternativeName = *.ibermutua.es
[DBG] check CN *.ibermutua.es
[DBG] COMMON_NAME = analiticas.ibermutua.es
[DBG] ALTNAMES = 1
[DBG] SUBJECT_ALTERNATIVENAME = *.ibermutua.es
[DBG] Checking if analiticas.ibermutua.es is an IP address
[DBG] analiticas.ibermutua.es is not an IP address
[DBG] checking if the common name matches ^[A-Za-z0-9-]*[.]ibermutua[.]es$
[DBG] the common name analiticas.ibermutua.es matches ^[A-Za-z0-9_-]*[.]ibermutua[.]es$
[DBG] checking if the common name matches ^*.ibermutua.es$
[DBG] CN check finished
[DBG] Checking expiration date
[DBG] Number of certificates in CA chain: 2
[DBG] Skipping 0 element of the chain
[DBG] ------------------------------------------------------------------------------
[DBG] Checking expiration date of element 1
[DBG] Validity date on cert element 1 is Feb 12 12:17:15 2022 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Feb 12 12:17:15 2022 GMT'
[DBG] Hours until Feb 12 12:17:15 2022 GMT: 2712
[DBG] Adding line to prometheus days output: cert_days_chain_elem{cn="*.ibermutua.es", element=1} 113
[DBG] valid for 113 days
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 1
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 86400 on cert element 1
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1728000 on cert element 1
[DBG] Adding line to prometheus validity output: cert_valid_chain_elem{cn="*.ibermutua.es", element=1} 0
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 1
[DBG] temporary file /tmp/AmtP7G created
[DBG] Storing the chain element in /tmp/AmtP7G
[DBG] Checking revokation via OCSP
[DBG] Issuer hash: 2835d715
[DBG] Chain element issuer URIs: http://aia.entrust.net/l1k-chain256.cer
[DBG] checking issuer URIs: http://aia.entrust.net/l1k-chain256.cer
[DBG] OCSP: fetching issuer certificate http://aia.entrust.net/l1k-chain256.cer to /tmp/riEA22
[DBG] executing with timeout (119s): /usr/bin/curl --silent --location \"http://aia.entrust.net/l1k-chain256.cer\" > /tmp/riEA22
[DBG] start time = 1634902168
[DBG] /usr/bin/timeout 119 /bin/sh -c "/usr/bin/curl --silent --location \"http://aia.entrust.net/l1k-chain256.cer\" > /tmp/riEA22"
[DBG] end time = 1634902168
[DBG] new timeout = 119
[DBG] OCSP: issuer certificate type (1): empty
[DBG] OCSP: issuer certificate type (2): empty
[DBG] OCSP empty certificate detected: skipping
[DBG] ------------------------------------------------------------------------------
[DBG] Checking expiration date of element 2
[DBG] Validity date on cert element 2 is Dec 5 19:43:56 2030 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Dec 5 19:43:56 2030 GMT'
[DBG] Hours until Dec 5 19:43:56 2030 GMT: 79952
[DBG] Adding line to prometheus days output: cert_days_chain_elem{cn="*.ibermutua.es", element=2} 3331
[DBG] valid for 3331 days
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 2
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 86400 on cert element 2
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1728000 on cert element 2
[DBG] Adding line to prometheus validity output: cert_valid_chain_elem{cn="*.ibermutua.es", element=2} 0
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 2
[DBG] temporary file /tmp/f6tWx3 created
[DBG] Storing the chain element in /tmp/f6tWx3
[DBG] Checking revokation via OCSP
[DBG] Issuer hash: 02265526
[DBG] Checking organization Ibermutua
[DBG] output parameters: CA_ISSUER_MATCHED = Entrust Certification Authority - L1K
[DBG] output parameters: CHECKEDNAMES = (analiticas.ibermutua.es)
[DBG] output parameters: CN = *.ibermutua.es
[DBG] output parameters: DATE = Feb 12 12:17:15 2022 GMT
[DBG] output parameters: DAYS_VALID = (expires in 113 days)
[DBG] output parameters: DYSPLAY_CN = '*.ibermutua.es'
[DBG] output parameters: OPENSSL_COMMAND = x509
[DBG] output parameters: SELFSIGNEDCERT =
[DBG] output parameters: SHORTNAME = SSL_CERT
[DBG] output parameters: OCSP_EXPIRES_IN_HOURS =
[DBG] output parameters: SSL_LABS_HOST_GRADE =
SSL_CERT OK - x509 certificate '*.ibermutua.es' (analiticas.ibermutua.es) from 'Entrust Certification Authority - L1K' valid until Feb 12 12:17:15 2022 GMT (expires in 113 days)|days_chain_elem1=113;20;1;; days_chain_elem2=3331;20;1;;
[DBG] cleaning up temporary files
[DBG]
[DBG] /tmp/fIKki6
[DBG] /tmp/2xyiIG
[DBG] /tmp/SBCLHS
[DBG] /tmp/jERP7E
[DBG] /tmp/s5kfMp
[DBG] /tmp/riEA22
[DBG] /tmp/OkTtli
[DBG] /tmp/AmtP7G
[DBG] /tmp/f6tWx3
```



IN RHEL8:

```
./check_ssl_cert -H analiticas.ibermutua.es -o Ibermutua -P https -c 1 -s -d
[DBG] Command line arguments: -H analiticas.ibermutua.es -o Ibermutua -P https -c 1 -s -d
[DBG] SNI =
[DBG] HOST_NAME = analiticas.ibermutua.es
[DBG] HOST_ADDR = analiticas.ibermutua.es
[DBG] COMMON_NAME = HOST
[DBG] COMMON_NAME = analiticas.ibermutua.es
[DBG] -c specified: 1
[DBG] ROOT_CA =
[DBG] file version: file-5.33
[DBG] magic file from /etc/magic:/usr/share/misc/magic
[DBG] cURL binary needed. SSL Labs = , OCSP = 1, CURL =
[DBG] cURL binary not specified
[DBG] cURL available: /usr/bin/curl
[DBG] curl 7.61.1 (x86_64-redhat-linux-gnu) libcurl/7.61.1 OpenSSL/1.1.1g zlib/1.2.11 brotli/1.0.6 libidn2/2.2.0 libpsl/0.20.2 (+libidn2/2.2.0) libssh/0.9.4/openssl/zlib nghttp2/1.33.0
[DBG] Release-Date: 2018-09-05
[DBG] Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
[DBG] Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz brotli TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL Metalink
[DBG] nmap binary not needed. No disallowed protocols
[DBG] perl available: /usr/bin/perl
[DBG] date available: /usr/bin/date
[DBG] checking date version
[DBG] date computation type: GNU
[DBG] check_ssl_cert version: 2.6.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL info:
[DBG] OpenSSL 1.1.1g FIPS 21 Apr 2020
[DBG] built on: Mon Jul 20 13:09:52 2020 UTC
[DBG] platform: linux-x86_64
[DBG] options: bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr)
[DBG] compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
[DBG] OPENSSLDIR: "/etc/pki/tls"
[DBG] ENGINESDIR: "/usr/lib64/engines-1.1"
[DBG] Seeding source: os-specific
[DBG] engines: rdrand dynamic
[DBG] OpenSSL configuration directory: /etc/pki/tls
[DBG] 138 root certificates installed by default
[DBG] System info: Linux ibnagios 4.18.0-240.el8.x86_64 #1 SMP Wed Sep 23 05:13:10 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername analiticas.ibermutua.es
[DBG] '/usr/bin/openssl s_client' supports '-name': using ibnagios
[DBG] '/usr/bin/openssl s_client' supports '-xmpphost': using -xmpphost analiticas.ibermutua.es
[DBG] temporary file /tmp/r5cp6c created
[DBG] temporary file /tmp/Hxc1hv created
[DBG] temporary file /tmp/l8Wsdq created
[DBG] temporary file /tmp/D8AscY created
[DBG] temporary file /tmp/PAscxa created
[DBG] temporary file /tmp/zxi25T created
[DBG] temporary file /tmp/dfWvZF created
[DBG] analiticas.ibermutua.es is not an IP address
[DBG] Adding -ign_eof to the options
[DBG] executing with timeout (120s): printf 'HEAD / HTTP/1.1\nHost: analiticas.ibermutua.es\nUser-Agent: check_ssl_cert/2.6.0\nConnection: close\n\n' | /usr/bin/openssl s_client -crlf -ign_eof -connect analiticas.ibermutua.es:443 -servername analiticas.ibermutua.es -showcerts -verify 6 2> /tmp/Hxc1hv 1> /tmp/r5cp6c
[DBG] start time = 1634902203
[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'HEAD / HTTP/1.1\nHost: analiticas.ibermutua.es\nUser-Agent: check_ssl_cert/2.6.0\nConnection: close\n\n' | /usr/bin/openssl s_client -crlf -ign_eof -connect analiticas.ibermutua.es:443 -servername analiticas.ibermutua.es -showcerts -verify 6 2> /tmp/Hxc1hv 1> /tmp/r5cp6c"
[DBG] end time = 1634902203
[DBG] new timeout = 120
[DBG] Return value of the command = 0
[DBG] checking TLS renegotiation
[DBG] executing with timeout (120s): printf 'R\n' | /usr/bin/openssl s_client -crlf -connect analiticas.ibermutua.es:443 2>&1 | grep -F -q err
[DBG] start time = 1634902203
[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'R\n' | /usr/bin/openssl s_client -crlf -connect analiticas.ibermutua.es:443 2>&1 | grep -F -q err"
[DBG] end time = 1634902203
[DBG] new timeout = 120
[DBG] Skipping 0 element of the chain
[DBG] ISSUERS =
[DBG] issuer=C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K\nissuer=C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
[DBG] ISSUERS =
[DBG] O = "Entrust
[DBG] CN = Entrust Certification Authority - L1K
[DBG] O = "Entrust
[DBG] CN = Entrust Root Certification Authority - G2
[DBG] subject=C = ES, L = Madrid, O = Ibermutua Mutua Colaboradora con la Seguridad Social Número 274, CN = *.ibermutua.es
[DBG] CN = *.ibermutua.es
[DBG] CA = O = "Entrust
[DBG] CA = CN = Entrust Certification Authority - L1K
[DBG] CA = O = "Entrust
[DBG] CA = CN = Entrust Root Certification Authority - G2
[DBG] SERIAL = 31AA7D5133093155F0BA6CF99E8D7AF4
[DBG] FINGERPRINT= 52:4C:E3:3E:F2:D3:5B:F4:39:92:B3:77:04:A3:BE:E5:20:21:B2:B9
[DBG] OCSP_URI = http://ocsp.entrust.net
[DBG] ISSUER_URI = http://aia.entrust.net/l1k-chain256.cer
[DBG] Signature Algorithm: sha256WithRSAEncryption
[DBG] subjectAlternativeName = *.ibermutua.es
[DBG] check CN *.ibermutua.es
[DBG] COMMON_NAME = analiticas.ibermutua.es
[DBG] ALTNAMES = 1
[DBG] SUBJECT_ALTERNATIVENAME = *.ibermutua.es
[DBG] Checking if analiticas.ibermutua.es is an IP address
[DBG] analiticas.ibermutua.es is not an IP address
[DBG] checking if the common name matches ^[A-Za-z0-9-]*[.]ibermutua[.]es$
[DBG] the common name analiticas.ibermutua.es matches ^[A-Za-z0-9_-]*[.]ibermutua[.]es$
[DBG] checking if the common name matches ^*.ibermutua.es$
[DBG] CN check finished
[DBG] Checking expiration date
[DBG] Number of certificates in CA chain: 2
[DBG] Skipping 0 element of the chain
[DBG] ------------------------------------------------------------------------------
[DBG] Checking expiration date of element 1
[DBG] Validity date on cert element 1 is Feb 12 12:17:15 2022 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Feb 12 12:17:15 2022 GMT'
[DBG] Hours until Feb 12 12:17:15 2022 GMT: 2712
[DBG] Adding line to prometheus days output: cert_days_chain_elem{cn="*.ibermutua.es", element=1} 113
[DBG] valid for 113 days
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 1
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 86400 on cert element 1
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1728000 on cert element 1
[DBG] Adding line to prometheus validity output: cert_valid_chain_elem{cn="*.ibermutua.es", element=1} 0
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 1
[DBG] temporary file /tmp/NMtyeH created
[DBG] Storing the chain element in /tmp/NMtyeH
[DBG] Checking revokation via OCSP
[DBG] Issuer hash: 2835d715
[DBG] Chain element issuer URIs: http://aia.entrust.net/l1k-chain256.cer
[DBG] checking issuer URIs: http://aia.entrust.net/l1k-chain256.cer
[DBG] OCSP: fetching issuer certificate http://aia.entrust.net/l1k-chain256.cer to /tmp/zxi25T
[DBG] executing with timeout (120s): /usr/bin/curl --silent --location \"http://aia.entrust.net/l1k-chain256.cer\" > /tmp/zxi25T
[DBG] start time = 1634902203
[DBG] /usr/bin/timeout 120 /bin/sh -c "/usr/bin/curl --silent --location \"http://aia.entrust.net/l1k-chain256.cer\" > /tmp/zxi25T"
[DBG] end time = 1634902203
[DBG] new timeout = 120
[DBG] OCSP: issuer certificate type (1): empty
[DBG] OCSP: issuer certificate type (2): empty
[DBG] OCSP empty certificate detected: skipping
[DBG] ------------------------------------------------------------------------------
[DBG] Checking expiration date of element 2
[DBG] Validity date on cert element 2 is Dec 5 19:43:56 2030 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Dec 5 19:43:56 2030 GMT'
[DBG] Hours until Dec 5 19:43:56 2030 GMT: 79952
[DBG] Adding line to prometheus days output: cert_days_chain_elem{cn="*.ibermutua.es", element=2} 3331
[DBG] valid for 3331 days
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 2
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 86400 on cert element 2
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1728000 on cert element 2
[DBG] Adding line to prometheus validity output: cert_valid_chain_elem{cn="*.ibermutua.es", element=2} 0
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 2
[DBG] temporary file /tmp/4cYiOo created
[DBG] Storing the chain element in /tmp/4cYiOo
[DBG] Checking revokation via OCSP
[DBG] Issuer hash: 02265526
[DBG] Checking organization Ibermutua
[DBG] CRITICAL >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[DBG] prepend_critical_message: new message = invalid organization ('Ibermutua' does not match 'subject=C = ES, L = Madrid, O = Ibermutua Mutua Colaboradora con la Seguridad Social N\C3\BAmero 274, CN = *.ibermutua.es')
[DBG] prepend_critical_message: CRITICAL_MSG =
[DBG] prepend_critical_message: ALL_MSG 1 =
[DBG] prepend_critical_message: MSG 2 = SSL_CERT CRITICAL *.ibermutua.es: invalid organization ('Ibermutua' does not match 'subject=C = ES, L = Madrid, O = Ibermutua Mutua Colaboradora con la Seguridad Social N\C3\BAmero 274, CN = *.ibermutua.es')
[DBG] prepend_critical_message: CRITICAL_MSG 2 = SSL_CERT CRITICAL *.ibermutua.es: invalid organization ('Ibermutua' does not match 'subject=C = ES, L = Madrid, O = Ibermutua Mutua Colaboradora con la Seguridad Social N\C3\BAmero 274, CN = *.ibermutua.es')
[DBG] prepend_critical_message: ALL_MSG 2 = \n SSL_CERT CRITICAL *.ibermutua.es: invalid organization ('Ibermutua' does not match 'subject=C = ES, L = Madrid, O = Ibermutua Mutua Colaboradora con la Seguridad Social N\C3\BAmero 274, CN = *.ibermutua.es')
[DBG] CRITICAL <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
[DBG] cleaning up temporary files
[DBG]
[DBG] /tmp/r5cp6c
[DBG] /tmp/Hxc1hv
[DBG] /tmp/l8Wsdq
[DBG] /tmp/D8AscY
[DBG] /tmp/PAscxa
[DBG] /tmp/zxi25T
[DBG] /tmp/dfWvZF
[DBG] /tmp/NMtyeH
[DBG] /tmp/4cYiOo
[DBG] exiting with CRITICAL
[DBG] ALL_MSG = \n SSL_CERT CRITICAL *.ibermutua.es: invalid organization ('Ibermutua' does not match 'subject=C = ES, L = Madrid, O = Ibermutua Mutua Colaboradora con la Seguridad Social N\C3\BAmero 274, CN = *.ibermutua.es')
[DBG] number of errors = 1
SSL_CERT CRITICAL *.ibermutua.es: invalid organization ('Ibermutua' does not match 'subject=C = ES, L = Madrid, O = Ibermutua Mutua Colaboradora con la Seguridad Social N\C3\BAmero 274, CN = *.ibermutua.es')|days_chain_elem1=113;20;1;; days_chain_elem2=3331;20;1;;
```



After investigating the issue, I think that the problem could be the output format after migrating, because in the traces we can see:

RHEL6:

[DBG] subject= C = ES, L = Madrid, O = Ibermutua Mutua Colaboradora con la Seguridad Social Número 274, CN = *.ibermutua.es

RHEL8:

[DBG] subject=C = ES, L = Madrid, O = Ibermutua Mutua Colaboradora con la Seguridad Social Número 274, CN = *.ibermutua.es

Thank you very much for your help and kind regards.

matteocorti commented 2 years ago

The server is not reachable but the problem can also be reproduced with:

```
./check_ssl_cert -H ibermutua.es -o ibermutua
```

eloyseba commented 2 years ago

Thank you very much for your response Matteo, but the server is reachable, as you can see below:

```
ping analiticas.ibermutua.es
PING analiticas.ibermutua.es (10.0.80.41) 56(84) bytes of data.
64 bytes from analiticas.ibermutua.es (10.0.80.41): icmp_seq=1 ttl=254 time=0.768 ms
64 bytes from analiticas.ibermutua.es (10.0.80.41): icmp_seq=2 ttl=254 time=0.733 ms
```

The host is analiticas.ibermutua.es.

Regards.

matteocorti commented 2 years ago

Not from my IP:

```
corti@MacBook-Pro-von-Matteo ~> telnet analiticas.ibermutua.es 443
Trying 212.163.3.196...
```

and

```
corti@MacBook-Pro-von-Matteo ~> ping analiticas.ibermutua.es
PING analiticas.ibermutua.es (212.163.3.196): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
^C
--- analiticas.ibermutua.es ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
```

eloyseba commented 2 years ago

Sorry Matteo, yes, it is an internal URL.

You can test with: https://blog.ibermutua.es

Thank you very much.

matteocorti commented 2 years ago

No problem, I can also reproduce it with https://ibermutua.es.

matteocorti commented 2 years ago

It's fixed. You can specify any valid regex with -o.

But you should avoid testing for ibermutua as it is also in the CN which is part of the org.

You could try with

```
./check_ssl_cert -H ibermutua.es -o 'Madrid.*Ibermutua'
```

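
The two points raised in this thread, the `subject=` line changing shape between OpenSSL 1.0.1 and 1.1.1 (as shown in eloyseba's traces) and the warning that a pattern like `ibermutua` also hits the CN, can be illustrated with a small POSIX shell example. This is added example code, not check_ssl_cert's own implementation: the three subject lines are constructed to mirror the traces above, and the helper names (`subject_org`, `unescape_name`, `check_org`, `naive_org_check`) are hypothetical.

```shell
# Added example (not check_ssl_cert's own code): parse the one-line subject
# printed by "openssl x509 -noout -subject" and match only the O= RDN.
#
# The traces in this issue show what changed between OpenSSL versions:
#   1.0.1e: subject= C = ES, ..., O = ... Número 274, CN = *.ibermutua.es
#   1.1.1g: subject=C = ES, ..., O = ... N\C3\BAmero 274, CN = *.ibermutua.es
# i.e. no space after "subject=" and non-ASCII bytes escaped as \XX.
# The lines below are constructed to mirror those traces.
SUBJECT_RHEL6='subject= C = ES, L = Madrid, O = Ibermutua Mutua Colaboradora con la Seguridad Social Número 274, CN = *.ibermutua.es'
SUBJECT_RHEL8='subject=C = ES, L = Madrid, O = Ibermutua Mutua Colaboradora con la Seguridad Social N\C3\BAmero 274, CN = *.ibermutua.es'
# Constructed counter-example: "ibermutua" appears only in the CN, not in O.
SUBJECT_OTHER='subject=C = ES, O = Some Other Org, CN = *.ibermutua.es'

# Drop the "subject=" prefix, with or without the trailing space.
strip_subject_prefix() {
    printf '%s\n' "$1" | sed -e 's/^subject= *//'
}

# Print the value of the O= RDN only. OpenSSL quotes a value that contains
# a comma (O = "Entrust, Inc."), so an unquoted value never contains one.
# Prints nothing when there is no O= RDN at all.
subject_org() {
    rdns=", $(strip_subject_prefix "$1")"
    case "$rdns" in
        *', O = "'*)
            printf '%s\n' "$rdns" | sed -n -E 's/.*, O = "([^"]*)".*/\1/p' ;;
        *)
            printf '%s\n' "$rdns" | sed -n -E 's/.*, O = ([^,]*).*/\1/p' ;;
    esac
}

# Turn OpenSSL's \C3\BA style escapes back into raw bytes so that a pattern
# written against the human-readable name matches on both OpenSSL versions.
unescape_name() {
    s=$1
    out=''
    while [ -n "$s" ]; do
        case "$s" in
            \\[0-9A-Fa-f][0-9A-Fa-f]*)
                hex=${s#\\}
                hex=${hex%"${hex#??}"}                 # the two hex digits
                out="$out$(printf "\\$(printf '%03o' "0x$hex")")"
                s=${s#???} ;;
            *)
                out="$out${s%"${s#?}"}"                # copy one character
                s=${s#?} ;;
        esac
    done
    printf '%s\n' "$out"
}

# Succeed when the organisation (O= only) matches the extended regex in $2.
check_org() {
    printf '%s\n' "$(unescape_name "$(subject_org "$1")")" | grep -E -q -- "$2"
}

# The fragile alternative: match the pattern anywhere in the whole subject,
# which is how "ibermutua" also matches a CN of *.ibermutua.es.
naive_org_check() {
    printf '%s\n' "$1" | grep -E -q -i -- "$2"
}

demo() {
    for s in "$SUBJECT_RHEL6" "$SUBJECT_RHEL8" "$SUBJECT_OTHER"; do
        org=$(unescape_name "$(subject_org "$s")")
        if check_org "$s" '^Ibermutua'; then
            printf 'OK       O=%s\n' "$org"
        else
            printf 'CRITICAL O=%s does not match ^Ibermutua\n' "$org"
        fi
        if naive_org_check "$s" 'ibermutua'; then
            printf '         (a whole-subject match for "ibermutua" would have passed)\n'
        fi
    done
}

demo
```

Scoping the comparison to the O= value is what makes a pattern such as `^Ibermutua` safe even though the same string sits in the CN; the whole-line match in `naive_org_check` passes for `SUBJECT_OTHER`, whose organisation is unrelated. Unescaping the `\XX` sequences is only needed if the pattern itself contains non-ASCII characters; an ASCII-only pattern such as `^Ibermutua Mutua` works on both hosts without it.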
matteocorti commented 2 years ago

Sorry forget my last comment, still not working ...

eloyseba commented 2 years ago

Thank you very much Matteo, it's working fine now.

Regards.