matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0

Checking Microsoft SQL Encryption in Transit TLS Cert expiration #420

Closed matteocorti closed 1 year ago

matteocorti commented 1 year ago

Discussed in https://github.com/matteocorti/check_ssl_cert/discussions/417

Originally posted by **jax7778** October 12, 2022

Hello! I have been trying to use the check_ssl_cert plugin to check the expiration dates on our MS SQL encryption in transit certs, but I am not having any luck so far. We are in the process of moving all of our MS SQL environments to encryption in transit and I would love to use Nagios to monitor the certs. We are using an internal CA cert, and we have verified that the encryption in transit is fully functional (packets are being encrypted, and clients can connect), but I can't get Nagios to check it. Here is an example just running from the command line with basic arguments. I have included the results with the server FQDN replaced:

```
check_ssl_cert -H fqdn.domain.local -p 1433
SSL_CERT CRITICAL fqdn.domain.local: SSL error: 139726949517200: error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
Error(s):
SSL_CERT CRITICAL fqdn.domain.local: No certificate returned
SSL_CERT CRITICAL fqdn.domain.local: SSL error: 139726949517200:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
```

It was recommended on another forum to try to connect with the openssl s_client, so I attempted that as well. Here is the output, again with the FQDN replaced:

```
openssl s_client -connect fqdn.domain.local:1433
CONNECTED(00000003)
140127202801552:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1664920458
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
```

Any help is greatly appreciated. Thanks in advance.
matteocorti commented 1 year ago

Not working as expected (see linked discussion)