Closed lukastribus closed 1 year ago
Describe the bug
Despite running with --ignore-ocsp-errors --ignore-ocsp-timeout, an OCSP error leads to a CRITICAL exit code.
To Reproduce
check_ssl_cert --ignore-ocsp-errors --ignore-ocsp-timeout --protocol pop3s -6 -H pop3.mailbox.org -d -d -d -d -v
However, I'd assume the actual OCSP error will be gone in a few hours.
Expected behavior
Actually ignore this OCSP error as per command line argument and return OK.
System (please complete the following information):
openssl version: 1.1.1f
Additional context/output
lukas@htznr2:~$ /home/lukas/check_ssl_cert --ignore-ocsp-errors --ignore-ocsp-timeout --protocol pop3s -6 -H pop3.mailbox.org -d -d -d -d -v
[DBG] Shell: /bin/bash
[DBG] GNU bash, version 5.0.17(1)-release (x86_64-pc-linux-gnu)
[DBG] Copyright (C) 2019 Free Software Foundation, Inc.
[DBG] License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
[DBG]
[DBG] This is free software; you are free to change and redistribute it.
[DBG] There is NO WARRANTY, to the extent permitted by law.
[DBG] grep: grep
[DBG] grep (GNU grep) 3.4
[DBG] Copyright (C) 2020 Free Software Foundation, Inc.
[DBG] License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
[DBG] This is free software: you are free to change and redistribute it.
[DBG] There is NO WARRANTY, to the extent permitted by law.
[DBG]
[DBG] Written by Mike Haertel and others; see
[DBG] <https://git.sv.gnu.org/cgit/grep.git/tree/AUTHORS>.
[DBG] hostname: /bin/hostname
[DBG] $PATH: /home/lukas/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
[DBG] Command line arguments: --ignore-ocsp-errors --ignore-ocsp-timeout --protocol pop3s -6 -H pop3.mailbox.org -d -d -d -d -v
[DBG] TMPDIR = /tmp
[DBG] Required HTTP headers:
[DBG] Unrequired HTTP headers:
[DBG] Adding the domain if missing
[DBG] HOST = pop3.mailbox.org
[DBG] SNI =
[DBG] HOST_NAME = pop3.mailbox.org
[DBG] HOST_ADDR = pop3.mailbox.org
[DBG] NAMES_TO_BE_CHECKED = __HOST__
[DBG] Checking if pop3.mailbox.org is an IP address
[DBG] pop3.mailbox.org is not an IP address
[DBG] HOST_IS_IP. = 0
[DBG] Checking if pop3.mailbox.org is an IP address
[DBG] pop3.mailbox.org is not an IP address
[DBG] Adding pop3.mailbox.org to NAMES_TO_BE_CHECKED
[DBG] NAMES_TO_BE_CHECKED = pop3.mailbox.org
[DBG] curl binary needed. SSL Labs = , OCSP = 1, CURL = , IGNORE_CONNECTION_STATE=, FILE_URI=
[DBG] curl binary not specified
[DBG] curl available: /usr/bin/curl
[DBG] curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
[DBG] Release-Date: 2020-01-08
[DBG] Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
[DBG] Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
[DBG] -c specified: 15
[DBG] -w specified: 20
[DBG] Executing comparison '1728000 <= 1296000'
[DBG] bc result = 0
[DBG] returning 1
[DBG] ROOT_CA =
[DBG] mktemp available: /bin/mktemp
[DBG] file version: file-5.38
[DBG] magic file from /etc/magic:/usr/share/misc/magic
[DBG] nmap binary not specified
[DBG] nmap available: /usr/bin/nmap
[DBG] Checking IPs: host pop3.mailbox.org
[DBG] perl available: /usr/bin/perl
[DBG] date available: /bin/date
[DBG] checking date version
[DBG] date computation type: GNU
[DBG] check_ssl_cert version: 2.55.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL info:
[DBG] OpenSSL 1.1.1f 31 Mar 2020
[DBG] built on: Mon Jul 4 11:24:28 2022 UTC
[DBG] platform: debian-amd64
[DBG] options: bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
[DBG] compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-51ig8V/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
[DBG] OPENSSLDIR: "/usr/lib/ssl"
[DBG] ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
[DBG] Seeding source: os-specific
[DBG] OpenSSL configuration directory: /usr/lib/ssl
[DBG] 0 root certificates installed by default
[DBG] System info: Linux htznr2 5.4.0-131-generic #147-Ubuntu SMP Fri Oct 14 17:07:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername pop3.mailbox.org
[DBG] Proxy settings (before):
[DBG] http_proxy =
[DBG] https_proxy =
[DBG] HTTP_PROXY =
[DBG] HTTPS_PROXY =
[DBG] Proxy settings (after):
[DBG] http_proxy =
[DBG] https_proxy =
[DBG] HTTP_PROXY =
[DBG] HTTPS_PROXY =
[DBG] s_client =
[DBG] curl =
[DBG] '/usr/bin/openssl s_client' supports '-name': using htznr2
[DBG] '/usr/bin/openssl s_client' supports '-xmpphost': using -xmpphost pop3.mailbox.org
[DBG] HOST_HEADER = pop3.mailbox.org
[DBG] Testing connection with pop3.mailbox.org:995
[DBG] Executing: '/usr/bin/nmap -6 --unprivileged -Pn -p 995 pop3.mailbox.org'
[DBG] Sanity checks: OK
[DBG] temporary file /tmp/vnkO3p created
[DBG] temporary file /tmp/S6KdC0 created
[DBG] temporary file /tmp/rhkYGI created
[DBG] temporary file /tmp/unPuqi created
[DBG] temporary file /tmp/Hx7HiW created
[DBG] temporary file /tmp/nD25wK created
[DBG] temporary file /tmp/GP70jS created
[DBG] Temporary files created
[DBG] pop3.mailbox.org is not an IP address
[DBG] fetch_certificate: PROTOCOL = pop3s
[DBG] exec_with_timeout printf 'QUIT
[DBG] ' | /usr/bin/openssl s_client -6 -crlf -showcerts -connect pop3.mailbox.org:995 -servername pop3.mailbox.org -verify 6 2> /tmp/S6KdC0 1> /tmp/vnkO3p
[DBG] TIMEOUT_REASON = fetching certificate
[DBG] executing with timeout (120s): printf 'QUIT
[DBG] ' | /usr/bin/openssl s_client -6 -crlf -showcerts -connect pop3.mailbox.org:995 -servername pop3.mailbox.org -verify 6 2> /tmp/S6KdC0 1> /tmp/vnkO3p
[DBG] start time = 1669765988
[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'QUIT
[DBG] ' | /usr/bin/openssl s_client -6 -crlf -showcerts -connect pop3.mailbox.org:995 -servername pop3.mailbox.org -verify 6 2> /tmp/S6KdC0 1> /tmp/vnkO3p"
[DBG] end time = 1669765988
[DBG] new timeout = 120
[DBG] Return value of the command = 0
[DBG] Negotiated protocol:
[DBG] openssl_version 3.0.0
[DBG] Checking if OpenSSL version is at least 3.0.0 ( '3' '0' '0' ':0' )
[DBG] openssl version: OpenSSL 1.1.1f 31 Mar 2020
[DBG] Current version 1.1.1f ( '1' '1' '1' 'f:102' )
[DBG] false
[DBG] checking TLS renegotiation
[DBG] exec_with_timeout printf 'R
[DBG] ' | /usr/bin/openssl s_client -6 -crlf -connect pop3.mailbox.org:995 -servername pop3.mailbox.org 2>&1 | /bin/grep -F -q err
[DBG] TIMEOUT_REASON = checking TLS renegotiation
[DBG] executing with timeout (120s): printf 'R
[DBG] ' | /usr/bin/openssl s_client -6 -crlf -connect pop3.mailbox.org:995 -servername pop3.mailbox.org 2>&1 | /bin/grep -F -q err
[DBG] start time = 1669765988
[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'R
[DBG] ' | /usr/bin/openssl s_client -6 -crlf -connect pop3.mailbox.org:995 -servername pop3.mailbox.org 2>&1 | /bin/grep -F -q err"
[DBG] end time = 1669765988
[DBG] new timeout = 120
TLS renegotiation OK
[DBG] extracting cert attribute enddate
[DBG] extracting cert attribute startdate
[DBG] extracting cert attribute cn
[DBG] extracting cert attribute subject
[DBG] SUBJECT = subject=CN = *.mailbox.org
[DBG] extracting cert attribute serial
[DBG] SERIAL = 0CAE10A9084B9AB44D32BFA3634FBBE6
[DBG] extracting cert attribute version
[DBG] X509_VERSION = 3 (0x2)
[DBG] extracting cert attribute fingerprint
[DBG] FINGERPRINT = BD:8A:1E:32:79:14:4B:A6:A2:07:BA:F0:EC:5A:2F:83:2E:1B:C0:AC
[DBG] Checking if x509 supports the -ext option
[DBG] extracting cert attribute keyUsage
[DBG] Certificate purpose is not defined as critical
[DBG] extracting cert attribute oscp_uri_single
[DBG] extracting cert attribute oscp_uri
[DBG] OCSP_URI = http://status.thawte.com
[DBG] Extracting issuers
[DBG] Number of certificates in the chain: 2
[DBG] Checking certificate chain
[DBG] extracting issuer for element 1
[DBG] extracting cert attribute issuer
[DBG] ELEMENT_ISSUER=DigiCert Inc
[DBG] ELEMENT_ISSUER=Thawte TLS RSA CA G1
[DBG] ISSUERS=DigiCert Inc
[DBG] ISSUERS=Thawte TLS RSA CA G1
[DBG] extracting issuer for element 2
[DBG] extracting cert attribute issuer
[DBG] ELEMENT_ISSUER=DigiCert Inc
[DBG] ELEMENT_ISSUER=DigiCert Global Root G2
[DBG] ISSUERS=DigiCert Inc
[DBG] ISSUERS=Thawte TLS RSA CA G1
[DBG] ISSUERS=DigiCert Inc
[DBG] ISSUERS=DigiCert Global Root G2
[DBG] Certificate chain check finished
[DBG] ISSUERS =
[DBG] DigiCert Inc
[DBG] Thawte TLS RSA CA G1
[DBG] DigiCert Inc
[DBG] DigiCert Global Root G2
[DBG] extracting cert attribute issuer_uri_single
[DBG] extracting cert attribute issuer_uri
[DBG] extracting cert attribute sig_algo
[DBG] subject=CN = *.mailbox.org
[DBG] CN = *.mailbox.org
[DBG] CA = DigiCert Inc
[DBG] CA = Thawte TLS RSA CA G1
[DBG] CA = DigiCert Inc
[DBG] CA = DigiCert Global Root G2
[DBG] SERIAL = 0CAE10A9084B9AB44D32BFA3634FBBE6
[DBG] FINGERPRINT= BD:8A:1E:32:79:14:4B:A6:A2:07:BA:F0:EC:5A:2F:83:2E:1B:C0:AC
[DBG] OCSP_URI = http://status.thawte.com
[DBG] ISSUER_URI = http://cacerts.thawte.com/ThawteTLSRSACAG1.crt
[DBG] rsaEncryption (4096 bit)
[DBG] extracting cert attribute subjectAlternativeName
[DBG] subjectAlternativeName = *.mailbox.org mailbox.org
The certificate for this site contains a Subject Alternative Name extension
[DBG] Check the common name and alternative names
[DBG] CN = *.mailbox.org
[DBG] SUBJECT_ALTERNATIVE_NAME = *.mailbox.org
[DBG] SUBJECT_ALTERNATIVE_NAME = mailbox.org
[DBG] ALTNAMES = 1
[DBG] NAMES_TO_BE_CHECKED = pop3.mailbox.org
[DBG] checking 'pop3.mailbox.org'
[DBG] common name
[DBG] checking (1) if pop3.mailbox.org matches ^[A-Za-z0-9_-]*[.]mailbox[.]org$
[DBG] pop3.mailbox.org matches ^[A-Za-z0-9_-]*[.]mailbox[.]org$
[DBG] checking (2) if the pop3.mailbox.org matches ^*.mailbox.org$
[DBG] alternative names
[DBG] check altname: *.mailbox.org
[DBG] the altname *.mailbox.org begins with a '*'
[DBG] checking if (4) pop3.mailbox.org matches ^mailbox.org$
[DBG] checking if (5) pop3.mailbox.org matches ^[A-Za-z0-9_-]*[.]mailbox[.]org$
[DBG] pop3.mailbox.org matches ^[A-Za-z0-9_-]*[.]mailbox[.]org$
[DBG] checking if (6) pop3.mailbox.org matches ^*.mailbox.org$
[DBG] check altname: mailbox.org
[DBG] CN check finished
[DBG] Checking expiration date
[DBG] Number of certificates in CA chain: 2
[DBG] ------------------------------------------------------------------------------
[DBG] -- Checking element 1
[DBG] extracting cert attribute cn
[DBG] Checking expiration date of element 1 (*.mailbox.org)
[DBG] extracting cert attribute enddate
[DBG] Validity date on cert element 1 (*.mailbox.org) is Jun 9 23:59:59 2023 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Jun 9 23:59:59 2023 GMT' with GNU
[DBG] Computing '(1686355199-1669765988)/3600' (precision 0)
[DBG] Hours until Jun 9 23:59:59 2023 GMT: 4608
[DBG] Computing '4608/24' (precision 0)
[DBG] Computing '4608 * 3600' (precision 0)
[DBG] Adding line to prometheus days output: cert_days_chain_elem{cn="*.mailbox.org", element="1"} 192
[DBG] valid for 192 days
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 1 (*.mailbox.org)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1296000 on cert element 1 (*.mailbox.org)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1728000 on cert element 1
Certificate element 1 (*.mailbox.org) is valid for 192 days
[DBG] Adding line to prometheus validity output: cert_valid_chain_elem{cn="*.mailbox.org", element="1"} 0
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 1
[DBG] temporary file /tmp/jT7eLW created
[DBG] Storing the chain element in /tmp/jT7eLW
[DBG] Checking revocation via OCSP
[DBG] extracting cert attribute issuer_hash
[DBG] Issuer hash: 0feb9fd6
[DBG] extracting cert attribute issuer_uri
[DBG] Chain element issuer URIs: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt
[DBG] checking issuer URIs: http://cacerts.thawte.com/ThawteTLSRSACAG1.crt
[DBG] OCSP: fetching issuer certificate http://cacerts.thawte.com/ThawteTLSRSACAG1.crt to /tmp/nD25wK
[DBG] exec_with_timeout /usr/bin/curl -6 --silent --user-agent 'check_ssl_cert/2.55.0' --location \"http://cacerts.thawte.com/ThawteTLSRSACAG1.crt\" > /tmp/nD25wK
[DBG] TIMEOUT_REASON = OCSP: fetching issuer http://cacerts.thawte.com/ThawteTLSRSACAG1.crt
[DBG] executing with timeout (120s): /usr/bin/curl -6 --silent --user-agent 'check_ssl_cert/2.55.0' --location \"http://cacerts.thawte.com/ThawteTLSRSACAG1.crt\" > /tmp/nD25wK
[DBG] start time = 1669765988
[DBG] /usr/bin/timeout 120 /bin/sh -c "/usr/bin/curl -6 --silent --user-agent 'check_ssl_cert/2.55.0' --location \"http://cacerts.thawte.com/ThawteTLSRSACAG1.crt\" > /tmp/nD25wK"
[DBG] end time = 1669765988
[DBG] new timeout = 120
[DBG] OCSP: issuer certificate type (1): data
[DBG] OCSP: issuer certificate type (2): data
[DBG] OCSP: converting issuer certificate from DER to PEM
[DBG] OCSP: issuer certificate type (3): PEM certificate
[DBG] extracting cert attribute oscp_uri
[DBG] OCSP: URIs = http://status.thawte.com
[DBG] OCSP: URI = http://status.thawte.com
[DBG] OCSP: host = status.thawte.com
[DBG] openssl ocsp supports the -header option
[DBG] /usr/bin/openssl ocsp -header requires 'key=value'
[DBG] executing /usr/bin/openssl ocsp -timeout "120" -no_nonce -issuer /tmp/nD25wK -cert /tmp/jT7eLW -url http://status.thawte.com -header HOST=status.thawte.com
[DBG] OCSP: response = Error querying OCSP responder
[DBG] OCSP: not good. HTTP_PROXY =
[DBG] executing /usr/bin/openssl ocsp -timeout "120" -no_nonce -issuer "/tmp/nD25wK" -cert "/tmp/jT7eLW" -url "http://status.thawte.com" "" 2>&1
[DBG] Error querying OCSP responder
CRITICAL error: OCSP error (Error querying OCSP responder)
[DBG] CRITICAL ----------------------------------------
[DBG] prepend_critical_message: new message = OCSP error (Error querying OCSP responder)
[DBG] prepend_critical_message: CRITICAL_MSG =
[DBG] prepend_critical_message: ALL_MSG 1 =
[DBG] prepend_critical_message: MSG 2 = SSL_CERT CRITICAL *.mailbox.org:pop3s: OCSP error (Error querying OCSP responder)
[DBG] prepend_critical_message: CRITICAL_MSG 2 = SSL_CERT CRITICAL *.mailbox.org:pop3s: OCSP error (Error querying OCSP responder)
[DBG] prepend_critical_message: ALL_MSG 2 =
[DBG] SSL_CERT CRITICAL *.mailbox.org:pop3s: OCSP error (Error querying OCSP responder)
[DBG] CRITICAL ----------------------------------------
[DBG] Timeout before OCSP check: 120
[DBG] Timeout after OCSP check: 119
OCSP check for element 1 OK
[DBG] ------------------------------------------------------------------------------
[DBG] -- Checking element 2
[DBG] extracting cert attribute cn
[DBG] Checking expiration date of element 2 (Thawte TLS RSA CA G1)
[DBG] extracting cert attribute enddate
[DBG] Validity date on cert element 2 (Thawte TLS RSA CA G1) is Nov 2 12:24:25 2027 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Nov 2 12:24:25 2027 GMT' with GNU
[DBG] Computing '(1825158265-1669765989)/3600' (precision 0)
[DBG] Hours until Nov 2 12:24:25 2027 GMT: 43164
[DBG] Computing '43164/24' (precision 0)
[DBG] Computing '43164 * 3600' (precision 0)
[DBG] Adding line to prometheus days output: cert_days_chain_elem{cn="*.mailbox.org", element="2"} 1798
[DBG] valid for 1798 days
[DBG] Executing comparison '43164 < 4608'
[DBG] bc result = 0
[DBG] returning 1
[DBG] Executing comparison '1798 < 192'
[DBG] bc result = 0
[DBG] returning 1
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 2 (Thawte TLS RSA CA G1)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1296000 on cert element 2 (Thawte TLS RSA CA G1)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1728000 on cert element 2
Certificate element 2 (Thawte TLS RSA CA G1) is valid for 1798 days
[DBG] Adding line to prometheus validity output: cert_valid_chain_elem{cn="*.mailbox.org", element="2"} 0
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 2
[DBG] temporary file /tmp/BC77jb created
[DBG] Storing the chain element in /tmp/BC77jb
[DBG] Checking revocation via OCSP
[DBG] extracting cert attribute issuer_hash
[DBG] Issuer hash: 607986c7
[DBG] extracting cert attribute issuer_uri
Warning cannot find the CA Issuers in the certificate chain element 2: disabling OCSP checks on chain element 2
[DBG] ------------------------------------------------------------------------------
[DBG] extracting cert attribute email
[DBG] EMAIL =
The certificate was successfully verified
[DBG] openssl_version 1.1.0
[DBG] Checking if OpenSSL version is at least 1.1.0 ( '1' '1' '0' ':0' )
[DBG] openssl version: 1.1.1f
[DBG] Current version 1.1.1f ( '1' '1' '1' 'f:102' )
[DBG] true
[DBG] Checking Signed Certificate Timestamps (SCTs)
[DBG] extracting cert attribute sct
The certificate contains signed certificate timestamps (SCT)
Skipping maximum validity test for non HTTP protocols
[DBG] cleaning up temporary files
[DBG]
[DBG] /tmp/vnkO3p
[DBG] /tmp/S6KdC0
[DBG] /tmp/rhkYGI
[DBG] /tmp/unPuqi
[DBG] /tmp/Hx7HiW
[DBG] /tmp/nD25wK
[DBG] /tmp/GP70jS
[DBG] /tmp/jT7eLW
[DBG] /tmp/BC77jb
[DBG] exiting with CRITICAL
[DBG] ALL_MSG =
[DBG] SSL_CERT CRITICAL *.mailbox.org:pop3s: OCSP error (Error querying OCSP responder)
[DBG] number of errors = 1
SSL_CERT CRITICAL *.mailbox.org:pop3s: OCSP error (Error querying OCSP responder)|days_chain_elem1=192;20;15;; days_chain_elem2=1798;20;15;;
lukas@htznr2:~$
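The debug output above records the responder failure as a CRITICAL message and then prints "OCSP check for element 1 OK", while the final state is still CRITICAL. The following POSIX sh sketch is an added example, not code from check_ssl_cert, of how a Nagios-style plugin can take the ignore decision before any result is recorded; it assumes coreutils timeout(1) reporting exit status 124 on expiry, and all function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from check_ssl_cert: map the result of a
# timeout(1)-wrapped `openssl ocsp` call to a Nagios plugin state while
# honouring --ignore-ocsp-errors and --ignore-ocsp-timeout.
# All function and variable names are hypothetical.

STATE_OK=0; STATE_WARNING=1; STATE_CRITICAL=2   # Nagios plugin exit codes

# classify_ocsp STATUS OUTPUT IGNORE_ERRORS IGNORE_TIMEOUT
#   STATUS: exit status of `timeout N openssl ocsp ...` (124 = timeout expired)
#   OUTPUT: the command's captured stdout/stderr
# Prints a one-line verdict and returns the plugin state.
classify_ocsp() {
    status=$1 output=$2 ignore_errors=${3:-0} ignore_timeout=${4:-0}
    case "$output" in
        *": good"*)      # "<certfile>: good" or, with -text, "Cert Status: good"
            printf 'OK: OCSP status good\n'; return "$STATE_OK" ;;
        *": revoked"*)   # a revoked certificate is never ignorable
            printf 'CRITICAL: certificate revoked\n'; return "$STATE_CRITICAL" ;;
    esac
    if [ "$status" -eq 124 ]; then
        if [ "$ignore_timeout" = 1 ]; then
            printf 'OK: OCSP responder timed out (ignored)\n'; return "$STATE_OK"
        fi
        printf 'CRITICAL: OCSP responder timed out\n'; return "$STATE_CRITICAL"
    fi
    # Anything else: unreachable responder, malformed reply, unknown status.
    # The ignore decision is taken here, before any message is recorded.
    if [ "$ignore_errors" = 1 ]; then
        printf 'OK: OCSP error ignored (%s)\n' "$output"; return "$STATE_OK"
    fi
    printf 'CRITICAL: OCSP error (%s)\n' "$output"; return "$STATE_CRITICAL"
}

# worst_state STATE... prints the worst state over all chain elements;
# only states that came out of classify_ocsp are fed in.
worst_state() {
    worst=$STATE_OK
    for s in "$@"; do
        if [ "$s" -gt "$worst" ]; then worst=$s; fi
    done
    echo "$worst"
}

# The situation from the report: responder unreachable, both flags given,
# then the same failure without the flags (a genuine CRITICAL).
demo() {
    rc=0; classify_ocsp 0 'Error querying OCSP responder' 1 1 || rc=$?
    el1=$rc
    rc=0; classify_ocsp 0 'Error querying OCSP responder' 0 0 || rc=$?
    echo "final state with the ignore flags: $(worst_state "$el1" "$STATE_OK")"
}
demo
```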
--ignore-ocsp, on the other hand, fully disables OCSP, and check_ssl_cert returns OK in this case.
Thanks. Should be fixed but cannot test anymore ....
Thank you!