matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0

Regression: Script fails for IPv6-only hostname without -6 #451

Closed paulchen closed 1 year ago

paulchen commented 1 year ago

Describe the bug

When the script is invoked with a hostname that only resolves to an IPv6 address, but not to an IPv4 address (i.e. it does only have an AAAA record, but no A record), the script fails with error code 2 and the message SSL_CERT CRITICAL: Cannot resolve <hostname>. This only happens in case the parameter -6 is not used.

To Reproduce

./check_ssl_cert -H alpha6.rueckgr.at -p 443 -w 20 -c 10

Result: SSL_CERT CRITICAL: Cannot resolve alpha6.rueckgr.at

Expected behavior

The same result as when called with the parameter -6.

Expected result: SSL_CERT OK - alpha6.rueckgr.at:443, https, x509 certificate 'rueckgr.at' (alpha6.rueckgr.at) from 'Let's Encrypt' valid until May 25 02:11:41 2023 GMT (expires in 48 days)|days_chain_elem1=48;20;10;; days_chain_elem2=892;20;10;; days_chain_elem3=542;20;10;;

System:

Additional context/output

The source of the problem is located in the fix for #449 which replaced nslookup by host for checking whether the given hostname can be resolved to an IP address: https://github.com/matteocorti/check_ssl_cert/blob/master/check_ssl_cert#L4206-L4218

In the case of an IPv6-only hostname, the output of host looks like this:

# host alpha6.rueckgr.at
alpha6.rueckgr.at has IPv6 address 2a01:4f8:110:12d5::2
alpha6.rueckgr.at mail is handled by 10 mail.rueckgr.at.

However, the script only checks for the string has address if neither -4 nor -6 are given. host outputs has address only if an A record is present.

Maybe fixing this is as easy as grepping for something like has (IPv6 )?address in line 4215.

The problem does not yet occur in Git revision 0a4acc26cc62d8a68660c1824d3dae9d8b0a2459.
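The check proposed in the comment above, as an added example (not check_ssl_cert's own code and not part of the thread): a shell function that decides from host output whether a name resolves, next to the A-only test the issue describes. The function names and the example.test sample outputs are assumptions made for this example; only the alpha6.rueckgr.at output is taken from the issue.

```shell
#!/bin/sh
# Added illustration; not check_ssl_cert's own code.
#
# host_output_resolves MODE OUTPUT
#   MODE   4 = need an A record, 6 = need an AAAA record, any = either
#   OUTPUT text printed by `host <name>`
# Returns 0 if OUTPUT has a matching address line, 1 if not, 2 on bad MODE.
host_output_resolves() {
    mode=$1
    output=$2
    case "${mode}" in
        4)   pattern=' has address ' ;;
        6)   pattern=' has IPv6 address ' ;;
        any) pattern=' has (IPv6 )?address ' ;;
        *)   return 2 ;;
    esac
    printf '%s\n' "${output}" | grep -E -q -- "${pattern}"
}

# The narrower test described in the issue: only A records count.
host_output_resolves_a_only() {
    printf '%s\n' "$1" | grep -q -- ' has address '
}

# Sample outputs. V6_ONLY is the output quoted in the issue; the rest are
# constructed for this example.
V6_ONLY='alpha6.rueckgr.at has IPv6 address 2a01:4f8:110:12d5::2
alpha6.rueckgr.at mail is handled by 10 mail.rueckgr.at.'
V4_ONLY='v4.example.test has address 192.0.2.10'
DUAL='dual.example.test has address 192.0.2.11
dual.example.test has IPv6 address 2001:db8::11'
NXDOMAIN='Host missing.example.test not found: 3(NXDOMAIN)'
MX_ONLY='mx.example.test mail is handled by 10 mail.example.test.'

# Print both verdicts side by side for one sample.
report() {
    if host_output_resolves_a_only "$2"; then old=ok; else old=fail; fi
    if host_output_resolves any "$2"; then new=ok; else new=fail; fi
    printf '%-9s A-only: %-4s  A-or-AAAA: %s\n' "$1" "${old}" "${new}"
}

report v6-only  "${V6_ONLY}"
report v4-only  "${V4_ONLY}"
report dual     "${DUAL}"
report nxdomain "${NXDOMAIN}"
report mx-only  "${MX_ONLY}"
```

For a monitoring plugin the false CRITICAL matters because it hides the certificate state of every IPv6-only host behind a resolver error; the MX-only and NXDOMAIN samples show that the wider pattern still rejects names with no address record.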

matteocorti commented 1 year ago

Sorry I forgot about this case ...

paulchen commented 1 year ago

@matteocorti Thank you very much for fixing this so quickly!