Describe the bug
When the script is invoked with a hostname that only resolves to an IPv6 address, but not to an IPv4 address (i.e. it does only have an AAAA record, but no A record), the script fails with error code 2 and the message SSL_CERT CRITICAL: Cannot resolve <hostname>. This only happens in case the parameter -6 is not used.
To Reproduce
./check_ssl_cert -H alpha6.rueckgr.at -p 443 -w 20 -c 10
Result:
SSL_CERT CRITICAL: Cannot resolve alpha6.rueckgr.at
Expected behavior
The same result as when called with the parameter -6.
Expected result:
SSL_CERT OK - alpha6.rueckgr.at:443, https, x509 certificate 'rueckgr.at' (alpha6.rueckgr.at) from 'Let's Encrypt' valid until May 25 02:11:41 2023 GMT (expires in 48 days)|days_chain_elem1=48;20;10;; days_chain_elem2=892;20;10;; days_chain_elem3=542;20;10;;
System:
64abe422e43a624902a105e13a107aeaa104338a (--version yields 2.63.0)
OpenSSL 1.1.1n 15 Mar 2022
Additional context/output
The source of the problem is located in the fix for #449 which replaced nslookup by host for checking whether the given hostname can be resolved to an IP address: https://github.com/matteocorti/check_ssl_cert/blob/master/check_ssl_cert#L4206-L4218
In the case of an IPv6-only hostname, the output of host looks like this:
However, the script only checks for the string "has address" if neither -4 nor -6 are given. host outputs "has address" only if an A record is present.
Maybe fixing this is as easy as grepping for something like "has (IPv6 )?address" in line 4215.
The problem does not yet occur in Git revision 0a4acc26cc62d8a68660c1824d3dae9d8b0a2459.
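The mismatch described in this report, as an added example that is not part of the original issue and is not code from check_ssl_cert: it runs the "has address" check and the proposed "has (IPv6 )?address" pattern over constructed host output. The function names, the sample hostnames and addresses, and the patterns used for the -4 and -6 modes are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed samples of host(1) output; names and addresses are documentation values.
V4_ONLY='v4.example.org has address 192.0.2.10'
V6_ONLY='v6.example.org has IPv6 address 2001:db8::10'
DUAL='dual.example.org has address 192.0.2.20
dual.example.org has IPv6 address 2001:db8::20
dual.example.org mail is handled by 10 mx.example.org.'
NXDOMAIN='Host missing.example.org not found: 3(NXDOMAIN)'

# The check as the report describes it when neither -4 nor -6 is given:
# only the literal string "has address" counts as a successful resolution.
# (hypothetical helper name)
legacy_resolves() {
    printf '%s\n' "$1" | grep -q 'has address'
}

# Mode-aware check (hypothetical helper name).
# $1: 4 = require an A record, 6 = require an AAAA record, any = accept either
# $2: text printed by host
# Returns 0 if resolvable in that mode, 1 if not, 2 for an unknown mode.
host_output_resolves() {
    case "$1" in
        4)   pattern=' has address ' ;;
        6)   pattern=' has IPv6 address ' ;;
        any) pattern=' has (IPv6 )?address ' ;;   # pattern proposed in the report
        *)   return 2 ;;
    esac
    printf '%s\n' "$2" | grep -Eq "$pattern"
}

# Print both verdicts for one labelled sample.
compare() {
    if legacy_resolves "$2"; then old=resolves; else old='cannot resolve'; fi
    if host_output_resolves any "$2"; then new=resolves; else new='cannot resolve'; fi
    printf '%-10s legacy: %-15s proposed: %s\n' "$1" "$old" "$new"
}

compare v4-only  "$V4_ONLY"
compare v6-only  "$V6_ONLY"
compare dual     "$DUAL"
compare nxdomain "$NXDOMAIN"
```

Only the v6-only row differs between the two columns, which is the false CRITICAL from the report; the NXDOMAIN sample is still rejected by both checks.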