matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0

Unable to resolve internal host with v2.66 #455

Closed matteocorti closed 1 year ago

matteocorti commented 1 year ago

Discussed in https://github.com/matteocorti/check_ssl_cert/discussions/454

Originally posted by **aquibkazi** April 24, 2023

Hello,

We are planning to upgrade check_ssl_cert from version 2.7 to the latest (2.66); however, we are facing a problem with the check resolving an internal host which has a self-signed cert. If possible, could you please review and advise? Thank you!

**Successful with v2.7.0**

```
[root@aws-rmc-03 kazi]# /usr/local/nagios/libexec/check_ssl_cert -V
check_ssl_cert version 2.7.0
[root@aws-rmc-03 kazi]# /usr/local/nagios/libexec/check_ssl_cert -H hps-b.echoawsus.internal -p 3000 -u /api/v1.0/ping -s --ignore-host-cn -w 10 -c 5
SSL_CERT OK - x509 self signed certificate 'hps-b.echoawsus.internal' from 'hps-b.echoawsus.internal' valid until Jan 27 18:22:52 2025 GMT (expires in 644 days)|days_chain_elem1=644;10;5;;
```

**Failed with v2.66**

```
[root@ kazi]# /tmp/check_ssl_cert -V
check_ssl_cert version 2.66.0
[root@ kazi]# /tmp/check_ssl_cert -H hps-b.echoawsus.internal -p 3000 -u /api/v1.0/ping -s --ignore-host-cn -w 10 -c 5
SSL_CERT CRITICAL: Cannot resolve hps-b.echoawsus.internal
```

-Aquib

Debug output

**Successful with 2.7**

```
[root@aws-rmc-03 kazi]# /usr/local/nagios/libexec/check_ssl_cert -H hps-b.echoawsus.internal -p 3000 -u /api/v1.0/ping -s --ignore-host-cn -w 10 -c 5 -v -d
[DBG] Command line arguments: -H hps-b.echoawsus.internal -p 3000 -u /api/v1.0/ping -s --ignore-host-cn -w 10 -c 5 -v -d
[DBG] SNI =
[DBG] HOST_NAME = hps-b.echoawsus.internal
[DBG] HOST_ADDR = hps-b.echoawsus.internal
[DBG] COMMON_NAME =
[DBG] COMMON_NAME =
[DBG] -c specified: 5
[DBG] -w specified: 10
[DBG] ROOT_CA =
[DBG] file version: file-5.11
[DBG] magic file from /etc/magic:/usr/share/misc/magic
[DBG] cURL binary needed. SSL Labs = , OCSP = 1, CURL =
[DBG] cURL binary not specified
[DBG] cURL available: /bin/curl
[DBG] curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.53.1 zlib/1.2.7 libidn/1.28 libssh2/1.8.0
[DBG] Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
[DBG] Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets
[DBG] nmap binary not needed. No disallowed protocols
[DBG] perl available: /bin/perl
[DBG] date available: /bin/date
[DBG] checking date version
[DBG] date computation type: GNU
found GNU date with timestamp support: enabling date computations
[DBG] check_ssl_cert version: 2.7.0
[DBG] OpenSSL binary: /bin/openssl
[DBG] OpenSSL info:
[DBG] OpenSSL 1.0.2k-fips 26 Jan 2017
[DBG] built on: reproducible build, date unspecified
[DBG] platform: linux-x86_64
[DBG] options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
[DBG] compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
[DBG] OPENSSLDIR: "/etc/pki/tls"
[DBG] engines: rdrand dynamic
[DBG] OpenSSL configuration directory: /etc/pki/tls
[DBG] 128 root certificates installed by default
[DBG] System info: Linux aws-rmc-03 3.10.0-1160.76.1.el7.x86_64 #1 SMP Wed Aug 10 16:21:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/bin/openssl s_client' supports '-servername': using -servername hps-b.echoawsus.internal
[DBG] '/bin/openssl s_client' supports '-name': using aws-rmc-03
[DBG] '/bin/openssl s_client' supports '-xmpphost': using -xmpphost hps-b.echoawsus.internal
[DBG] temporary file /tmp/duCyBy created
[DBG] temporary file /tmp/D8wVT7 created
[DBG] temporary file /tmp/G4gqJK created
[DBG] temporary file /tmp/q4vY8C created
[DBG] temporary file /tmp/2HwK9k created
[DBG] temporary file /tmp/ciocti created
[DBG] temporary file /tmp/OZRQ8H created
downloading certificate to /tmp
[DBG] hps-b.echoawsus.internal is not an IP address
[DBG] Adding -ign_eof to the options
[DBG] fetch_certificate: PROTICOL =
[DBG] executing with timeout (120s): printf 'HEAD /api/v1.0/ping HTTP/1.1\nHost: hps-b.echoawsus.internal\nUser-Agent: check_ssl_cert/2.7.0\nConnection: close\n\n' | /bin/openssl s_client -crlf -ign_eof -connect hps-b.echoawsus.internal:3000 -servername hps-b.echoawsus.internal -showcerts -verify 6 2> /tmp/D8wVT7 1> /tmp/duCyBy
[DBG] start time = 1682354411
[DBG] /bin/timeout 120 /bin/sh -c "printf 'HEAD /api/v1.0/ping HTTP/1.1\nHost: hps-b.echoawsus.internal\nUser-Agent: check_ssl_cert/2.7.0\nConnection: close\n\n' | /bin/openssl s_client -crlf -ign_eof -connect hps-b.echoawsus.internal:3000 -servername hps-b.echoawsus.internal -showcerts -verify 6 2> /tmp/D8wVT7 1> /tmp/duCyBy"
[DBG] end time = 1682354411
[DBG] new timeout = 120
[DBG] Return value of the command = 0
checking TLS renegotiation
[DBG] checking TLS renegotiation
[DBG] executing with timeout (120s): printf 'R\n' | /bin/openssl s_client -crlf -connect hps-b.echoawsus.internal:3000 2>&1 | grep -F -q err
[DBG] start time = 1682354411
[DBG] /bin/timeout 120 /bin/sh -c "printf 'R\n' | /bin/openssl s_client -crlf -connect hps-b.echoawsus.internal:3000 2>&1 | grep -F -q err"
[DBG] end time = 1682354411
[DBG] new timeout = 120
parsing the x509 certificate file
[DBG] extracting cert attribute enddate
[DBG] extracting cert attribute cn
[DBG] extracting cert attribute subject
[DBG] extracting cert attribute serial
[DBG] extracting cert attribute fingerprint
[DBG] extracting cert attribute oscp_uri_single
[DBG] extracting cert attribute oscp_uri
[DBG] Skipping 0 element of the chain
[DBG] extracting cert attribute issuer
[DBG] ISSUERS =
[DBG] issuer= C = CA, ST = Ontario, L = Toronto, O = Echoworx Corporation, OU = Certificate Services, CN = hps-b.echoawsus.internal
[DBG] ISSUERS =
[DBG] O = Echoworx Corporation
[DBG] CN = hps-b.echoawsus.internal
[DBG] extracting cert attribute issuer_uri_single
[DBG] extracting cert attribute issuer_uri
[DBG] extracting cert attribute sig_algo
[DBG] subject= C = CA, ST = Ontario, L = Toronto, O = Echoworx Corporation, OU = Certificate Services, CN = hps-b.echoawsus.internal
[DBG] CN = hps-b.echoawsus.internal
[DBG] CA = O = Echoworx Corporation
[DBG] CA = CN = hps-b.echoawsus.internal
[DBG] SERIAL = 8E48267ADDE53B8C
[DBG] FINGERPRINT= 35:BF:6E:8B:E9:95:24:AC:29:42:F8:27:7D:76:50:B1:5C:AA:CB:3D
[DBG] OCSP_URI =
[DBG] ISSUER_URI =
[DBG] Signature Algorithm: sha256WithRSAEncryption
[DBG] extracting cert attribute subjectAlternativeName
[DBG] subjectAlternativeName =
[DBG] Checking expiration date
[DBG] Number of certificates in CA chain: 1
[DBG] Skipping 0 element of the chain
[DBG] ------------------------------------------------------------------------------
[DBG] extracting cert attribute cn
[DBG] Checking expiration date of element 1 (hps-b.echoawsus.internal)
[DBG] extracting cert attribute enddate
[DBG] Validity date on cert element 1 (hps-b.echoawsus.internal) is Jan 27 18:22:52 2025 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Jan 27 18:22:52 2025 GMT'
[DBG] Hours until Jan 27 18:22:52 2025 GMT: 15457
[DBG] Adding line to prometheus days output: cert_days_chain_elem{cn="hps-b.echoawsus.internal", element=1} 644
[DBG] valid for 644 days
[DBG] executing: /bin/openssl x509 -noout -checkend 0 on cert element 1 (hps-b.echoawsus.internal)
[DBG] executing: /bin/openssl x509 -noout -checkend 432000 on cert element 1 (hps-b.echoawsus.internal)
[DBG] executing: /bin/openssl x509 -noout -checkend 864000 on cert element 1
[DBG] Adding line to prometheus validity output: cert_valid_chain_elem{cn="hps-b.echoawsus.internal", element=1} 0
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 1
[DBG] temporary file /tmp/9tVuFI created
[DBG] Storing the chain element in /tmp/9tVuFI
[DBG] Checking revokation via OCSP
[DBG] extracting cert attribute issuer_hash
[DBG] Issuer hash: 789ad0a1
[DBG] extracting cert attribute issuer_uri
cannot find the CA Issuers in the certificate: disabling OCSP checks on element 1
[DBG] Checking if the certificate was self signed
[DBG] Self signed certificate
[DBG] output parameters: CA_ISSUER_MATCHED = hps-b.echoawsus.internal
[DBG] output parameters: CHECKEDNAMES =
[DBG] output parameters: CN = hps-b.echoawsus.internal
[DBG] output parameters: DATE = Jan 27 18:22:52 2025 GMT
[DBG] output parameters: DAYS_VALID = (expires in 644 days)
[DBG] output parameters: DYSPLAY_CN = 'hps-b.echoawsus.internal'
[DBG] output parameters: OPENSSL_COMMAND = x509
[DBG] output parameters: SELFSIGNEDCERT = self signed
[DBG] output parameters: SHORTNAME = SSL_CERT
[DBG] output parameters: OCSP_EXPIRES_IN_HOURS =
[DBG] output parameters: SSL_LABS_HOST_GRADE =
SSL_CERT OK - x509 self signed certificate 'hps-b.echoawsus.internal' from 'hps-b.echoawsus.internal' valid until Jan 27 18:22:52 2025 GMT (expires in 644 days)|days_chain_elem1=644;10;5;;
[DBG] cleaning up temporary files
[DBG]
[DBG] /tmp/duCyBy
[DBG] /tmp/D8wVT7
[DBG] /tmp/G4gqJK
[DBG] /tmp/q4vY8C
[DBG] /tmp/2HwK9k
[DBG] /tmp/ciocti
[DBG] /tmp/OZRQ8H
[DBG] /tmp/9tVuFI
[root@ kazi]#
```

**Failed with 2.66**

```
[root@aws-rmc-03 kazi]# /tmp/check_ssl_cert -H hps-b.echoawsus.internal -p 3000 -u /api/v1.0/ping -s --ignore-host-cn -w 10 -c 5 -d -v
[DBG] check_ssl_cert version: 2.66.0
[DBG] System info: Linux aws-rmc-03 3.10.0-1160.76.1.el7.x86_64 #1 SMP Wed Aug 10 16:21:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
[DBG] /etc/os-release:
[DBG] NAME="CentOS Linux"
[DBG] VERSION="7 (Core)"
[DBG] ID="centos"
[DBG] ID_LIKE="rhel fedora"
[DBG] VERSION_ID="7"
[DBG] PRETTY_NAME="CentOS Linux 7 (Core)"
[DBG] ANSI_COLOR="0;31"
[DBG] CPE_NAME="cpe:/o:centos:centos:7"
[DBG] HOME_URL=https://www.centos.org/
[DBG] BUG_REPORT_URL=https://bugs.centos.org/
[DBG]
[DBG] CENTOS_MANTISBT_PROJECT="CentOS-7"
[DBG] CENTOS_MANTISBT_PROJECT_VERSION="7"
[DBG] REDHAT_SUPPORT_PRODUCT="centos"
[DBG] REDHAT_SUPPORT_PRODUCT_VERSION="7"
[DBG]
[DBG] User: root
[DBG] Shell: /bin/bash
[DBG] GNU bash, version 4.2.46(2)-release (x86_64-redhat-linux-gnu)
[DBG] Copyright (C) 2011 Free Software Foundation, Inc.
[DBG] License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
[DBG]
[DBG] This is free software; you are free to change and redistribute it.
[DBG] There is NO WARRANTY, to the extent permitted by law.
[DBG] grep: /bin/grep
[DBG] /bin/grep (GNU grep) 2.20
[DBG] Copyright (C) 2014 Free Software Foundation, Inc.
[DBG] License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html.
[DBG] This is free software: you are free to change and redistribute it.
[DBG] There is NO WARRANTY, to the extent permitted by law.
[DBG]
[DBG] Written by Mike Haertel and others, see http://git.sv.gnu.org/cgit/grep.git/tree/AUTHORS.
[DBG] hostname: /bin/hostname
[DBG] $PATH: /sbin:/bin:/usr/sbin:/usr/bin
[DBG] Command line arguments: -H hps-b.echoawsus.internal -p 3000 -u /api/v1.0/ping -s --ignore-host-cn -w 10 -c 5 -d -v
[DBG] TMPDIR = /tmp
[DBG] Required HTTP headers:
[DBG] Unrequired HTTP headers:
[DBG] Checking if the host (hps-b.echoawsus.internal) exists
[DBG] cleaning up temporary files
[DBG] exiting with CRITICAL
[DBG] ALL_MSG =
[DBG] number of errors = 0
SSL_CERT CRITICAL: Cannot resolve hps-b.echoawsus.internal
```
matteocorti commented 1 year ago

The new check for the existence of the host just considers DNS and ignores /etc/hosts.
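As an added illustration of the comment above (not code from check_ssl_cert or from either participant): a POSIX shell diagnostic that tells apart a name satisfied by a hosts(5) file from one answered by DNS, which is the split that turns the 2.7 `OK` into the 2.66 `Cannot resolve` when a monitored name lives only in /etc/hosts. The hosts-file scanner, the `host`-based DNS probe and the demo hosts file are assumptions constructed here.

```shell
#!/bin/sh
# Added example, not check_ssl_cert code: separate names that resolve from a
# hosts(5) file from names that resolve from DNS, so a "cannot resolve" from a
# DNS-only existence check can be traced to the layer that was actually asked.

# Pure-shell scan of a hosts(5) file: exit 0 if NAME is listed as a host name.
# FILE defaults to /etc/hosts; the demo below passes a constructed file.
in_hosts_file() {
    awk -v want="$1" '
        { sub(/#.*/, "") }                    # drop comments
        NF >= 2 { for (i = 2; i <= NF; i++)    # field 1 is the address
                      if (tolower($i) == tolower(want)) found = 1 }
        END { exit found ? 0 : 1 }
    ' "${2:-/etc/hosts}"
}

# Resolution through NSS (hosts file, DNS, ... in nsswitch.conf order);
# this is the path openssl s_client -connect itself takes.
resolve_nss() {
    getent ahosts "$1" > /dev/null 2>&1
}

# DNS-only resolution. Assumes bind-utils' "host", which never reads /etc/hosts.
resolve_dns_only() {
    host -W 2 "$1" > /dev/null 2>&1
}

# Report which layer answers for NAME, treating FILE as the hosts file.
explain_resolution() {
    if in_hosts_file "$1" "${2:-/etc/hosts}"; then
        echo "$1: listed in ${2:-/etc/hosts}; a DNS-only check will not see it"
    elif resolve_dns_only "$1"; then
        echo "$1: answered by DNS"
    elif resolve_nss "$1"; then
        echo "$1: resolvable via NSS but not via DNS (another nsswitch source)"
    else
        echo "$1: not resolvable"
    fi
}

# Constructed demo data: the internal host from the report, present only in a
# throwaway hosts file, so the run needs no network.
demo_hosts=$(mktemp)
printf '127.0.0.1 localhost\n10.0.0.12 hps-b.echoawsus.internal hps-b # demo\n' > "$demo_hosts"
explain_resolution hps-b.echoawsus.internal "$demo_hosts"
rm -f "$demo_hosts"
```

Run against the real /etc/hosts by omitting the second argument; a name that only `in_hosts_file` finds is exactly the case the comment describes.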