matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0

CSR is not a DEM #456

Closed tuxracer1337 closed 1 year ago

tuxracer1337 commented 1 year ago

Dear Matteo,

we found the following issue in the latest versions

While running a command like this:

'/usr/lib64/nagios/plugins/check_ssl_cert' '--ignore-connection-problems' '--ignore-maximum-validity' '--ignore-sct' '--ignore-tls-renegotiation' '--no-perf' '--tls1_2' '-H' 'myFancyHost' '-c' '7' '-i' 'Corp-Root-CA-G2' '-m' 'myFancyHost' '-p' '443' '-w' '21' --crl --debug --rootcert-file /path/to/Corp-Root-CA-G2.pem 2>&1

it does not run successfully, because the CRL isn't a DER file, but check_ssl_cert guesses that each CRL is DER and wants to convert it to PEM. If we change the code to something like this at line 1821


        # convert DER to
        #debuglog "Converting ${CRL_TMP_DER} (DER) to ${CRL_TMP_PEM} (PEM)"
        #"${OPENSSL}" crl -inform DER -in "${CRL_TMP_DER}" -outform PEM -out "${CRL_TMP_PEM}"
        CRL_TMP_PEM=${CRL_TMP_DER}

no error occurs for our CRL.

Is it important to have a PEM each time? A better solution could be:

What do you think about it? Do you have a better solution for this case?

Best regards Andreas

matteocorti commented 1 year ago

I will fix it as soon as I get some time.

matteocorti commented 1 year ago

I really have no idea why I assumed that the CRL should always be in DER format

matteocorti commented 1 year ago

Can you please test with the latest commit?

tuxracer1337 commented 1 year ago

"Houston, we still have problems"

I tested the new version with the following results:

Related debug ERROR

[DBG] cat /tmp/R5q0uM /tmp/w39vxh /etc/pki/ca-trust/source/anchors/Corp-Root-CA-G2.pem > /tmp/Q0QwUv
[DBG] /usr/bin/openssl verify -crl_check -CRLfile /tmp/R5q0uM /tmp/MYvJod
[DBG]   result:
[DBG] CRITICAL ----------------------------------------
[DBG] prepend_critical_message: new message    = certificate element 1 is revoked (CRL)
[DBG] prepend_critical_message: CRITICAL_MSG   =
[DBG] prepend_critical_message: ALL_MSG 1      =
[DBG] prepend_critical_message: MSG 2          = SSL_CERT CRITICAL my.domain.ch: certificate element 1 is revoked (CRL)
[DBG] prepend_critical_message: CRITICAL_MSG 2 = SSL_CERT CRITICAL my.domain.ch: certificate element 1 is revoked (CRL)
[DBG] prepend_critical_message: ALL_MSG 2      = \n    SSL_CERT CRITICAL my.domain.ch: certificate element 1 is revoked (CRL)
[DBG] CRITICAL ----------------------------------------
[DBG] ------------------------------------------------------------------------------

I stopped deleting tmp files in the script (line 731) to have all files available after script run.

fancyhost:/tmp # for i in $(cd /tmp ; find . -type f -mmin -10 ); do ls -la $i ; done
-rw------- 1 root root 2366 Apr 27 12:39 ./ekqa2d
-rw------- 1 root root 310 Apr 27 12:39 ./SJfeid
-rw------- 1 root root 2468 Apr 27 12:39 ./OGVoYa
-rw------- 1 root root 2468 Apr 27 12:39 ./D8uvgJ
-rw------- 1 root root 7257 Apr 27 12:44 ./w39vxh >>>>> is not empty
-rw------- 1 root root 310 Apr 27 12:44 ./A0wjMy
-rw------- 1 root root 1074 Apr 27 12:44 ./gIF5Qe
-rw------- 1 root root 2468 Apr 27 12:44 ./t75HfY
-rw------- 1 root root 7257 Apr 27 12:39 ./kevzYi
-rw------- 1 root root 0 Apr 27 12:44 ./R5q0uM   >>>> IS EMPTY
-rw------- 1 root root 1074 Apr 27 12:39 ./jVMDY6
-rw------- 1 root root 9444 Apr 27 12:44 ./Q0QwUv >>> Is the concatenation of R5q0uM and w39vxh BUT R5q0uM is empty
-rw------- 1 root root 2366 Apr 27 12:39 ./svJ6gG
-rw------- 1 root root 2222 Apr 27 12:39 ./TthFtv
-rw------- 1 root root 2468 Apr 27 12:44 ./lpehUG
-rw------- 1 root root 2222 Apr 27 12:44 ./hWLyNA
-rw------- 1 root root 0 Apr 27 12:39 ./sQm3hz
-rw------- 1 root root 0 Apr 27 12:39 ./CdQp46
-rw------- 1 root root 0 Apr 27 12:44 ./y3x5jv
-rw------- 1 root root 2366 Apr 27 12:44 ./RMArft
-rw------- 1 root root 9444 Apr 27 12:39 ./rRM4rF
-rw------- 1 root root 2366 Apr 27 12:44 ./MYvJod

Here is a closer look at both files:

#### File /tmp/R5q0uM ####
-rw------- 1 root root 0 Apr 27 12:44 /tmp/R5q0uM
#### Whats inside? ####
/tmp/R5q0uM: empty

#### File /tmp/MYvJod ####
-rw------- 1 root root 2366 Apr 27 12:44 /tmp/MYvJod
#### Whats inside? ####
/tmp/MYvJod: PEM certificate

#### Run /usr/bin/openssl verify -crl_check -CRLfile /tmp/R5q0uM /tmp/MYvJod
unable to load CRLs

RESULT: "unable to load CRLs" is the error from the openssl command, but the DEBUG output is also "wrong".

The command is not "/usr/bin/openssl verify -crl_check -CRLfile /tmp/R5q0uM /tmp/MYvJod". The code looks like this:

        CRL_RESULT=$(
            "${OPENSSL}" verify -crl_check -CAfile "${CRL_TMP_CHAIN}" -CRLfile "${CRL_TMP_PEM}" "${CERT_ELEMENT}" 2>&1 |
                "${GREP_BIN}" -F ':' |
                head -n 1 |
                sed 's/^.*: //'
        )

But running the correct command also fails with the same message, as you can see here:

fancyhost: # /usr/bin/openssl verify -crl_check -CRLfile /tmp/R5q0uM /tmp/MYvJod | grep -F ':' | head -n 1 | sed 's/^.*: //'
unable to load CRLs

And nobody knows the real error because of this if-case:

        if ! [ "${CRL_RESULT}" = 'OK' ]; then
            prepend_critical_message "certificate element ${el_number} is revoked (CRL)"
        fi

    else

In CRL_RESULT we have "unable to load CRLs" and not "OK", so we get the "element is revoked" error.

This looks "strange" to me, because "unable to load CRLs" is not the same as "CRL is revoked". What do you think about this?

best regards Andreas
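The two problems described above (a PEM CRL being force-converted as DER, which leaves an empty file, and "unable to load CRLs" then being reported as a revocation) as an added example; this is not code from check_ssl_cert, the function names are hypothetical, and openssl(1) is assumed to be installed only for `check_crl_element`:

```shell
#!/bin/sh
# Added example, not code from check_ssl_cert: accept a CRL that is already
# PEM, and keep "the CRL could not be loaded" apart from "the certificate is
# revoked". Function names are hypothetical; openssl is assumed to exist only
# for check_crl_element.

# 0 if the file carries a PEM CRL header, 1 otherwise (DER or garbage).
crl_is_pem() {
    grep -q -- '-----BEGIN X509 CRL-----' "$1"
}

# Write the CRL at $1 as PEM to $2. A PEM file is copied as-is; only DER input
# goes through "openssl crl -inform DER", so a PEM CRL no longer ends up as an
# empty output file (the failure seen in this issue).
crl_to_pem() {
    if crl_is_pem "$1"; then
        cp "$1" "$2"
    else
        openssl crl -inform DER -in "$1" -outform PEM -out "$2"
    fi
}

# Map the text check_ssl_cert keeps in CRL_RESULT (the part after the last
# ": " on the first line of openssl verify output) to one of three words.
classify_verify_result() {
    case "$1" in
        OK)                      echo ok ;;
        *'certificate revoked'*) echo revoked ;;
        *)                       echo error ;;   # e.g. "unable to load CRLs"
    esac
}

# Verify $3 against chain $1 with CRL $2. Exit status: 0 ok, 1 revoked,
# 2 the CRL itself could not be loaded (a check error, not a revocation).
check_crl_element() {
    chain=$1; crl=$2; cert=$3
    pem=$(mktemp) || return 2
    crl_to_pem "$crl" "$pem" || { rm -f "$pem"; return 2; }
    result=$(openssl verify -crl_check -CAfile "$chain" -CRLfile "$pem" "$cert" 2>&1 |
        grep -F ':' | head -n 1 | sed 's/^.*: //')
    rm -f "$pem"
    case "$(classify_verify_result "$result")" in
        ok)      return 0 ;;
        revoked) return 1 ;;
        *)       echo "CRL check failed: $result" >&2; return 2 ;;
    esac
}
```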

sitzmoebelchronograph commented 1 year ago

Update

The issue occurs because of line 1847.

The CRL tmp file is only available if the CRL is a DER file; if not, it does not work correctly.

With an additional if case around line 1847 the problem should be solved.

best regards

matteocorti commented 1 year ago

Should be fixed.

sitzmoebelchronograph commented 1 year ago

Yes, looks good. Thank you!

matteocorti commented 1 year ago

Just released a new version with the fix