matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0

Can not resolve hostname in environments without public DNS Access #457

Closed tuxracer1337 closed 1 year ago

tuxracer1337 commented 1 year ago

Dear Matteo,

we tested the new version 2.68 on additional systems and our customer found an issue related to https://github.com/matteocorti/check_ssl_cert/issues/455

Since this change the script tries to verify, at the beginning of the script, that a DNS entry for the host is available. This only works in environments with access to public DNS resolvers.

But it fails in a secured environment with access to the internet only allowed by proxies like this:

'/usr/lib64/nagios/plugins/check_ssl_cert' '--ignore-connection-problems' '--ignore-tls-renegotiation' '--no-perf' '--proxy' 'myfancy.proxy.server:3128' '--tls1_2' '-H' 'my.fancy.website' '-c' '7' '-i' 'FNCY CA 3' '-p' '443' '-w' '21' 

[DBG] exiting with CRITICAL [DBG] ALL_MSG = [DBG] number of errors = 0 SSL_CERT CRITICAL: Cannot resolve my.fancy.website

Only the proxy can resolve the hostname; the DNS inside the environment can't resolve my.fancy.website. Do you need more details?

best regards

Andreas

matteocorti commented 1 year ago

I see only two options if a proxy is used and DNS is not working:

curl -H "Content-Type: application/dns-json" "https://dns.google.com/resolve?name=www.google.com&type=A"

matteocorti commented 1 year ago

I just committed a version with an option to skip the check. I'll take a look at the second option tomorrow
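To show what the two options discussed above amount to, here is an added example in POSIX shell; it is not code from check_ssl_cert or from anyone in this thread. The function names (skip_local_resolution, doh_answer_ips) and the sample variables are made up for the example, and the JSON strings are constructed in the shape of a dns.google /resolve answer so the example runs without network access. The first function decides whether the local "can this host be resolved" pre-check should be skipped (explicitly via --do-not-resolve, or implicitly because a proxy is configured and only the proxy needs to resolve the name); the second extracts the A records from a DNS-over-HTTPS JSON answer with tr and sed only, so it can be used on a monitoring host without a JSON parser.

```shell
#!/bin/sh
# Added example, not check_ssl_cert code: the two approaches discussed in the
# issue as small POSIX shell functions. All names and sample data below are
# constructed for this example.

# Returns 0 (true) when the local resolution pre-check should be skipped.
#   $1: "1" if --do-not-resolve was given, "0" otherwise
#   $2: proxy host:port, or empty if no proxy is used
# With a proxy, the plugin never resolves the target itself (the proxy does),
# so failing early on a local lookup would be a false CRITICAL.
skip_local_resolution() {
    [ "$1" = "1" ] && return 0
    [ -n "$2" ] && return 0
    return 1
}

# Extracts IPv4 addresses from a DNS-over-HTTPS JSON answer of the kind
# "curl https://dns.google/resolve?name=HOST&type=A" returns.
# Prints one address per line. Returns 1 (prints nothing) when Status is not
# 0 (NOERROR), e.g. 3 = NXDOMAIN, or when no A record is present.
# CNAME entries (type 5) are dropped because their data is not an address.
doh_answer_ips() {
    json=$1
    printf '%s' "$json" | tr -d ' ' | grep -q '"Status":0' || return 1
    ips=$(printf '%s' "$json" | tr -d ' ' | tr ',' '\n' \
        | sed -n 's/^"data":"\([0-9][0-9.]*\)".*/\1/p')
    [ -n "$ips" ] || return 1
    printf '%s\n' "$ips"
}

# Constructed sample answers (no real hosts; RFC 5737 documentation addresses).
SAMPLE_DOH_JSON='{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"www.example.com.","type":1}],"Answer":[{"name":"www.example.com.","type":5,"TTL":300,"data":"cdn.example.net."},{"name":"cdn.example.net.","type":1,"TTL":300,"data":"192.0.2.10"},{"name":"cdn.example.net.","type":1,"TTL":300,"data":"192.0.2.11"}]}'
NXDOMAIN_DOH_JSON='{"Status":3,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"nope.example.com.","type":1}]}'

# Demonstration when run directly: a proxy is configured, so the local
# pre-check is skipped; then the sample answer is parsed.
if skip_local_resolution 0 "myfancy.proxy.server:3128"; then
    echo "proxy configured: skipping local hostname resolution"
fi
doh_answer_ips "$SAMPLE_DOH_JSON"
```

In a real plugin run the JSON would come from curl through the proxy (curl honours the https_proxy environment variable or -x), and a non-zero Status would be reported as a resolution failure instead of the misleading "is not a valid hostname" message.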

matteocorti commented 1 year ago

I implemented both:

matteocorti commented 1 year ago

Dear Andreas, as I don't have a proxy to test it, can you please give short feedback on whether one of the two options solves your problem?

tuxracer1337 commented 1 year ago

Hi,

Thanks, I'll try it and send you feedback.

tuxracer1337 commented 1 year ago

Dear Matteo

we tried "--do-not-resolve", but it did not work.

[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'HEAD / HTTP/1.1\nHost: fancyhost.domain.ch\nUser-Agent: check_ssl_cert/2.69.0\nConnection: close\n\n' | /usr/bin/openssl s_client     -crlf  -connect fancyhost.domain.ch:443 -servername fancyhost.domain.ch   -showcerts -verify 6  -tls1_2     -legacy_renegotiation 2> /tmp/9WLhhY 1> /tmp/UmvBH5"
[DBG]   end time = 1683911193
[DBG]   new timeout = 120
[DBG] Return value of the command = 1
[DBG] SSL error: verify depth is 6
[DBG] SSL error: 140661354600256:error:2008F002:BIO routines:BIO_lookup_ex:system lib:crypto/bio/b_addr.c:730:Name or service not known
[DBG] SSL error: connect:errno=0
[DBG] CRITICAL ----------------------------------------
[DBG] prepend_critical_message: new message    = fancyhost.domain.ch is not a valid hostname

While getting the cert no proxy is used.

It looks like the problem depends on the fact that you want to use the variable OPENSSL in line 4290, but the initialization is at line 4642 (both inside the main() routine).

Muchos Saludos Andreas

matteocorti commented 1 year ago

Thanks, the GREP_BIN variable has the same problem.

matteocorti commented 1 year ago

I fixed both, can you please test again?

tuxracer1337 commented 1 year ago

Hi Matteo

On the first shot: now it works, BUT without "--do-not-resolve". I'll tell you more details if we locate the issue.

matteocorti commented 1 year ago

Can you post the debugging output? (if you would rather not publish it, you can also send it to me per email).

tuxracer1337 commented 1 year ago

Hi,

I guess it was a mistake on our side. Works as designed :) with --do-not-resolve

tuxracer1337 commented 1 year ago

Hi Matteo,

I downloaded the latest 2.69, but the fix is not available there. Is it possible to release a 2.70 with the fix for our rollout?

matteocorti commented 1 year ago

Dear Andreas, I just released version 2.70.0