matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0

--resolve doesn't appear to be working #464

Closed nickjwest closed 12 months ago

nickjwest commented 1 year ago

I have recently updated to 2.70 from the older version 2.3.7, and the --resolve option doesn't appear to be working, even though it is the same option as in the help.

A clear and concise description of what the bug is.

The --resolve option doesn't appear to be working, or is behaving differently from earlier versions.

Steps to reproduce the behavior.

I ran the same command in the old and new versions, and the --resolve option worked as expected in the older version, but didn't work in the new one.

A clear and concise description of what you expected to happen.

System (please complete the following information):

Running on Ubuntu 20.4

Additional context/output

matteocorti commented 1 year ago

Can you please submit the output with --debug?

nickjwest commented 1 year ago

```
./check_ssl_cert.bkp -H rewards.britishgas.co.uk -w 20 -c 10 --ignore-sct --ignore-ocsp --resolve 18.165.201.99
SSL_CERT OK - x509 certificate 'rewards.britishgas.co.uk' from 'DigiCert TLS RSA SHA256 2020 CA1' valid until Nov 22 23:59:59 2023 GMT (expires in 118 days)|days_chain_elem1=118;20;10;; days_chain_elem2=3027;20;10;; days_chain_elem3=2817;20;10;;
./check_ssl_cert.bkp -V
check_ssl_cert version 2.3.7
```

```
/check_ssl_cert -H rewards.britishgas.co.uk -w 20 -c 10 --ignore-sct --ignore-ocsp --resolve 18.165.201.99
SSL_CERT CRITICAL: Cannot resolve rewards.britishgas.co.uk
./check_ssl_cert -V
check_ssl_cert version 2.70.0
```

nickjwest commented 1 year ago

```
./check_ssl_cert -H rewards.britishgas.co.uk -w 20 -c 10 --ignore-sct --ignore-ocsp --resolve 18.165.201.99 --debug
[DBG] check_ssl_cert version: 2.70.0
[DBG] System info: Linux win-netmon-002 5.4.0-155-generic #172-Ubuntu SMP Fri Jul 7 16:10:02 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
[DBG] /etc/os-release:
[DBG] NAME="Ubuntu"
[DBG] VERSION="20.04.6 LTS (Focal Fossa)"
[DBG] ID=ubuntu
[DBG] ID_LIKE=debian
[DBG] PRETTY_NAME="Ubuntu 20.04.6 LTS"
[DBG] VERSION_ID="20.04"
[DBG] HOME_URL=https://www.ubuntu.com/
[DBG] SUPPORT_URL=https://help.ubuntu.com/
[DBG] BUG_REPORT_URL=https://bugs.launchpad.net/ubuntu/
[DBG] PRIVACY_POLICY_URL=https://www.ubuntu.com/legal/terms-and-policies/privacy-policy
[DBG] VERSION_CODENAME=focal
[DBG] UBUNTU_CODENAME=focal
[DBG] User: Windsor
[DBG] Shell: /bin/bash
[DBG] GNU bash, version 5.0.17(1)-release (x86_64-pc-linux-gnu)
[DBG] Copyright (C) 2019 Free Software Foundation, Inc.
[DBG] License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
[DBG]
[DBG] This is free software; you are free to change and redistribute it.
[DBG] There is NO WARRANTY, to the extent permitted by law.
[DBG] grep: /bin/grep
[DBG] grep (GNU grep) 3.4
[DBG] Copyright (C) 2020 Free Software Foundation, Inc.
[DBG] License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html.
[DBG] This is free software: you are free to change and redistribute it.
[DBG] There is NO WARRANTY, to the extent permitted by law.
[DBG]
[DBG] Written by Mike Haertel and others; see
[DBG] https://git.sv.gnu.org/cgit/grep.git/tree/AUTHORS.
[DBG] hostname: /bin/hostname
[DBG] $PATH: /omd/sites/Windsor/lib/perl5/bin:/omd/sites/Windsor/local/bin:/omd/sites/Windsor/bin:/omd/sites/Windsor/local/lib/perl5/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
[DBG] Command line arguments: -H rewards.britishgas.co.uk -w 20 -c 10 --ignore-sct --ignore-ocsp --resolve 18.165.201.99 --debug
[DBG] TMPDIR = /tmp
[DBG] Required HTTP headers:
[DBG] Unrequired HTTP headers:
[DBG] curl binary not needed. SSL Labs = , OCSP =
[DBG] Proxy settings (after):
[DBG] http_proxy =
[DBG] https_proxy =
[DBG] HTTP_PROXY =
[DBG] HTTPS_PROXY =
[DBG] s_client =
[DBG] curl =
[DBG] Checking if the host is listed in /etc/hosts
[DBG] Host not found in /etc/hosts: checking DNS
[DBG] Checking if the host (rewards.britishgas.co.uk) exists
[DBG] Cannot resolve rewards.britishgas.co.uk
[DBG] cleaning up temporary files
[DBG] exiting with CRITICAL
[DBG] ALL_MSG =
[DBG] number of errors = 0
SSL_CERT CRITICAL: Cannot resolve rewards.britishgas.co.uk
```

matteocorti commented 1 year ago

Thanks, I am away until the end of next week, but I'll try to take a look sooner.

matteocorti commented 1 year ago

Strange, with 2.70 I get

```
[...]
[DBG] Adding rewards.britishgas.co.uk to the host cache
[DBG] Forcing rewards.britishgas.co.uk to resolve to 18.165.201.99
[DBG] SNI                 = rewards.britishgas.co.uk
[DBG] HOST_NAME           = rewards.britishgas.co.uk
[DBG] HOST_ADDR           = 18.165.201.99
[DBG] NAMES_TO_BE_CHECKED = __HOST__
[DBG] Checking if rewards.britishgas.co.uk is an IP address
[DBG] rewards.britishgas.co.uk is not an IP address
[DBG] HOST_IS_IP.         = 0
[DBG] Checking if rewards.britishgas.co.uk is an IP address
[DBG] rewards.britishgas.co.uk is not an IP address
[DBG] Adding rewards.britishgas.co.uk to NAMES_TO_BE_CHECKED
[DBG] NAMES_TO_BE_CHECKED = rewards.britishgas.co.uk
[...]
```

nickjwest commented 1 year ago

Can you confirm the installation, as I am just running the script as is, i.e. I downloaded and unzipped it and copied out the check_ssl_cert piece.

nickjwest commented 1 year ago

Interesting. I just copied the raw into a script and works fine.

matteocorti commented 1 year ago

> Interesting. I just copied the raw into a script and works fine.

Strange. Are the files different? Maybe line termination? I am puzzled as the script runs...

nickjwest commented 1 year ago

Indeed. I am going to copy over the one I have working in my lab. Maybe a red herring..!?

matteocorti commented 12 months ago

Did the file that is not working come from the tarball or an RPM?

nickjwest commented 12 months ago

I copied the script working from my home lab to my work server, and indeed it doesn't work. I think this is probably being caused by split DNS, and the script ending before it reaches the --resolve option. We cannot resolve the host internally, and it only works with the --resolve option... or at least it did in the old version 2.3.7. My home lab will just use external DNS straight away.

nickjwest commented 12 months ago

With 2.3.7, I am guessing the resolve part is coming before the host lookup, and because 2.70 is trying to find a local lookup, which doesn't exist, it is exiting before the --resolve option is reached. I am not a great script writer, but that is what it seems to indicate to me logically.

matteocorti commented 12 months ago

Thanks for the analysis. As soon as I can use my laptop, I'll take a look.

matteocorti commented 12 months ago

My fault, I only check if --do-not-resolve is specified to skip the resolve tests.

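The resolution order this thread narrows down to (override from `--resolve` first, then `/etc/hosts`, then DNS, with `--do-not-resolve` skipping all of it), written out as an added example that is not check_ssl_cert's own code. `HOSTS_FILE`, `lookup_hosts_file`, `lookup_dns`, `resolve_host` and `parse_and_resolve` are names chosen for this illustration; the `HOSTS_FILE` knob exists only so the logic can be run against a constructed hosts file, and `getent ahosts` is assumed to be the system resolver front end.

```shell
#!/bin/sh
# Added example, not check_ssl_cert's own code. It models the decision the
# thread is about: an address given with --resolve must be used *before* any
# "does the host exist" DNS test, otherwise split DNS (the internal resolver
# does not know the name) makes the check exit CRITICAL before the override
# is ever applied. HOSTS_FILE is an assumed knob so the logic can be exercised
# against a constructed hosts file; the real script reads /etc/hosts.
HOSTS_FILE=${HOSTS_FILE:-/etc/hosts}

# lookup_hosts_file NAME: print the first address mapped to NAME (or an alias)
lookup_hosts_file() {
    awk -v h="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }
    ' "$HOSTS_FILE" 2>/dev/null || true
}

# lookup_dns NAME: print the first address the system resolver returns
lookup_dns() {
    getent ahosts "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# resolve_host NAME [FORCED_ADDR]: print the address to connect to, exit 1 if
# nothing resolves. The forced address short-circuits every lookup.
resolve_host() {
    name=$1
    forced=${2:-}
    if [ -n "$forced" ]; then
        printf '%s\n' "$forced"
        return 0
    fi
    addr=$(lookup_hosts_file "$name")
    if [ -z "$addr" ]; then
        addr=$(lookup_dns "$name")
    fi
    if [ -z "$addr" ]; then
        printf 'SSL_CERT CRITICAL: Cannot resolve %s\n' "$name" >&2
        return 1
    fi
    printf '%s\n' "$addr"
}

# parse_and_resolve ARGS...: minimal handling of -H, --resolve and
# --do-not-resolve; every other option is skipped. Prints "HOST ADDR", or
# "HOST unresolved" when --do-not-resolve disables the lookups entirely.
parse_and_resolve() {
    host='' forced='' do_not_resolve=0
    while [ $# -gt 0 ]; do
        case $1 in
            -H)               host=$2;   shift 2 ;;
            --resolve)        forced=$2; shift 2 ;;
            --do-not-resolve) do_not_resolve=1; shift ;;
            *)                shift ;;
        esac
    done
    if [ -z "$host" ]; then
        echo 'missing -H HOST' >&2
        return 2
    fi
    if [ "$do_not_resolve" -eq 1 ]; then
        printf '%s unresolved\n' "$host"
        return 0
    fi
    addr=$(resolve_host "$host" "$forced") || return 1
    printf '%s %s\n' "$host" "$addr"
}

# usage: sh resolve_order.sh -H rewards.britishgas.co.uk --resolve 18.165.201.99
if [ $# -gt 0 ]; then
    parse_and_resolve "$@"
fi
```

With the override checked first, a name the internal resolver cannot answer for still yields the forced address, which is the 2.3.7 behaviour the reporter relied on; the `--do-not-resolve` branch stays separate so that disabling the existence test and overriding its result remain two distinct switches.
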
matteocorti commented 12 months ago

I will release a new version that should address the issue, but I cannot test in a real environment. Can you please let me know if it solves the problem?

nickjwest commented 12 months ago

Many thanks for your time on this. I will download and test and revert back.