matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0
360 stars, 132 forks

some hosts of same domain get tried as IPv6 and therefore fail #471

Closed sblive closed 10 months ago

sblive commented 10 months ago

Describe the bug

We check ~100 hosts in a single domain. Some hosts of the same domain get tried as IPv6 and therefore fail nmap (which doesn't have IPv6 support here) and then fail completely with "connection refused". Using "-d" reveals it trying "nmap -6", which fails. Adding "-4" fixes it, but I don't get why some subdomains are different. None use IPv6 and the host does not support IPv6 anyway. If the host does not support IPv6, it should never be tried and a specific error should be shown.

To Reproduce

check_ssl_cert -H XXX

System (please complete the following information):

Additional context/output

[DBG] check_ssl_cert version: 2.73.0
[DBG] System info: Linux fileserver 6.1.52-gentoo #1 SMP PREEMPT_DYNAMIC Fri Sep  8 09:44:56 CEST 2023 x86_64 AMD EPYC 7443P 24-Core Processor AuthenticAMD GNU/Linux
[DBG] /etc/os-release:
[DBG]   NAME=Gentoo
[DBG]   ID=gentoo
[DBG]   PRETTY_NAME="Gentoo Linux"
[DBG]   ANSI_COLOR="1;32"
[DBG]   HOME_URL="https://www.gentoo.org/"
[DBG]   SUPPORT_URL="https://www.gentoo.org/support/"
[DBG]   BUG_REPORT_URL="https://bugs.gentoo.org/"
[DBG]   VERSION_ID="2.14"
[DBG] User: nagios
[DBG] Shell: /sbin/nologin
[DBG]   This account is currently not available.
[DBG] grep: /bin/grep
[DBG]   grep (GNU grep) 3.11
[DBG]   Copyright (C) 2023 Free Software Foundation, Inc.
[DBG]   License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
[DBG]   This is free software: you are free to change and redistribute it.
[DBG]   There is NO WARRANTY, to the extent permitted by law.
[DBG]   
[DBG]   Written by Mike Haertel and others; see
[DBG]   <https://git.savannah.gnu.org/cgit/grep.git/tree/AUTHORS>.
[DBG]   
[DBG]   grep -P uses PCRE2 10.42 2022-12-11
[DBG] hostname: /bin/hostname
[DBG] $PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/lib64/subversion/bin
[DBG] Command line arguments: -v
[DBG]   TMPDIR = /tmp
[DBG] Required HTTP headers:   
[DBG] Unrequired HTTP headers: 
[DBG] curl binary needed. SSL Labs = , OCSP = 1, CURL = , IGNORE_CONNECTION_STATE=, FILE_URI=
[DBG] curl binary not specified
[DBG] curl available: /usr/bin/curl
[DBG] curl 8.2.1 (x86_64-pc-linux-gnu) libcurl/8.2.1 OpenSSL/3.0.10 zlib/1.2.13 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.4 libssh2/1.11.0 nghttp2/1.52.0 librtmp/2.3
[DBG] Release-Date: 2023-07-26
[DBG] Protocols: dict file ftp ftps http https imap imaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps tftp ws wss
[DBG] Features: alt-svc AsynchDNS brotli HSTS HTTP2 HTTPS-proxy IDN IPv6 Largefile libz NTLM SSL threadsafe TLS-SRP UnixSockets zstd
[DBG] Proxy settings (after):
[DBG]   http_proxy  = 
[DBG]   https_proxy = 
[DBG]   HTTP_PROXY  = 
[DBG]   HTTPS_PROXY = 
[DBG]   s_client    =  
[DBG]   curl        =  
expect available (/usr/bin/expect)
timeout available (/usr/bin/timeout)
[DBG] Checking if the host is listed in /etc/hosts
[DBG] Host listed in /etc/hosts
[DBG] HOST = XXX
[DBG] SNI                 = 
[DBG] HOST_NAME           = XXX
[DBG] HOST_ADDR           = XXX
[DBG] NAMES_TO_BE_CHECKED = __HOST__
[DBG] Checking if XXX is an IP address
[DBG] XXX is not an IP address
[DBG] HOST_IS_IP.         = 0
[DBG] Checking if XXX is an IP address
[DBG] XXX is not an IP address
[DBG] Adding XXX to NAMES_TO_BE_CHECKED
[DBG] NAMES_TO_BE_CHECKED = XXX
[DBG] -c specified: 15
[DBG] -w specified: 20
[DBG] Executing comparison '1728000 < 1296000' (precision 0)
[DBG]   bc result = 0
[DBG]   returning 1
[DBG] ROOT_CA = 
[DBG] mktemp available: /usr/bin/mktemp
[DBG] file version: file-5.45
[DBG] magic file from /usr/share/misc/magic
[DBG] seccomp support included
[DBG] nmap binary not specified
[DBG] nmap available: /usr/bin/nmap
[DBG] Hosts resolved to an IPv4 address with /etc/hosts
[DBG] perl available: /usr/bin/perl
[DBG] date available: /usr/bin/date
[DBG] checking date version
[DBG] date computation type: GNU
Found GNU date with timestamp support: enabling date computations
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL info:
[DBG] OpenSSL 3.0.10 1 Aug 2023 (Library: OpenSSL 3.0.10 1 Aug 2023)
[DBG] built on: Sun Sep 10 20:03:42 2023 UTC
[DBG] platform: linux-x86_64
[DBG] options:  bn(64,64)
[DBG] compiler: x86_64-pc-linux-gnu-gcc -fPIC -pthread -m64 -Wa,--noexecstack -fdiagnostics-color=always -O3 -pipe -march=znver3 -mtune=znver3 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=512 -mmmx -mpopcnt -msse -msse2 -msse3 -mssse3 -msse4.1 -msse4.2 -mavx -mavx2 -msse4a -mno-fma4 -mno-xop -mfma -mno-avx512f -mbmi -mbmi2 -maes -mpclmul -mno-avx512vl -mno-avx512bw -mno-avx512dq -mno-avx512cd -mno-avx512er -mno-avx512pf -mno-avx512vbmi -mno-avx512ifma -mno-avx5124vnniw -mno-avx5124fmaps -mno-avx512vpopcntdq -mno-avx512vbmi2 -mno-gfni -mvpclmulqdq -mno-avx512vnni -mno-avx512bitalg -mno-avx512bf16 -mno-avx512vp2intersect -mno-3dnow -madx -mabm -mno-cldemote -mclflushopt -mclwb -mclzero -mcx16 -mno-enqcmd -mf16c -mfsgsbase -mfxsr -mno-hle -msahf -mno-lwp -mlzcnt -mmovbe -mno-movdir64b -mno-movdiri -mmwaitx -mno-pconfig -mno-pku -mno-prefetchwt1 -mprfchw -mno-ptwrite -mrdpid -mrdrnd -mrdseed -mno-rtm -mno-serialize -mno-sgx -msha -mshstk -mno-tbm -mno-tsxldtrk -mvaes -mno-waitpkg -mwbnoinvd -mxsave -mxsavec -mxsaveopt -mxsaves -mno-amx-tile -mno-amx-int8 -mno-amx-bf16 -mno-uintr -mno-hreset -mno-kl -mno-widekl -mno-avxvnni -fno-strict-aliasing -Wa,--noexecstack -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
[DBG] OPENSSLDIR: "/etc/ssl"
[DBG] ENGINESDIR: "/usr/lib64/engines-3"
[DBG] MODULESDIR: "/usr/lib64/ossl-modules"
[DBG] Seeding source: os-specific
[DBG] CPUINFO: OPENSSL_ia32cap=0x7eda320b078bffff:0x40068c219c97a9
[DBG] OpenSSL configuration directory: /etc/ssl
[DBG] 0 root certificates installed by default
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername XXX
[DBG] Proxy settings (before):
[DBG]   http_proxy  = 
[DBG]   https_proxy = 
[DBG]   HTTP_PROXY  = 
[DBG]   HTTPS_PROXY = 
[DBG] '/usr/bin/openssl s_client' supports '-name': using YYY
[DBG] '/usr/bin/openssl s_client' supports '-xmpphost': using -xmpphost XXX
[DBG] HOST_HEADER = XXX
[DBG] Testing connection with XXX:443
[DBG] Executing: '/usr/bin/nmap -6 --unprivileged -Pn -p 443 XXX'
[DBG]   I am afraid IPv6 is not available because your host doesn't support it or you chose to compile Nmap w/o IPv6 support.
[DBG]   QUITTING!
[DBG] /bin/grep -q "443.*open"
[DBG] cleaning up temporary files
[DBG] exiting with CRITICAL
[DBG] ALL_MSG = 
[DBG] number of errors = 0
Cannot connect to XXX on port 443

matteocorti commented 10 months ago

It's an error. I have to check why it's trying with IPv6 (was never the idea to switch automatically...)

matteocorti commented 10 months ago

Is the host listed in /etc/hosts? How?

sblive commented 10 months ago

No, none are listed in hosts; all come from the same public DNS, as they are in the same domain. Doing an nslookup results in exactly 1 IPv4 address, so no difference from other targets which work.

Thanks! :)

matteocorti commented 10 months ago

Mmm, then a check is wrong :-) as I see

Host listed in /etc/hosts

I check with

if "${GREP_BIN}" -q "[[:blank:]]${HOST}[[:blank:]]*$" /etc/hosts ; then

Can you please check again? Maybe the host is mentioned in a comment, or as part of another host?
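As an added example (not check_ssl_cert's own code and not posted in this thread), here is the grep check quoted above reproduced as `legacy_check`, beside a stricter lookup that strips comments, matches the host as a whole field (so the dots in the name are not regex wildcards and the host need not be the last name on the line) and reports the address family. The hosts file, the names in it and the function names are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example, not part of check_ssl_cert.
# The check quoted in the thread,
#   grep -q "[[:blank:]]${HOST}[[:blank:]]*$" /etc/hosts
# matches commented-out lines, treats the dots in $HOST as wildcards and only
# matches when the host is the last name on its line.

# Constructed sample hosts file, used instead of the real /etc/hosts.
HOSTS_FILE="$(mktemp)"
trap 'rm -f "$HOSTS_FILE"' EXIT
cat > "$HOSTS_FILE" <<'EOF'
127.0.0.1   localhost
::1         localhost ip6-localhost
# 2001:db8::10  fileserver.example.org
192.0.2.10  fileserver.example.org fs
192.0.2.11  db.example.org    db-alias
198.51.100.7 otherXexample.org
EOF

# legacy_check HOST [FILE]: the pattern from the thread, for comparison.
legacy_check() {
    grep -q "[[:blank:]]$1[[:blank:]]*$" "${2:-/etc/hosts}"
}

# hosts_lookup HOST [FILE]: prints the address of every non-comment line that
# lists HOST as a whole name (case-insensitive); returns 1 if none does.
hosts_lookup() {
    local host="$1" file="${2:-/etc/hosts}"
    awk -v host="$host" '
        { sub(/#.*/, "") }              # drop comments, including trailing ones
        NF < 2 { next }                 # need an address plus at least one name
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == tolower(host)) { print $1; found = 1; break } }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# addr_family ADDR: prints 6 for an IPv6 literal (contains a colon), else 4.
addr_family() {
    case "$1" in
        *:*) echo 6 ;;
        *)   echo 4 ;;
    esac
}

# Demo: compare both checks on names that trigger the three weaknesses.
for name in fileserver.example.org db.example.org other.example.org; do
    if addrs=$(hosts_lookup "$name" "$HOSTS_FILE"); then
        printf '%-24s listed as: %s\n' "$name" "$(echo "$addrs" | tr '\n' ' ')"
    else
        printf '%-24s not listed\n' "$name"
    fi
    if legacy_check "$name" "$HOSTS_FILE"; then
        printf '%-24s legacy grep: listed\n' "$name"
    else
        printf '%-24s legacy grep: not listed\n' "$name"
    fi
done
```

Run as-is: the legacy pattern reports fileserver.example.org as listed only because of the commented-out line, reports other.example.org as listed because the dot matches the "X", and misses db.example.org because an alias follows it; the awk lookup gets all three right, and feeding its result to `addr_family` gives the family to probe with instead of guessing.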

matteocorti commented 10 months ago

I just pushed a new commit with some more debugging output (a43123c)

Can you please check what is printed after:

[DBG] Host listed in /etc/hosts as

matteocorti commented 10 months ago

Maybe I found a possible problem that I fixed with e817812. Can you please test it and let me know?

sblive commented 10 months ago

Oh yes, it is mentioned in a comment, but not even that has an IPv6 (it's an old, valid entry with a # before), so if that was the issue it should work now.

matteocorti commented 10 months ago

Thanks, I'll release a new version with the fix