matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0
371 stars 132 forks

Error: verify depth is 6 - SSL_CERT CRITICAL sigges-training.fonasa.cl: No certificate returned #481

Closed braulio-martinez closed 1 year ago

braulio-martinez commented 1 year ago

Hi..!! How are you doing.. Could you please give me a hand with this issue..? I can't verify the Certificate status with the command below. I have this same issue with another 3 sites, each one with their Certificates about to expire in 1 year.

Please let me know if you will need more information or the script that I'm using now. Thanks a lot in advance. Best Regards.

Braulio M.

.- Path: /usr/local/nagios/libexec/check_ssl_cert-1.65.0

.- Command: $USER1$/check_ssl_cert-1.65.0/check_ssl_cert -c 15 -w 20 -H 'sigges-training.fonasa.cl' -r "/etc/ssl/certs/" -A --ignore-ocsp

.- Error Message:
[DBG] storing a copy of the OpenSSL errors in sigges-training.fonasa.cl.error
Error: verify depth is 6
SSL_CERT CRITICAL sigges-training.fonasa.cl: No certificate returned

.- Debug:
[root@foprd01nagiosin check_ssl_cert-1.65.0]# check_ssl_cert-1.65.0/check_ssl_cert -d -c 15 -w 20 -H 'sigges-training.fonasa.cl' -r "/etc/ssl/certs/" -A --ignore-ocsp
-bash: check_ssl_cert-1.65.0/check_ssl_cert: No existe el fichero o el directorio
[root@foprd01nagiosin check_ssl_cert-1.65.0]# ./check_ssl_cert -d -c 15 -w 20 -H 'sigges-training.fonasa.cl' -r "/etc/ssl/certs/" -A --ignore-ocsp
[DBG] ROOT_CA = -CApath /etc/ssl/certs/
expect available (/usr/bin/expect)
timeout available (/usr/bin/timeout)
[DBG] perl available: /usr/bin/perl
[DBG] date available: /bin/date
found GNU date with timestamp support: enabling date computations
[DBG] check_ssl_cert version: 1.65.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
[DBG] OpenSSL configuration directory: /etc/pki/tls
[DBG] 171 root certificates installed by default
[DBG] System info: Linux foprd01nagiosin.fonasa.local 2.6.32-696.6.3.el6.x86_64 #1 SMP Wed Jul 12 14:17:22 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername sigges-training.fonasa.cl
'/usr/bin/openssl s_client' does not support '-xmpphost': disabling 'to' attribute
downloading certificate to /tmp
[DBG] sigges-training.fonasa.cl is not an IP address
[DBG] executing with timeout (15s): echo 'Q' | /usr/bin/openssl s_client -connect sigges-training.fonasa.cl:443 -servername sigges-training.fonasa.cl -verify 6 -CApath /etc/ssl/certs/ 2> /tmp/check_ssl_cert856tv3 1> /tmp/check_ssl_certHgUuas
[DBG] /usr/bin/timeout 15 /bin/sh -c "echo 'Q' | /usr/bin/openssl s_client -connect sigges-training.fonasa.cl:443 -servername sigges-training.fonasa.cl -verify 6 -CApath /etc/ssl/certs/ 2> /tmp/check_ssl_cert856tv3 1> /tmp/check_ssl_certHgUuas"
[DBG] storing a copy of the retrieved certificate in sigges-training.fonasa.cl.crt
[DBG] storing a copy of the OpenSSL errors in sigges-training.fonasa.cl.error
Error: verify depth is 6
SSL_CERT CRITICAL sigges-training.fonasa.cl: No certificate returned

.- Testing URL with curl: [root@foprd01nagiosin check_ssl_cert-1.65.0]# curl -v sigges-training.fonasa.cl

.- Nagios Error: SSL_CERT CRITICAL sigges-training.fonasa.cl: No certificate returned

.- Certificate Information:
Common Name (CN): GeoTrust EV RSA CA G2
Organization (O): DigiCert Inc
Issued on Thursday, 21 September 2023, 21:00:00
Expires on Tuesday, 24 September 2024, 20:59:59

.- Operating System: CentOS 6 [x86_64] 2.6.32-696.6.3.el6.x86_64

matteocorti commented 1 year ago

You are using a very old version. Please upgrade and check if it's working.

braulio-martinez commented 1 year ago

Hi. Thanks for your reply. I've installed the latest version from your site.

[DBG] ALL_MSG = \n SSL_CERT CRITICAL sigges-training.fonasa.cl:443: Error verifying the certificate chain (missing local issuer certificate)
[DBG] number of errors = 1
SSL_CERT CRITICAL sigges-training.fonasa.cl:443: Error verifying the certificate chain (missing local issuer certificate)|days_chain_elem1=320;20;15;;

.- Command used:
[root@foprd01nagiosin libexec]# check_ssl_cert-2.76.0/check_ssl_cert -f /usr/local/nagios/libexec/check_ssl_cert-2.76.0/sigges-training.fonasa.cl.crt -d -c 15 -w 20 -H 'sigges-training.fonasa.cl' -r "/etc/ssl/certs/" -A --ignore-ocsp

[DBG] Converting 15 days into seconds by shell function
[DBG] Converted 15 days into seconds: 1296000
[DBG] Converting 20 days into seconds by shell function
[DBG] Converted 20 days into seconds: 1728000
[DBG] check_ssl_cert version: 2.76.0
[DBG] System info: Linux foprd01nagiosin.fonasa.local 2.6.32-696.6.3.el6.x86_64 #1 SMP Wed Jul 12 14:17:22 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[DBG] User: root
[DBG] Shell: /bin/bash
[DBG] GNU bash, versión 4.1.2(2)-release (x86_64-redhat-linux-gnu)
[DBG] Copyright (C) 2009 Free Software Foundation, Inc.
[DBG] Licencia GPLv3+: GPL de GNU versión 3 o posterior http://gnu.org/licenses/gpl.html
[DBG]
[DBG] Esto es software libre; usted es libre de cambiarlo y redistribuirlo.
[DBG] NO hay GARANTÍA, a la extensión permitida por la ley.
[DBG] grep: /bin/grep
[DBG] /bin/grep (GNU grep) 2.20
[DBG] Copyright (C) 2014 Free Software Foundation, Inc.
[DBG] Licencia GPLv3+: GPL de GNU versión 3 o posterior
[DBG] http://gnu.org/licenses/gpl.html
[DBG] Esto es software libre: usted es libre de cambiarlo y redistribuirlo.
[DBG] No hay NINGUNA GARANTÍA, hasta donde permite la ley.
[DBG] Escrito por Mike Haertel y otros, véase http://git.sv.gnu.org/cgit/grep.git/tree/AUTHORS.
[DBG] hostname: /bin/hostname
[DBG] $PATH: /usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
[DBG] Command line arguments: -f /usr/local/nagios/libexec/check_ssl_cert-2.76.0/sigges-training.fonasa.cl.crt -d -c 15 -w 20 -H sigges-training.fonasa.cl -r /etc/ssl/certs/ -A --ignore-ocsp
[DBG] TMPDIR = /tmp
[DBG] Required HTTP headers:
[DBG] Unrequired HTTP headers:
[DBG] curl binary not needed. SSL Labs = , OCSP =
[DBG] Proxy settings (after):
[DBG] http_proxy =
[DBG] https_proxy =
[DBG] HTTP_PROXY =
[DBG] HTTPS_PROXY =
[DBG] s_client =
[DBG] curl =
[DBG] Checking if the host is listed in /etc/hosts
[DBG] Host not found in /etc/hosts: checking DNS
[DBG] Checking if the host (sigges-training.fonasa.cl) exists
[DBG] HOST = sigges-training.fonasa.cl
[DBG] SNI =
[DBG] HOST_NAME = sigges-training.fonasa.cl
[DBG] HOST_ADDR = sigges-training.fonasa.cl
[DBG] NAMES_TO_BE_CHECKED =
[DBG] Checking if sigges-training.fonasa.cl is an IP address
[DBG] sigges-training.fonasa.cl is not an IP address
[DBG] HOST_IS_IP. = 0
[DBG] NAMES_TO_BE_CHECKED =
[DBG] Root CA option = -CApath /etc/ssl/certs/
[DBG] /usr/local/nagios/libexec/check_ssl_cert-2.76.0/sigges-training.fonasa.cl.crt is an URI with an authority
[DBG] -c specified: 15
[DBG] -w specified: 20
[DBG] Executing comparison '1728000 < 1296000' (precision 0)
[DBG] bc result = 0
[DBG] returning 1
[DBG] ROOT_CA = -CApath /etc/ssl/certs/
[DBG] mktemp available: /bin/mktemp
[DBG] file version: file-5.04
[DBG] magic file from /etc/magic:/usr/share/misc/magic
[DBG] nmap binary not specified
[DBG] nmap available: /usr/bin/nmap
[DBG] Checking IPs: host sigges-training.fonasa.cl
[DBG] perl available: /usr/bin/perl
[DBG] date available: /bin/date
[DBG] checking date version
[DBG] date computation type: GNU
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL info:
[DBG] OpenSSL 1.0.1e-fips 11 Feb 2013
[DBG] built on: Wed Mar 22 21:43:28 UTC 2017
[DBG] platform: linux-x86_64
[DBG] options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
[DBG] compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
[DBG] OPENSSLDIR: "/etc/pki/tls"
[DBG] engines: rdrand dynamic
[DBG] OpenSSL configuration directory: /etc/pki/tls
[DBG] 171 root certificates installed by default
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername sigges-training.fonasa.cl
[DBG] Proxy settings (before):
[DBG] http_proxy =
[DBG] https_proxy =
[DBG] HTTP_PROXY =
[DBG] HTTPS_PROXY =
[DBG] HOST_HEADER = sigges-training.fonasa.cl
[DBG] Sanity checks: OK
[DBG] temporary file /tmp/fRABZc created
[DBG] temporary file /tmp/HY1u9T created
[DBG] temporary file /tmp/UhJY3P created
[DBG] temporary file /tmp/nrIgWK created
[DBG] temporary file /tmp/8fKKHD created
[DBG] Temporary files created
[DBG] sigges-training.fonasa.cl is not an IP address
[DBG] fetch_certificate: PROTOCOL =
[DBG] check if we have to convert the file /usr/local/nagios/libexec/check_ssl_cert-2.76.0/sigges-training.fonasa.cl.crt to PEM
[DBG] certificate type (1): ASCII text, with CRLF line terminators
[DBG] temporary file /tmp/VuZlaw created
[DBG] Copying the certificate to /tmp/fRABZc
[DBG] storing the certificate to /tmp/fRABZc
[DBG] certificate type (2): ASCII text, with CRLF line terminators
[DBG] Certificate does not contain any intermediates, checking the chain will probably fail.
[DBG] verifying the certificate
[DBG] /usr/bin/openssl verify -CApath /etc/ssl/certs/ /tmp/fRABZc 2> /tmp/HY1u9T 1>&2
[DBG] Return value of the command = 2
[DBG] MESSAGE_TMP=
[DBG] SSL error: /tmp/fRABZc: 1.3.6.1.4.1.311.60.2.1.3 = CL, businessCategory = Government entity, serialNumber = Government Entity, C = CL, L = Santiago, O = FONDO NACIONAL DE SALUD, CN = sigges-training.fonasa.cl
[DBG] SSL error: error 20 at 0 depth lookup:unable to get local issuer certificate
[DBG] CRITICAL ----------------------------------------
[DBG] prepend_critical_message: new message = Error verifying the certificate chain (missing local issuer certificate)
[DBG] prepend_critical_message: CRITICAL_MSG =
[DBG] prepend_critical_message: ALL_MSG 1 =
[DBG] prepend_critical_message: MSG 2 = SSL_CERT CRITICAL sigges-training.fonasa.cl:443: Error verifying the certificate chain (missing local issuer certificate)
[DBG] prepend_critical_message: CRITICAL_MSG 2 = SSL_CERT CRITICAL sigges-training.fonasa.cl:443: Error verifying the certificate chain (missing local issuer certificate)
[DBG] prepend_critical_message: ALL_MSG 2 = \n SSL_CERT CRITICAL sigges-training.fonasa.cl:443: Error verifying the certificate chain (missing local issuer certificate)
[DBG] CRITICAL ----------------------------------------
[DBG] openssl_version 3.0.0
[DBG] Checking if OpenSSL version is at least 3.0.0 ( '3' '0' '0' ':0' )
[DBG] openssl version: OpenSSL 1.0.1e-fips 11 Feb 2013
[DBG] Current version 1.0.1e ( '1' '0' '1' 'e:101' )
[DBG] false
[DBG] extracting cert attribute enddate
[DBG] extracting cert attribute startdate
[DBG] extracting cert attribute cn
[DBG] extracting cert attribute subject
[DBG] SUBJECT = subject= 1.3.6.1.4.1.311.60.2.1.3 = CL, businessCategory = Government entity, serialNumber = Government Entity, C = CL, L = Santiago, O = FONDO NACIONAL DE SALUD, CN = sigges-training.fonasa.cl
[DBG] extracting cert attribute serial
[DBG] SERIAL = 0E479947CE2B0244436F02B9AAAEE87C
[DBG] extracting cert attribute version
[DBG] X509_VERSION = 3 (0x2)
[DBG] extracting cert attribute fingerprint
[DBG] FINGERPRINT = A2:72:29:D6:76:EF:42:FE:D2:26:2A:00:BB:41:17:01:18:90:8B:1B
[DBG] Checking if x509 supports the -ext option
[DBG] extracting cert attribute oscp_uri_single
[DBG] extracting cert attribute oscp_uri
[DBG] OCSP_URI = http://ocsp.digicert.com
[DBG] Extracting issuers
[DBG] Number of certificates in the chain: 1
[DBG] Checking certificate chain
[DBG] extracting issuer for element 1
[DBG] extracting cert attribute issuer
[DBG] ELEMENT_ISSUER=DigiCert Inc
[DBG] ELEMENT_ISSUER=GeoTrust EV RSA CA G2
[DBG] ISSUERS=DigiCert Inc
[DBG] ISSUERS=GeoTrust EV RSA CA G2
[DBG] Certificate chain check finished
[DBG] ISSUERS =
[DBG] DigiCert Inc
[DBG] GeoTrust EV RSA CA G2
[DBG] extracting cert attribute issuer_uri_single
[DBG] extracting cert attribute issuer_uri
[DBG] extracting cert attribute pub_key_algo
[DBG] extracting cert attribute sig_algo
[DBG] subject= 1.3.6.1.4.1.311.60.2.1.3 = CL, businessCategory = Government entity, serialNumber = Government Entity, C = CL, L = Santiago, O = FONDO NACIONAL DE SALUD, CN = sigges-training.fonasa.cl
[DBG] CN = sigges-training.fonasa.cl
[DBG] CA = DigiCert Inc
[DBG] CA = GeoTrust EV RSA CA G2
[DBG] SERIAL = 0E479947CE2B0244436F02B9AAAEE87C
[DBG] FINGERPRINT= A2:72:29:D6:76:EF:42:FE:D2:26:2A:00:BB:41:17:01:18:90:8B:1B
[DBG] OCSP_URI = http://ocsp.digicert.com
[DBG] ISSUER_URI = http://cacerts.digicert.com/GeoTrustEVRSACAG2.crt
[DBG] rsaEncryption sha256WithRSAEncryption
[DBG] extracting cert attribute subjectAlternativeName
[DBG] subjectAlternativeName = sigges-training.fonasa.cl
[DBG] Checking expiration date
[DBG] Number of certificates in CA chain: 1
[DBG] ------------------------------------------------------------------------------
[DBG] -- Checking element 1
[DBG] extracting cert attribute cn
[DBG] Checking expiration date of element 1 (sigges-training.fonasa.cl)
[DBG] extracting cert attribute enddate
[DBG] Validity date on cert element 1 (sigges-training.fonasa.cl) is Sep 24 23:59:59 2024 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Sep 24 23:59:59 2024 GMT' with GNU
[DBG] Computing '(1727222399-1699531761)/3600' (precision 0)
[DBG] Hours until Sep 24 23:59:59 2024 GMT: 7691
[DBG] Computing '7691/24' (precision 0)
[DBG] Computing '7691 * 3600' (precision 0)
[DBG] Adding line to prometheus days output: cert_days_chain_elem{cn="sigges-training.fonasa.cl", element="1"} 320
[DBG] valid for 320 days
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 1 (sigges-training.fonasa.cl)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1296000 on cert element 1 (sigges-training.fonasa.cl)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1728000 on cert element 1
[DBG] Adding line to prometheus validity output: cert_valid_chain_elem{cn="sigges-training.fonasa.cl", element="1"} 0
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 1
[DBG] temporary file /tmp/U2p4xW created
[DBG] Storing the chain element in /tmp/U2p4xW
[DBG] ------------------------------------------------------------------------------
[DBG] extracting cert attribute email
[DBG] EMAIL =
[DBG] openssl_version 1.1.0
[DBG] Checking if OpenSSL version is at least 1.1.0 ( '1' '1' '0' ':0' )
[DBG] openssl version: 1.0.1e
[DBG] Current version 1.0.1e ( '1' '0' '1' 'e:101' )
[DBG] false
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Sep 24 23:59:59 2024 GMT' with GNU
[DBG] Computing '(1727222399-1699531761)/3600' (precision 0)
[DBG] Hours until Sep 24 23:59:59 2024 GMT: 7691
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Sep 22 00:00:00 2023 GMT' with GNU
[DBG] Computing '(1695340800-1699531761)/3600' (precision 0)
[DBG] Hours until Sep 22 00:00:00 2023 GMT: -1164
[DBG] Computing '(7691 - -1164)/24' (precision 0)
[DBG] cleaning up temporary files
[DBG] /tmp/fRABZc /tmp/HY1u9T /tmp/UhJY3P /tmp/nrIgWK /tmp/8fKKHD /tmp/VuZlaw /tmp/U2p4xW
[DBG] exiting with CRITICAL
[DBG] ALL_MSG = \n SSL_CERT CRITICAL sigges-training.fonasa.cl:443: Error verifying the certificate chain (missing local issuer certificate)
[DBG] number of errors = 1
SSL_CERT CRITICAL sigges-training.fonasa.cl:443: Error verifying the certificate chain (missing local issuer certificate)|days_chain_elem1=320;20;15;;
[root@foprd01nagiosin libexec]#

matteocorti commented 1 year ago

The server is not responding to the default HTTPS port (443).

corti@macbookpro ~> sudo nmap -Pn sigges-training.fonasa.cl
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-09 12:57 CET
Nmap scan report for sigges-training.fonasa.cl (190.215.211.7)
Host is up (0.022s latency).
rDNS record for 190.215.211.7: static.190.215.211.7.gtdinternet.com
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE  SERVICE
113/tcp closed ident
139/tcp closed netbios-ssn
179/tcp open   bgp
445/tcp closed microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 22.58 seconds
corti@macbookpro ~> telnet sigges-training.fonasa.cl 443
Trying 190.215.211.7...

If the plugin cannot connect the certificate cannot be retrieved.

braulio-martinez commented 1 year ago

Thanks a lot Matteo for your reply and assistance.. I fixed it finally.

I used the line below and it did work:

check_ssl_cert-2.76.0/check_ssl_cert -f "/usr/local/nagios/libexec/check_ssl_cert-2.76.0/reportespercapita.fonasa.cl.crt" -d --debug-cert -c 15 -w 20 -H 'reportespercapita.fonasa.cl' -r "/usr/local/nagios/libexec/check_ssl_cert-2.76.0/" -A --ignore-ocsp --ignore-incomplete-chain

[DBG] output parameters: STATUS = OK
[DBG] output parameters: CA_ISSUER_MATCHED = GlobalSign nv-sa
[DBG] output parameters: CHECKEDNAMES =
[DBG] output parameters: CN = reportespercapita.fonasa.cl
[DBG] output parameters: DATE = Oct 5 21:11:01 2024 GMT
[DBG] output parameters: DAYS_VALID = (expires in 331 days)
[DBG] output parameters: DYSPLAY_CN = 'reportespercapita.fonasa.cl'
[DBG] output parameters: OPENSSL_COMMAND = x509
[DBG] output parameters: SELFSIGNEDCERT =
[DBG] output parameters: SHORTNAME = SSL_CERT
[DBG] output parameters: OCSP_EXPIRES_IN_HOURS =
[DBG] output parameters: SSL_LABS_HOST_GRADE =
[DBG] output parameters: PROTOCOL = https
SSL_CERT OK - reportespercapita.fonasa.cl:443, https, x509 certificate 'reportespercapita.fonasa.cl' from 'GlobalSign nv-sa' valid until Oct 5 21:11:01 2024 GMT (expires in 331 days)|days_chain_elem1=331;20;15;;

Best Regards.
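The run above passes because --ignore-incomplete-chain skips the chain check that earlier failed with "missing local issuer certificate" on a saved file holding only the leaf (the debug output warned "Certificate does not contain any intermediates"). The script below is an added example, not code from check_ssl_cert or from this thread: it counts the certificates in a PEM file, splits the leaf from any bundled intermediates, fetches the issuer named in the leaf's AIA "CA Issuers" field when the file has none, and runs openssl verify with that issuer as an untrusted chain element, so the check can pass without being disabled. It assumes openssl and curl are on PATH; leaf.pem and intermediates.pem are placeholder file names.

```shell
#!/bin/sh
# Added example, not code from check_ssl_cert or this thread.
# Assumes openssl and curl on PATH; file names are placeholders.
set -u

# Number of PEM certificate blocks in a file (prints 0 when none).
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Split a bundle: first certificate -> $2 (leaf), the rest -> $3 (intermediates).
split_chain() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$1" > "$2"
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } n > 1'  "$1" > "$3"
}

# AIA "CA Issuers" URI of the leaf, empty if the certificate has none.
aia_issuer_uri() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*CA Issuers - URI:\(.*\)/\1/p' | head -n 1
}

# Download the issuer named by the AIA; CAs usually serve it as DER, so
# convert to PEM and fall back to a plain copy when it is already PEM.
fetch_intermediate() {
    curl -fsS "$1" -o "$2.raw" || return 1
    openssl x509 -in "$2.raw" -inform DER -out "$2" 2>/dev/null \
        || openssl x509 -in "$2.raw" -inform PEM -out "$2"
    rm -f "$2.raw"
}

# Verify the leaf against the root store, passing the intermediates as
# untrusted chain elements (they are checked, not treated as anchors).
verify_chain() {
    leaf=$1; intermediates=$2; capath=${3:-/etc/ssl/certs}
    openssl verify -CApath "$capath" -untrusted "$intermediates" "$leaf"
}

main() {
    bundle=${1:?usage: $0 cert.pem [CApath]}; capath=${2:-/etc/ssl/certs}
    split_chain "$bundle" leaf.pem intermediates.pem
    if [ "$(count_pem_certs intermediates.pem)" -eq 0 ]; then
        uri=$(aia_issuer_uri leaf.pem)
        if [ -z "$uri" ]; then
            echo "leaf only and no AIA URI: obtain the intermediate from the CA" >&2
            return 2
        fi
        echo "leaf only; fetching intermediate from $uri"
        fetch_intermediate "$uri" intermediates.pem || return 1
    fi
    verify_chain leaf.pem intermediates.pem "$capath"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

With the intermediate verified this way, the -r directory can stay pointed at the system root store instead of the plugin directory, and --ignore-incomplete-chain is no longer needed.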