matteocorti / check_ssl_cert

A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
GNU General Public License v3.0
371 stars 132 forks source link

Error Handling with Expired CA cert in local trust #511

Open grimz-ly opened 6 months ago

grimz-ly commented 6 months ago

Describe the bug If check has an issue with URL and CA bundle on host doing the check contains an expired root certificate, error checking outputs OK.

To Reproduce example: check against a site where the certificate chain is incomplete

Script run from host where CA bundle is OK, will output

SSL_CERT CRITICAL example-host:443: Cannot verify certificate: unable to get local issuer certificate unable to verify the first certificate|days_chain_elem1=76;20;15;;

Script fun from host where trusted CA is expired in local CA bundle outputs

SSL_CERT OK

Expected behavior

Using the --debug flag it clearly makes note that the CA cert is expired from the openssl check performed, but moves along and the check results in OK despite the cert chain being incomplete. Basically just looking for better error handling for this scenario.

Have also seen it output 'SSL_CERT CRITICAL host.example.com:8081: SSL error: socket: Bad file descriptor' when service is unavailable on port being checked. On host w/ good CA bundle, it simply outputs 'Cannot connect to host.example.com on port 8081'. So in that case, the opposite happens in a manner.

System (please complete the following information):

Additional context/output

Add any other context or output (e.g., from check_ssl_cert -d -v) about the problem here.

matteocorti commented 6 months ago

Is there a public host that I can use for a test? Would it be possible to get the debugging output?