minvws / nl-kat-coordination

Repo nl-kat-coordination for minvws
European Union Public License 1.2

False Critical Kennisnet Finding: KAT-CERTIFICATE-EXPIRED @ Let's Encrypt #3432

Open paulvandenbraken opened 2 weeks ago

paulvandenbraken commented 2 weeks ago

Bug-description The findings-report of Kennisnet reports: KAT-CERTIFICATE-EXPIRED @ Let's Encrypt(ID), an expired certificate for tggr.edurep.nl. However, this domain has been cancelled so the critical finding is irrelevant.

Reproduction Look for Critical findings in crisis room and investigate details.

Expected behavior If a certificate is no longer offered/hosted on a web service, this report should not appear. In other words: the host must be offline, or the certificate is no longer offered. If you take such a situation into account, it will possibly apply to more use cases. Fig-1 Fig-2

underdarknl commented 2 weeks ago

I would expect Kat to clean up the domain, and related certs if you delete the hostname as one of your assets. I would also expect Kat to do the same once we see an NXDomain for the hostname, and raise a critical on that.

noamblitz commented 1 week ago

I am trying to reproduce this. Few questions:

paulvandenbraken commented 1 week ago

Bullet 1. Clearance Level 2

Bullet 2. Boefje started, but the certificate remains:

image003

This is the output of the meta and raw data

```
error Command '['s_client', '-host', '145.97.36.234', '-port', '443', '-prexit', '-showcerts', '-servername', 'tggr.edurep.nl']' in image 'alpine/openssl:latest' returned non-zero exit status 1: b'488B8926587F0000:error:8000006E:system library:BIO_connect:Operation timed out:crypto/bio/bio_sock2.c:114:calling connect()\n488B8926587F0000:error:10000067:BIO routines:BIO_connect:connect error:crypto/bio/bio_sock2.c:116:\nconnect:errno=110\n'
{"id": "fd8804d5-f8d3-4d5e-b9be-de5802f2a4fa", "boefje_meta": {"id": "1c86c53d-40fb-4960-80d9-572b632479b1", "started_at": "2024-09-05T01:42:09.061432+02:00", "ended_at": "2024-09-05T01:44:20.352067+02:00", "boefje": {"id": "ssl-certificates", "version": null}, "input_ooi": "Website|internet|145.97.36.234|tcp|443|https|internet|tggr.edurep.nl", "arguments": {"input": {"object_type": "Website", "scan_profile": "scan_profile_type='inherited' reference=Reference('Website|internet|145.97.36.234|tcp|443|https|internet|tggr.edurep.nl') level=", "primary_key": "Website|internet|145.97.36.234|tcp|443|https|internet|tggr.edurep.nl", "ip_service": {"ip_port": {"address": {"network": {"name": "internet"}, "address": "145.97.36.234"}, "protocol": "tcp", "port": "443"}, "service": {"name": "https"}}, "hostname": {"network": {"name": "internet"}, "name": "tggr.edurep.nl"}, "certificate": {"issuer": "Let's Encrypt", "serial_number": "00000379a04ea09cc64d099d7e31b3485966fdd3"}}}, "organization": "leermiddelen-metadata", "runnable_hash": "00e6e56fb6f8ee0c0f04dce2aa6ed3b21145dcc9ed85acb0050b37b8dcebfcc8", "environment": {}}, "mime_types": [{"value": "boefje/ssl-certificates"}], "secure_hash": "sha512:8ffbceceb118dd22e99cc363834164ec351e30fd6a085c23e631b042b532555a342e4e631a26f1b91dc70c6f3965c7fbbbba43047ea95d31b184c11582d9f7da", "signing_provider_url": null, "hash_retrieval_link": "99a8e31a-464b-4c17-97b2-966a27ee0f94"}
```
Bullet 3. Here is a screenshot of related objects: ![image002](https://github.com/user-attachments/assets/75141a91-f6fd-4485-919f-8497fb0c35b7)
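
The distinction this issue asks for, as an added example that is not part of the thread and not OpenKAT code: an expired stored certificate is triaged against the outcome of the latest `s_client` scan, so a connect timeout like the one above marks the old observation as stale instead of confirming the finding. `StoredCert`, `scan_outcome`, `triage` and the outcome labels are hypothetical names, and the expiry date is a constructed value.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Linux connect(2) errno values that mean nothing answered on the port.
UNREACHABLE = {110: "ETIMEDOUT", 111: "ECONNREFUSED", 113: "EHOSTUNREACH"}

@dataclass
class StoredCert:  # hypothetical stand-in for the stored certificate object
    hostname: str
    serial_number: str
    not_after: datetime

def scan_outcome(raw: str) -> str:
    """Classify raw `openssl s_client` output from the latest scan."""
    m = re.search(r"connect:errno=(\d+)", raw)
    if m and int(m.group(1)) in UNREACHABLE:
        return "unreachable"
    if "-----BEGIN CERTIFICATE-----" in raw:
        return "served"
    return "unknown"

def triage(cert: StoredCert, raw: str, now: datetime) -> str:
    """Decide what an expired stored certificate means after the latest scan."""
    if cert.not_after >= now:
        return "not-expired"
    outcome = scan_outcome(raw)
    if outcome == "unreachable":
        return "stale-observation"    # host offline: the old cert is no longer offered
    if outcome == "served":
        return "confirm-served-cert"  # compare the served serial with cert.serial_number
    return "rescan"                   # output did not settle it either way

# Constructed sample: shortened from the s_client error quoted in the thread.
SAMPLE_RAW = (
    "488B8926587F0000:error:8000006E:system library:BIO_connect:"
    "Operation timed out:crypto/bio/bio_sock2.c:114:calling connect()\n"
    "connect:errno=110\n"
)
# The serial number is the one in the thread; the expiry date is constructed.
SAMPLE_CERT = StoredCert("tggr.edurep.nl",
                         "00000379a04ea09cc64d099d7e31b3485966fdd3",
                         datetime(2024, 6, 1, tzinfo=timezone.utc))
NOW = datetime(2024, 9, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(triage(SAMPLE_CERT, SAMPLE_RAW, NOW))
```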