ribbybibby / ssl_exporter

Exports Prometheus metrics for TLS certificates
Apache License 2.0
520 stars 97 forks

Probe SSL not only for :443 #4

Closed kormotodor closed 5 years ago

kormotodor commented 5 years ago

First of all, thank you for the great job, this exporter is really very useful. But I want to know, is it possible to probe targets with a non-default HTTPS port? I use a different port and it works pretty well with testssl.sh, for example. And when I try to probe it with the exporter, I am faced with the following error in the logs:

level=error msg="Get https://my_host:my_port: EOF" source="ssl_exporter.go:98"

Is this an unusual use case or am I doing something wrong?

ribbybibby commented 5 years ago

Hi @kormotodor, I'm glad you like the exporter and thanks for the issue.

Unfortunately, I can't reproduce what you're seeing. As far as I can tell the exporter does support ports other than 443.

For instance, if I run a local consul server serving HTTPS on port 8501 I can extract metrics from it using /probe:

curl localhost:9219/probe?target=https://localhost:8501

How are you calling the exporter? Do you have an example of your scrape config? Or a fuller extract from the logs?

kormotodor commented 5 years ago

Tried to test this case with the new 0.4.0 version. Same issue here.

Started just like ./ssl_exporter --log.level=debug.

Calling: curl http://localhost:9219/probe?target=https://my-host.org:636
Result: ssl_https_connect_success 0

The fullest extract from the logs: level=error msg="Get https://my-host.org:636: EOF" source="ssl_exporter.go:102"

The scrape config does not matter here, I think.

ribbybibby commented 5 years ago

What kind of server are you running on :636? Is it an HTTP server? I think it's probably something to do with the response the server is giving to the exporter.

kormotodor commented 5 years ago

It is some kind of LDAP server. Of course, without any default :443 port.

The output of curl -v https://my-host.org:636 is pretty standard at first look:

* Rebuilt URL to: https://my-host.org:636/
*   Trying {my-ip}...
* TCP_NODELAY set
* Connected to my-host.org ({my-ip}) port 636 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN={***}
*  start date: {***}
*  expire date: {***}
*  subjectAltName: host "my-host.org" matched cert's "{***}"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=RapidSSL RSA CA 2018
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: my-host.org:636
> User-Agent: curl/7.58.0
> Accept: */*
> 
* TLSv1.2 (IN), TLS alert, Client hello (1):
* Empty reply from server
* Connection #0 to host my-host.org left intact
curl: (52) Empty reply from server

Except the last line: curl: (52) Empty reply from server. Maybe that is the issue?

ribbybibby commented 5 years ago

Okay, I see. It's an LDAPS server. Can you try this to verify:

curl -v ldaps://my-host.org:636

This exporter currently only supports HTTPS, so it won't work for LDAPS. Perhaps I could refactor it to work as a TLS client rather than a HTTPS client. I'll have a look and let you know.
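
The difference between the two approaches, as an added example in Go that is not the exporter's own code: probeHTTPS does what the pre-0.5.0 exporter did (an HTTP GET over TLS), probeTLS does what the refactor describes (a bare TLS handshake that only collects the peer certificate). The function names are chosen for this example, and the loopback listener started by startNonHTTPServer is a constructed stand-in for the LDAPS server: it finishes the handshake, reads the client's first bytes and closes without replying, which reproduces the "EOF" from the issue against the HTTPS-style probe while the TLS-style probe still returns the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"time"
)

// probeTLS dials target (host:port) as a bare TLS client: handshake, grab the leaf, close.
// No application data is sent, so HTTPS, LDAPS, SMTPS and friends all behave the same.
func probeTLS(target string, roots *x509.CertPool) (*x509.Certificate, error) {
	d := &net.Dialer{Timeout: 5 * time.Second}
	// ServerName defaults to the host in target, so name, expiry and chain are verified.
	conn, err := tls.DialWithDialer(d, "tcp", target, &tls.Config{RootCAs: roots})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// probeHTTPS is the pre-0.5.0 approach: a GET over TLS. A non-HTTP service hangs up, and the client reports EOF.
func probeHTTPS(target string, roots *x509.CertPool) error {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}
	resp, err := (&http.Client{Timeout: 5 * time.Second, Transport: tr}).Get("https://" + target)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// selfSignedCert is a constructed fixture (not a real CA): a throwaway cert for ip, valid for ttl, plus a pool trusting it.
func selfSignedCert(ip string, ttl time.Duration) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: ip},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		IPAddresses: []net.IP{net.ParseIP(ip)},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// startNonHTTPServer mimics the LDAPS service from the curl transcript on a random loopback port:
// it completes the TLS handshake, reads the client's first bytes and closes without replying.
func startNonHTTPServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				c.Read(make([]byte, 1024)) // drives the handshake, swallows whatever follows
			}(c)
		}
	}()
	return ln, nil
}

func main() {
	cert, pool, err := selfSignedCert("127.0.0.1", 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	ln, err := startNonHTTPServer(cert)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	fmt.Println("HTTPS-style probe:", probeHTTPS(ln.Addr().String(), pool))
	leaf, err := probeTLS(ln.Addr().String(), pool)
	if err != nil {
		panic(err)
	}
	fmt.Printf("TLS-style probe: cn=%s days_left=%.0f\n", leaf.Subject.CommonName, time.Until(leaf.NotAfter).Hours()/24)
}
```

Two points worth keeping from this when writing a real probe: the TLS-style client still verifies the chain and hostname (an untrusted or expired certificate makes DialWithDialer fail, which is the signal an exporter should turn into a 0 on its success metric rather than swallow), and it never writes application data, so it cannot trip protocol-specific behaviour such as the LDAP server closing on a non-LDAP message.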

kormotodor commented 5 years ago

Yes, exactly like you said.

curl -v ldaps://my-host.org:636:

* Rebuilt URL to: ldaps://my-host.org:636/
*   Trying {my-ip}...
* TCP_NODELAY set
* Connected to my-host.org ({my-ip}) port 636 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*  subject: CN={***}
*  start date: {***}
*  expire date: {***}
*  subjectAltName: host "my-host.org" matched cert's "{***}"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=RapidSSL RSA CA 2018
*  SSL certificate verify ok.
* LDAP local: ldaps://my-host.org:636/
DN: 
    objectClass: top
    objectClass: OpenLDAProotDSE

* Connection #0 to host my-host.org left intact

My opinion is that it would be more flexible if this exporter worked with other protocol schemes. Thank you very much for the extremely fast replies!

ribbybibby commented 5 years ago

I've made the required changes on this branch: https://github.com/ribbybibby/ssl_exporter/tree/%234

I've tested against a few different targets and everything seems to work fine. Could you try this branch for me and see if it works against your LDAP server?

curl localhost:9219/probe?target=my-host.org:636

kormotodor commented 5 years ago

I've spent a fair amount of time testing this version on my different LDAP instances. And yes, it works perfectly for me.

Thank you for the great work!

ribbybibby commented 5 years ago

Great to hear @kormotodor! I'm going to clean the code up a bit and then I'll cut a new release.

ribbybibby commented 5 years ago

Released v0.5.0 with these changes.