Update handling of performance data metrics to allow emitting negative expiration values
Closed this issue · 0 comments
atc0005 commented
Overview
Currently, the `check_cert` plugin uses `0` as the minimum expiration value for the `expires_leaf` and `expires_intermediate` metrics.
Here is an example of checking expired.badssl.com:
```
$ check_cert.exe --server expired.badssl.com
4:45PM ERR cmd\check_cert\main.go:428 > validation checks failed for certificate chain error="summary: 1 of 3 validation checks failed" age_critical=15 age_warning=30 app_type=plugin apply_expiration_validation_results=true apply_hostname_validation_results=true apply_sans_list_validation_results=false cert_check_timeout=10s checks_failed=1 checks_ignored=1 checks_successful=1 checks_total=3 expected_sans_entries= filename= logging_level=info port=443 server=expired.badssl.com version="check-cert x.y.z (https://github.com/atc0005/check-cert)"
CRITICAL: Expiration validation failed: leaf cert "*.badssl.com" expired 2878d 22h ago (on 2015-04-12 23:59:59 +0000 UTC) [checks: 1 IGNORED (SANs List), 1 FAILED (Expiration), 1 SUCCESSFUL (Hostname)]

**VALIDATION ERRORS**

* expiration validation failed: expired certificates found

**VALIDATION CHECKS REPORT**

3 certs retrieved for service running on expired.badssl.com (104.154.89.105) at port 443 using host value "expired.badssl.com"

PROBLEM RESULTS:

[!!] Expiration validation failed: leaf cert "*.badssl.com" expired 2878d 22h ago (on 2015-04-12 23:59:59 +0000 UTC)

Certificate 1 of 3 (leaf):
        Name: CN=*.badssl.com,OU=Domain Control Validated+OU=PositiveSSL Wildcard
        SANs entries: [*.badssl.com badssl.com]
        Issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
        Serial: 4A:E7:95:49:FA:9A:BE:3F:10:0F:17:A4:78:E1:69:09
        Issued On: 2015-04-09 00:00:00 +0000 UTC
        Expiration: 2015-04-12 23:59:59 +0000 UTC
        Status: [EXPIRED] 2878d 22h ago

Certificate 2 of 3 (intermediate):
        Name: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
        SANs entries: []
        Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
        Serial: 2B:2E:6E:EA:D9:75:36:6C:14:8A:6E:DB:A3:7C:8C:07
        Issued On: 2014-02-12 00:00:00 +0000 UTC
        Expiration: 2029-02-11 23:59:59 +0000 UTC
        Status: [OK] 2175d 1h remaining

Certificate 3 of 3 (intermediate):
        Name: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
        SANs entries: []
        Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
        Serial: 27:66:EE:56:EB:49:F3:8E:AB:D7:70:A2:FC:84:DE:22
        Issued On: 2000-05-30 10:48:38 +0000 UTC
        Expiration: 2020-05-30 10:48:38 +0000 UTC
        Status: [EXPIRED] 1004d 11h ago

IGNORED RESULTS:

[--] SANs List validation ignored: 0 SANs entries specified, 2 SANs entries on leaf cert [0 EXPECTED, 0 MISSING, 0 UNEXPECTED]

SUCCESS RESULTS:

[OK] Hostname validation using value "expired.badssl.com" successful for leaf certificate

 | 'certs_present_intermediate'=2;;;; 'certs_present_leaf'=1;;;; 'certs_present_root'=0;;;; 'certs_present_unknown'=0;;;; 'expires_intermediate'=0d;30;15;0; 'expires_leaf'=0d;30;15;0; 'time'=127ms;;;;
```
Instead of stopping at zero, it is likely more useful to emit the actual days past expiration so that systems collecting metrics can show how long a certificate stays in an expired state before it is replaced.
`0` was set as the `min` field for both metrics as part of GH-475, so that will also need to be changed if we update the logic to emit negative expiration values.
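As an added illustration (not code from the check-cert project and not part of the issue), the Go snippet below models the two behaviours the issue contrasts for a Nagios-style performance data entry (`'label'=value[UOM];warn;crit;min;max`, where warn, crit, min and max may be left blank): the current clamp, which reports an expired certificate as `0d` with `min` set to `0`, and the proposed change, which reports the signed number of days and leaves `min` empty because `0` is no longer a floor on the value. The types and functions (`PerfData`, `daysUntil`, `chainDays`, `expiresPerfData`, `perfDataLine`) are assumptions for this example, day counts are truncated toward zero (the plugin's own rounding is not stated on this page), and the sample "now" is constructed from the expiration dates in the output above so the numbers line up with it.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
	"time"
)

// PerfData is a minimal model of one Nagios-style performance data entry,
// 'label'=value[UOM];warn;crit;min;max. An empty string leaves that field
// blank, which the format allows for warn, crit, min and max.
// (Illustrative type; not the check-cert project's own.)
type PerfData struct {
	Label, Value, UOM, Warn, Crit, Min, Max string
}

// String renders the entry in the form the plugin prints after the "|".
func (p PerfData) String() string {
	return fmt.Sprintf("'%s'=%s%s;%s;%s;%s;%s",
		p.Label, p.Value, p.UOM, p.Warn, p.Crit, p.Min, p.Max)
}

// daysUntil returns the whole days from now until expires, truncated
// toward zero. It is negative once the certificate has expired, which is
// what lets a metrics system show how long a cert stays expired.
func daysUntil(now, expires time.Time) int {
	return int(math.Trunc(expires.Sub(now).Hours() / 24))
}

// chainDays reduces several expiration times to the single value a metric
// carries: the soonest expiration. With clamp=true an expired cert counts
// as 0 (the current behaviour); with clamp=false the real, possibly
// negative, day count is kept. An empty slice yields 0.
func chainDays(now time.Time, expirations []time.Time, clamp bool) int {
	min := 0
	for i, e := range expirations {
		d := daysUntil(now, e)
		if clamp && d < 0 {
			d = 0
		}
		if i == 0 || d < min {
			min = d
		}
	}
	return min
}

// expiresPerfData builds an expires_* entry. When clamp is false the min
// field is left blank: 0 is no longer a lower bound on the value, so
// advertising it as the minimum would be wrong.
func expiresPerfData(label string, now time.Time, expirations []time.Time, warn, crit int, clamp bool) PerfData {
	p := PerfData{
		Label: label,
		Value: strconv.Itoa(chainDays(now, expirations, clamp)),
		UOM:   "d",
		Warn:  strconv.Itoa(warn),
		Crit:  strconv.Itoa(crit),
	}
	if clamp {
		p.Min = "0"
	}
	return p
}

// perfDataLine joins entries the way they appear after the "|" separator.
func perfDataLine(entries ...PerfData) string {
	parts := make([]string, 0, len(entries))
	for _, e := range entries {
		parts = append(parts, e.String())
	}
	return strings.Join(parts, " ")
}

func main() {
	// Constructed sample: expiration times from the expired.badssl.com chain
	// above, with "now" placed 2878d 22h after the leaf's NotAfter.
	leaf := time.Date(2015, time.April, 12, 23, 59, 59, 0, time.UTC)
	now := leaf.Add(2878*24*time.Hour + 22*time.Hour)
	intermediates := []time.Time{
		time.Date(2029, time.February, 11, 23, 59, 59, 0, time.UTC),
		time.Date(2020, time.May, 30, 10, 48, 38, 0, time.UTC),
	}
	for _, clamp := range []bool{true, false} {
		fmt.Printf("clamp=%-5v | %s\n", clamp, perfDataLine(
			expiresPerfData("expires_intermediate", now, intermediates, 30, 15, clamp),
			expiresPerfData("expires_leaf", now, []time.Time{leaf}, 30, 15, clamp),
		))
	}
}
```

With clamping the leaf entry comes out as `'expires_leaf'=0d;30;15;0;`, matching the output above; without it the same chain yields `'expires_leaf'=-2878d;30;15;;`, and the intermediate metric drops from `0d` to the expired intermediate's negative count rather than hiding behind the still-valid one.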