matteocorti/check_ssl_cert

Extension of the chain check for affiliation with the main certificate.

micneon opened this issue · 5 comments

Hello,

If I use --check-chain, the chains are checked for validity, but not whether the wrong bridge certificates are stored in the chain. Am I correct, or is that exactly what you want? If so, how can I have it checked myself to see whether the ca.crt that has been deposited is the correct one? If it doesn't already exist, could you add that as an option?

Sample:
with wrong ca.crt:
./check_ssl_cert -t 180 -A --check-chain --openssl /usr/local/bin/openssl -H xxxdomain.de -P http -p 443 -w 4 -c 1

SSL_CERT OK - xxxdomain.de:443, http, x509 certificate '*.xxxdomain.de' (xxxdomain.de) from 'Sectigo Limited' valid until Apr 5 23:59:59 2024 GMT (expires in 394 days)|days_chain_elem1=394;4;1;;

with correct ca.crt:
./check_ssl_cert -t 180 -A --check-chain --openssl /usr/local/bin/openssl -H management.xxxdomain.de -P http -p 443 -w 4 -c 1

SSL_CERT OK - management.xxxdomain.de:443, http, x509 certificate '*.xxxdomain.de' (management.xxxdomain.de) from 'Sectigo Limited' valid until Apr 5 23:59:59 2024 GMT (expires in 394 days)|days_chain_elem1=394;4;1;; days_chain_elem2=2855;4;1;; days_chain_elem3=2125;4;1;;

I also tried via curl with:
--crl --rootcert-file /usr/local/icinga/etc/cacert.pem

Direct with Curl:
correct:
curl https://management.xxxdomain.de/service/oatuh/token
{"timestamp":1678267938833,"status":404,"error":"Not Found","path":"/service/oatuh/token"}

wrong:
curl https://xxxdomain.de/service/oatuh/token
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I have replaced the correct domain name with the dummy xxxdomain.de.

Greetings Micneon

Dear @micneon, thanks. It's difficult to debug without an example. Could you please send me the host privately?

At the moment --check-chain checks if the root certificate is unnecessarily in the chain and if both a valid and an expired certificate are in the chain. I should know what is wrong in the chain of your example.

I have sent you an e-mail with a real test domain, because I have not found here how to send direct messages to you.

Greetings Michael

Thanks, I got it. I'll take a look as soon as I can ...

Problem caused by -A:

   -A,--noauth                     Ignore authority warnings (expiration
                                   only)
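The distinction this thread turns on can be reproduced offline. The script below is an added example, not code from check_ssl_cert or from either participant: --check-chain inspects the composition of the served chain, while the question the reporter actually asked (does the served intermediate link the leaf to a trusted root?) is a verification question, which is what openssl verify and curl answer. The script builds a throwaway root -> intermediate -> leaf hierarchy with openssl (all names, paths and the www.example.test hostname are constructed), then verifies the leaf once with the correct intermediate and once with an unrelated intermediate standing in for the "wrong ca.crt" in the report.

```shell
#!/bin/sh
# Added example (not part of check_ssl_cert): reproduce the issue's symptom offline.
# A throwaway root -> intermediate -> leaf hierarchy is generated with openssl; a
# second, unrelated intermediate stands in for the "wrong ca.crt" served by the host.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# issue_cert NAME ISSUER EXTFILE : create key + CSR for NAME, sign it with ISSUER
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$3" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_chain ROOT UNTRUSTED LEAF : 0 if LEAF chains to ROOT through UNTRUSTED,
# 1 otherwise. This is the check curl performs against its CA bundle; a wrong
# intermediate yields "unable to get local issuer certificate" (error 20).
verify_chain() {
  if openssl verify -CAfile "$WORK/$1.crt" -untrusted "$WORK/$2.crt" \
       "$WORK/$3.crt" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

build_hierarchy() {
  # constructed extension profiles for CA and end-entity certificates
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
    > "$WORK/leaf.ext"
  # self-signed root: what the monitoring host would carry in its cacert.pem
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=Example Root" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
  # the real issuing intermediate and the leaf it signs
  issue_cert intermediate root "$WORK/ca.ext"
  issue_cert leaf intermediate "$WORK/leaf.ext"
  # an unrelated intermediate under the same root: the "wrong ca.crt"
  issue_cert wrong_intermediate root "$WORK/ca.ext"
}

build_hierarchy
for inter in intermediate wrong_intermediate; do
  if verify_chain root "$inter" leaf; then
    echo "leaf via $inter: verifies to Example Root"
  else
    echo "leaf via $inter: does NOT verify (curl: unable to get local issuer certificate)"
  fi
done
```

Both served chains contain a well-formed, unexpired intermediate, so a check that only inspects the chain's contents reports nothing; only building the path to a trusted root exposes the wrong intermediate. That is the check a monitoring command should run without -A if the goal is to catch the misconfiguration in this report.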