matteocorti/check_ssl_cert

nmap + DNS issue returns "Cannot connect" error msg

Closed this issue · 4 comments

Describe the bug

When the nmap binary is available, and a DNS record does not exist (NXDOMAIN) or there is no record (empty response with NOERROR), then check_ssl_cert will show a "Cannot connect to ..." error.

When the hostname is a single label, a "Cannot resolve ..." error is returned (without the usual SSL_CERT CRITICAL prefix, though).

To Reproduce

$ ./check_ssl_cert -H li
Cannot resolve li
$

$ host nxdomain.corti.li
Host nxdomain.corti.li not found: 3(NXDOMAIN)
$
$ ./check_ssl_cert -H nxdomain.corti.li
Cannot connect to nxdomain.corti.li on port 443

$ host www.ltri.eu
$
$ ./check_ssl_cert -H www.ltri.eu
Cannot connect to www.ltri.eu on port 443
$


$ apt remove nmap
[...]

$ ./check_ssl_cert -H nxdomain.corti.li
SSL_CERT CRITICAL nxdomain.corti.li: nxdomain.corti.li is not a valid hostname
$

$ ./check_ssl_cert -H www.ltri.eu
SSL_CERT CRITICAL www.ltri.eu: Unknown host
$


Expected behavior

Proper error messages should appear, even when the nmap binary is present.

System (please complete the following information):

  • OS: Ubuntu
  • OS version: 20.04 LTS
  • check_ssl_cert version: 2.62.0
  • OpenSSL version (openssl version): 1.1.1f

Additional context/output

$ ./check_ssl_cert -v -d -H nxdomain.corti.li
[DBG] check_ssl_cert version: 2.62.0
[DBG] System info: Linux htznr2 5.4.0-139-generic #156-Ubuntu SMP Fri Jan 20 17:27:18 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
[DBG] /etc/os-release:
[DBG]   NAME="Ubuntu"
[DBG]   VERSION="20.04.5 LTS (Focal Fossa)"
[DBG]   ID=ubuntu
[DBG]   ID_LIKE=debian
[DBG]   PRETTY_NAME="Ubuntu 20.04.5 LTS"
[DBG]   VERSION_ID="20.04"
[DBG]   HOME_URL="https://www.ubuntu.com/"
[DBG]   SUPPORT_URL="https://help.ubuntu.com/"
[DBG]   BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
[DBG]   PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
[DBG]   VERSION_CODENAME=focal
[DBG]   UBUNTU_CODENAME=focal
[DBG] User: lukas
[DBG] Shell: /bin/bash
[DBG]   GNU bash, version 5.0.17(1)-release (x86_64-pc-linux-gnu)
[DBG]   Copyright (C) 2019 Free Software Foundation, Inc.
[DBG]   License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
[DBG]
[DBG]   This is free software; you are free to change and redistribute it.
[DBG]   There is NO WARRANTY, to the extent permitted by law.
[DBG] grep: /bin/grep
[DBG]   grep (GNU grep) 3.4
[DBG]   Copyright (C) 2020 Free Software Foundation, Inc.
[DBG]   License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
[DBG]   This is free software: you are free to change and redistribute it.
[DBG]   There is NO WARRANTY, to the extent permitted by law.
[DBG]
[DBG]   Written by Mike Haertel and others; see
[DBG]   <https://git.sv.gnu.org/cgit/grep.git/tree/AUTHORS>.
[DBG] hostname: /bin/hostname
[DBG] $PATH: /home/lukas/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
[DBG] Command line arguments: -v -d -H nxdomain.corti.li
[DBG]   TMPDIR = /tmp
[DBG] Required HTTP headers:
[DBG] Unrequired HTTP headers:
[DBG] Adding the domain if missing
[DBG] HOST = nxdomain.corti.li
[DBG] SNI                 =
[DBG] HOST_NAME           = nxdomain.corti.li
[DBG] HOST_ADDR           = nxdomain.corti.li
[DBG] NAMES_TO_BE_CHECKED = __HOST__
[DBG] Checking if nxdomain.corti.li is an IP address
[DBG] nxdomain.corti.li is not an IP address
[DBG] HOST_IS_IP.         = 0
[DBG] Checking if nxdomain.corti.li is an IP address
[DBG] nxdomain.corti.li is not an IP address
[DBG] Adding nxdomain.corti.li to NAMES_TO_BE_CHECKED
[DBG] NAMES_TO_BE_CHECKED = nxdomain.corti.li
[DBG] curl binary needed. SSL Labs = , OCSP = 1, CURL = , IGNORE_CONNECTION_STATE=, FILE_URI=
[DBG] curl binary not specified
[DBG] curl available: /usr/bin/curl
[DBG] curl 7.68.0 (x86_64-pc-linux-gnu) libcurl/7.68.0 OpenSSL/1.1.1f zlib/1.2.11 brotli/1.0.7 libidn2/2.2.0 libpsl/0.21.0 (+libidn2/2.2.0) libssh/0.9.3/openssl/zlib nghttp2/1.40.0 librtmp/2.3
[DBG] Release-Date: 2020-01-08
[DBG] Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
[DBG] Features: AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
[DBG] -c specified: 15
[DBG] -w specified: 20
[DBG] Executing comparison '1728000 <= 1296000'
[DBG]   bc result = 0
[DBG]   returning 1
[DBG] ROOT_CA =
[DBG] mktemp available: /bin/mktemp
[DBG] file version: file-5.38
[DBG] magic file from /etc/magic:/usr/share/misc/magic
[DBG] nmap binary not specified
[DBG] nmap available: /usr/bin/nmap
[DBG] Checking IPs: host nxdomain.corti.li
[DBG] the host does not have an IPv4 address. Trying nmap with -6 to force IPv6 for an IPv6-only host
[DBG] perl available: /usr/bin/perl
[DBG] date available: /bin/date
[DBG] checking date version
[DBG] date computation type: GNU
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL info:
[DBG] OpenSSL 1.1.1f  31 Mar 2020
[DBG] built on: Mon Feb  6 17:57:17 2023 UTC
[DBG] platform: debian-amd64
[DBG] options:  bn(64,64) rc4(16x,int) des(int) blowfish(ptr)
[DBG] compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -Wa,--noexecstack -g -O2 -fdebug-prefix-map=/build/openssl-7mt7n4/openssl-1.1.1f=. -fstack-protector-strong -Wformat -Werror=format-security -DOPENSSL_TLS_SECURITY_LEVEL=2 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG -Wdate-time -D_FORTIFY_SOURCE=2
[DBG] OPENSSLDIR: "/usr/lib/ssl"
[DBG] ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"
[DBG] Seeding source: os-specific
[DBG] OpenSSL configuration directory: /usr/lib/ssl
[DBG] 0 root certificates installed by default
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername nxdomain.corti.li
[DBG] Proxy settings (before):
[DBG]   http_proxy  =
[DBG]   https_proxy =
[DBG]   HTTP_PROXY  =
[DBG]   HTTPS_PROXY =
[DBG] Proxy settings (after):
[DBG]   http_proxy  =
[DBG]   https_proxy =
[DBG]   HTTP_PROXY  =
[DBG]   HTTPS_PROXY =
[DBG]   s_client    =
[DBG]   curl        =
[DBG] '/usr/bin/openssl s_client' supports '-name': using htznr2
[DBG] '/usr/bin/openssl s_client' supports '-xmpphost': using -xmpphost nxdomain.corti.li
[DBG] HOST_HEADER = nxdomain.corti.li
[DBG] Testing connection with nxdomain.corti.li:443
[DBG] Executing: '/usr/bin/nmap -6 --unprivileged -Pn -p 443 nxdomain.corti.li'
[DBG] cleaning up temporary files
[DBG] exiting with CRITICAL
[DBG] ALL_MSG =
[DBG] number of errors = 0
Cannot connect to nxdomain.corti.li on port 443
$

Thanks. Fixed and added a couple of tests.

Thanks. Is it expected to return the error message without the SSL_CERT CRITICAL prefix?

I'll check; there are also some checks failing.

Some additional notes:

  • -4 and -6 should probably be considered in nslookup
  • nslookup may not return "No answer" in certain cases:
$ nslookup -type=A cname.ltri.eu
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
cname.ltri.eu   canonical name = localhost.ltri.eu.
Name:   localhost.ltri.eu
Address: 127.0.0.1

$ nslookup -type=AAAA cname.ltri.eu
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
cname.ltri.eu   canonical name = localhost.ltri.eu.

$
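The three DNS outcomes the report distinguishes (NXDOMAIN, an empty NOERROR answer, and a name that resolves), together with the two points from the last comment (honouring -4/-6, and a CNAME chain for which nslookup prints no "No answer" line), as an added shell example that is not check_ssl_cert's own code. The nslookup transcripts are constructed from the output quoted in the thread and passed in as strings so the script runs offline; the function names classify_lookup and resolve_message, the "resolved" message and the prefixed form of the single-label case are assumptions, while the two CRITICAL texts are the ones the issue shows when nmap is absent.

```shell
#!/bin/sh
# Added example, not check_ssl_cert's own code: classify an nslookup result so a
# monitoring plugin can tell three DNS outcomes apart instead of reporting
# "Cannot connect":
#   nxdomain  - the name does not exist (rcode NXDOMAIN)
#   noaddress - the name exists but has no address of the requested type: either
#               nslookup's "No answer", or a CNAME chain that ends without an
#               A/AAAA record, which prints no "Address:" line at all
#   resolved  - at least one address was returned

# Parse one nslookup transcript (passed as a string). Only "Address:" lines after
# the first blank line count: the lines before it describe the resolver
# ("Address: 127.0.0.53#53"), not the answer.
classify_lookup() {
    local status=noaddress body=0 line
    while IFS= read -r line; do
        case "$line" in
            *NXDOMAIN*)   status=nxdomain; break ;;
            "")           body=1 ;;
            "Address: "*) if [ "$body" -eq 1 ]; then status=resolved; break; fi ;;
        esac
    done <<EOF
$1
EOF
    echo "$status"
}

# Build the plugin-style message. FAMILY is "any", "4" or "6" (the -4/-6 options
# the comment says nslookup handling should respect); $3 and $4 are the A and
# AAAA transcripts. Exit status is the Nagios status: 0 = OK, 2 = CRITICAL.
# The "resolved" text is an assumption; the CRITICAL texts follow the issue.
resolve_message() {
    local host="$1" family="$2" a=noaddress aaaa=noaddress
    if [ "$family" != 6 ]; then a=$(classify_lookup "$3"); fi
    if [ "$family" != 4 ]; then aaaa=$(classify_lookup "$4"); fi
    if [ "$a" = resolved ] || [ "$aaaa" = resolved ]; then
        echo "${host} resolved"
        return 0
    fi
    if [ "$a" = nxdomain ] || [ "$aaaa" = nxdomain ]; then
        echo "SSL_CERT CRITICAL ${host}: ${host} is not a valid hostname"
    else
        echo "SSL_CERT CRITICAL ${host}: Unknown host"
    fi
    return 2
}

# Constructed nslookup transcripts, modelled on the output quoted in the issue.
NSLOOKUP_A_OK='Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
cname.ltri.eu   canonical name = localhost.ltri.eu.
Name:   localhost.ltri.eu
Address: 127.0.0.1'

NSLOOKUP_AAAA_CNAME_ONLY='Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
cname.ltri.eu   canonical name = localhost.ltri.eu.'

NSLOOKUP_NXDOMAIN="Server:         127.0.0.53
Address:        127.0.0.53#53

** server can't find nxdomain.corti.li: NXDOMAIN"

NSLOOKUP_NO_ANSWER="Server:         127.0.0.53
Address:        127.0.0.53#53

*** Can't find www.ltri.eu: No answer"

# Walk through the cases from the thread; the non-zero return is the plugin
# status, not a script error, so it is ignored here.
resolve_message cname.ltri.eu any "$NSLOOKUP_A_OK" "$NSLOOKUP_AAAA_CNAME_ONLY" || :
resolve_message cname.ltri.eu 6   "$NSLOOKUP_A_OK" "$NSLOOKUP_AAAA_CNAME_ONLY" || :
resolve_message nxdomain.corti.li any "$NSLOOKUP_NXDOMAIN" "$NSLOOKUP_NXDOMAIN" || :
resolve_message www.ltri.eu any "$NSLOOKUP_NO_ANSWER" "$NSLOOKUP_NO_ANSWER" || :
```

The parser keys on the presence of an answer-section "Address:" line rather than on the "No answer" string, which is exactly the case the last comment shows: for cname.ltri.eu an AAAA query returns only the CNAME, so grepping for "No answer" would wrongly treat the host as resolvable, and with -6 the plugin should report it as unknown.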