CSR is not a DEM
tuxracer1337 opened this issue · 8 comments
Dear Matteo,
we found the following issue in the latest versions
While running a command like this:
```shell
'/usr/lib64/nagios/plugins/check_ssl_cert' '--ignore-connection-problems' '--ignore-maximum-validity' '--ignore-sct' '--ignore-tls-renegotiation' '--no-perf' '--tls1_2' '-H' 'myFancyHost' '-c' '7' '-i' 'Corp-Root-CA-G2' '-m' 'myFancyHost' '-p' '443' '-w' '21' --crl --debug --rootcert-file /path/to/Corp-Root-CA-G2.pem 2>&1
```
it does not run successfully, because the CRL isn't a DEM certificate, but check_ssl_cert assumes each CRL is a DEM and wants to convert it to PEM. If we change the code to something like this at line 1821:
```shell
# convert DER to
#debuglog "Converting ${CRL_TMP_DER} (DER) to ${CRL_TMP_PEM} (PEM)"
#"${OPENSSL}" crl -inform DER -in "${CRL_TMP_DER}" -outform PEM -out "${CRL_TMP_PEM}"
CRL_TMP_PEM=${CRL_TMP_DER}
```
no error occurs for our CRL.
Is it important to have a PEM each time? A better solution could be:
- Test whether the CRL is PEM or DEM
- If PEM, do not convert
- If DEM, convert to PEM
What do you think about it? Do you have a better solution for this case?
Best regards
Andreas
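The three-step approach proposed above (detect the CRL format, convert only DER), as an added POSIX shell example that is not part of check_ssl_cert or of this thread. It assumes an `OPENSSL` variable pointing at an openssl binary; the conversion command itself is the one quoted in the issue. Detection needs no openssl call: a PEM CRL starts with the `-----BEGIN X509 CRL-----` armour line, and a DER CRL is a DER SEQUENCE whose first byte is 0x30.

```shell
#!/bin/sh
# Added example (not check_ssl_cert's own code): decide whether a CRL file is
# PEM or DER before handing it to openssl, and only convert when it is DER.
# Assumes OPENSSL points at an openssl binary (an assumption of this example).

OPENSSL="${OPENSSL:-openssl}"

# crl_format FILE -> prints PEM, DER or unknown (always returns 0)
crl_format() {
    file="$1"
    # An empty or missing file is exactly the failure seen later in this
    # thread, so report it explicitly instead of guessing a format.
    [ -s "${file}" ] || { printf 'unknown\n'; return 0; }
    # A PEM CRL is text that starts with the BEGIN X509 CRL armour line.
    if grep -q -- '^-----BEGIN X509 CRL-----' "${file}" 2>/dev/null; then
        printf 'PEM\n'
        return 0
    fi
    # A DER CRL is a DER SEQUENCE, so its first byte is 0x30.
    first=$(od -An -t x1 -N 1 "${file}" | tr -d ' \n')
    if [ "${first}" = "30" ]; then
        printf 'DER\n'
    else
        printf 'unknown\n'
    fi
    return 0
}

# crl_to_pem IN OUT -> writes a PEM CRL to OUT; returns 1 if IN is not a CRL
crl_to_pem() {
    in="$1"
    out="$2"
    case "$(crl_format "${in}")" in
        PEM) cp "${in}" "${out}" ;;
        DER) "${OPENSSL}" crl -inform DER -in "${in}" -outform PEM -out "${out}" ;;
        *)   printf 'not a PEM or DER CRL: %s\n' "${in}" >&2; return 1 ;;
    esac
}
```

Because `crl_to_pem` refuses anything that is neither PEM nor DER, a CRL that failed to download (an empty temp file) is reported as such rather than being passed on to `openssl verify`.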
I will fix it as soon as I get some time.
I really have no idea why I assumed that the CRL should always be in DER format.
Can you please test with the latest commit?
"Houston, we're still having problems"
I tested the new version with the following results:
Related debug error:
```
[DBG] cat /tmp/R5q0uM /tmp/w39vxh /etc/pki/ca-trust/source/anchors/Corp-Root-CA-G2.pem > /tmp/Q0QwUv
[DBG] /usr/bin/openssl verify -crl_check -CRLfile /tmp/R5q0uM /tmp/MYvJod
[DBG] result:
[DBG] CRITICAL ----------------------------------------
[DBG] prepend_critical_message: new message = certificate element 1 is revoked (CRL)
[DBG] prepend_critical_message: CRITICAL_MSG =
[DBG] prepend_critical_message: ALL_MSG 1 =
[DBG] prepend_critical_message: MSG 2 = SSL_CERT CRITICAL my.domain.ch: certificate element 1 is revoked (CRL)
[DBG] prepend_critical_message: CRITICAL_MSG 2 = SSL_CERT CRITICAL my.domain.ch: certificate element 1 is revoked (CRL)
[DBG] prepend_critical_message: ALL_MSG 2 = \n SSL_CERT CRITICAL my.domain.ch: certificate element 1 is revoked (CRL)
[DBG] CRITICAL ----------------------------------------
[DBG] ------------------------------------------------------------------------------
```
I stopped deleting tmp files in the script (line 731) to have all files available after the script run.
```
fancyhost:/tmp # for i in $(cd /tmp ; find . -type f -mmin -10 ); do ls -la $i ; done
-rw------- 1 root root 2366 Apr 27 12:39 ./ekqa2d
-rw------- 1 root root 310 Apr 27 12:39 ./SJfeid
-rw------- 1 root root 2468 Apr 27 12:39 ./OGVoYa
-rw------- 1 root root 2468 Apr 27 12:39 ./D8uvgJ
-rw------- 1 root root 7257 Apr 27 12:44 ./w39vxh >>>>> is not empty
-rw------- 1 root root 310 Apr 27 12:44 ./A0wjMy
-rw------- 1 root root 1074 Apr 27 12:44 ./gIF5Qe
-rw------- 1 root root 2468 Apr 27 12:44 ./t75HfY
-rw------- 1 root root 7257 Apr 27 12:39 ./kevzYi
-rw------- 1 root root 0 Apr 27 12:44 ./R5q0uM >>>> IS EMPTY
-rw------- 1 root root 1074 Apr 27 12:39 ./jVMDY6
-rw------- 1 root root 9444 Apr 27 12:44 ./Q0QwUv >>> Is the concatenation of R5q0uM and w39vxh BUT R5q0uM is empty
-rw------- 1 root root 2366 Apr 27 12:39 ./svJ6gG
-rw------- 1 root root 2222 Apr 27 12:39 ./TthFtv
-rw------- 1 root root 2468 Apr 27 12:44 ./lpehUG
-rw------- 1 root root 2222 Apr 27 12:44 ./hWLyNA
-rw------- 1 root root 0 Apr 27 12:39 ./sQm3hz
-rw------- 1 root root 0 Apr 27 12:39 ./CdQp46
-rw------- 1 root root 0 Apr 27 12:44 ./y3x5jv
-rw------- 1 root root 2366 Apr 27 12:44 ./RMArft
-rw------- 1 root root 9444 Apr 27 12:39 ./rRM4rF
-rw------- 1 root root 2366 Apr 27 12:44 ./MYvJod
```
Here is a closer look at both files:
```
#### File /tmp/R5q0uM ####
-rw------- 1 root root 0 Apr 27 12:44 /tmp/R5q0uM
#### What's inside? ####
/tmp/R5q0uM: empty
#### File /tmp/MYvJod ####
-rw------- 1 root root 2366 Apr 27 12:44 /tmp/MYvJod
#### What's inside? ####
/tmp/MYvJod: PEM certificate
#### Run /usr/bin/openssl verify -crl_check -CRLfile /tmp/R5q0uM /tmp/MYvJod
unable to load CRLs
```
RESULT: "unable to load CRLs" is the error of the openssl command.
But the DEBUG output is also "wrong".
The command is not "/usr/bin/openssl verify -crl_check -CRLfile /tmp/R5q0uM /tmp/MYvJod".
The code looks like this:
```shell
CRL_RESULT=$(
    "${OPENSSL}" verify -crl_check -CAfile "${CRL_TMP_CHAIN}" -CRLfile "${CRL_TMP_PEM}" "${CERT_ELEMENT}" 2>&1 |
        "${GREP_BIN}" -F ':' |
        head -n 1 |
        sed 's/^.*: //'
)
```
But running the correct command also fails with the same message, as you can see here:
```
fancyhost: # /usr/bin/openssl verify -crl_check -CRLfile /tmp/R5q0uM /tmp/MYvJod | grep -F ':' | head -n 1 | sed 's/^.*: //'
unable to load CRLs
```
And nobody knows the real error because of this if-case:
```shell
if ! [ "${CRL_RESULT}" = 'OK' ]; then
    prepend_critical_message "certificate element ${el_number} is revoked (CRL)"
fi
else
```
In CRL_RESULT we have "unable to load CRLs" and not "OK", so we get the "element is revoked" error.
This looks "strange" to me, because "unable to load CRLs" is not the same as "CRL is revoked".
What do you think about this?
best regards
Andreas
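The misclassification described in this comment (a CRL that could not be loaded reported as "revoked") can be avoided by classifying the whole `openssl verify` output rather than testing only for `OK`. The following POSIX shell example is added here and is not check_ssl_cert's code; the sample outputs are constructed from the "unable to load CRLs" message quoted above and from openssl's usual "certificate revoked" and ": OK" verify messages, whose exact wording is an assumption of the example.

```shell
#!/bin/sh
# Added example (not check_ssl_cert's own code): classify the full output of
# "openssl verify -crl_check" instead of equating everything that is not "OK"
# with a revoked certificate. The wording of openssl's messages other than
# "unable to load CRLs" (quoted in the issue) is an assumption here.

# classify_verify_output OUTPUT -> prints ok | revoked | error: <reason>
classify_verify_output() {
    out="$1"
    # A revocation is reported by the verifier itself, so check it first.
    if printf '%s\n' "${out}" | grep -q 'certificate revoked'; then
        printf 'revoked\n'
    # Failure to load the CRL, chain or certificate: verification never ran.
    elif printf '%s\n' "${out}" | grep -q -i 'unable to load'; then
        reason=$(printf '%s\n' "${out}" | grep -i 'unable to load' | head -n 1)
        printf 'error: %s\n' "${reason}"
    # openssl prints "<file>: OK" only when every check passed.
    elif printf '%s\n' "${out}" | grep -q ': OK$'; then
        printf 'ok\n'
    else
        reason=$(printf '%s\n' "${out}" | head -n 1)
        printf 'error: %s\n' "${reason}"
    fi
    return 0
}

# crl_verdict OUTPUT -> the monitoring outcome for this check: only a real
# revocation is CRITICAL; a loader problem becomes UNKNOWN so that it can
# never masquerade as a revocation.
crl_verdict() {
    case "$(classify_verify_output "$1")" in
        ok)      printf 'OK\n' ;;
        revoked) printf 'CRITICAL\n' ;;
        *)       printf 'UNKNOWN\n' ;;
    esac
    return 0
}

# Constructed sample outputs (not captured from a real run).
SAMPLE_OK='/tmp/MYvJod: OK'
SAMPLE_LOAD_FAIL='unable to load CRLs'
SAMPLE_REVOKED='error 23 at 0 depth lookup: certificate revoked
error /tmp/MYvJod: verification failed'
```

The point of the split is that the existing pipeline (`grep -F ':' | head -n 1 | sed 's/^.*: //'`) keeps only the tail of the first line, so every loader error collapses into "not OK" and is then reported as a revocation; keeping the reason and mapping it to UNKNOWN makes an empty or missing CRL temp file visible in the check output instead of hiding it behind a wrong CRITICAL.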
Update
The issue occurs because of line 1847.
The CRL tmp file is only available if the CRL is a DEM file; if not, it does not work correctly.
With an additional IF case around line 1847 the problem should be solved.
Best regards
Should be fixed.
Yes, looks good. Thank you!
Just released a new version with the fix.