matteocorti/check_ssl_cert

Cannot resolve hostname in environments without public DNS access


Dear Matteo,

We tested the new version 2.68 on additional systems, and our customer found an issue related to #455.

Since this change, the script tries to verify at the beginning that a DNS entry for the host is available.
This only works in environments with access to public DNS resolvers.

But it fails in a secured environment where internet access is only allowed through proxies, like this:

'/usr/lib64/nagios/plugins/check_ssl_cert' '--ignore-connection-problems' '--ignore-tls-renegotiation' '--no-perf' '--proxy' 'myfancy.proxy.server:3128' '--tls1_2' '-H' 'my.fancy.website' '-c' '7' '-i' 'FNCY CA 3' '-p' '443' '-w' '21' 

[DBG] exiting with CRITICAL
[DBG] ALL_MSG =
[DBG] number of errors = 0
SSL_CERT CRITICAL: Cannot resolve my.fancy.website

Only the proxy can resolve the hostname; the DNS inside the environment can't resolve my.fancy.website.
Do you need more details?

Best regards

Andreas

I see only two options if a proxy is used and DNS is not working:

  • Add an option to skip the check
  • Use DNS over HTTP (with curl using the proxy):
    curl -H "Content-Type: application/dns-json" "https://dns.google.com/resolve?name=www.google.com&type=A"

I just committed a version with an option to skip the check.
I'll take a look at the second option tomorrow.

I implemented both:

  • --do-not-resolve to skip the resolve check
  • --resolve-over-http to use DNS over HTTP
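The DNS-over-HTTPS route sketched above, as an added example that is not check_ssl_cert's own code: query a public resolver's JSON API through the HTTP proxy with curl, then pick the A record out of the answer with POSIX tools so the check can decide whether the name resolves. It assumes dns.google's JSON API (with an Accept header rather than the Content-Type header in the curl line above); the proxy, hostname and sample answers are constructed placeholders.

```shell
# Ask the resolver for the A records of $1, sending the request through proxy $2
# (host:port). This is the only part that needs network access.
doh_query() {
    host="$1"; proxy="$2"
    curl --silent --show-error --fail --proxy "${proxy}" \
        -H 'Accept: application/dns-json' \
        "https://dns.google/resolve?name=${host}&type=A"
}

# Print the first A record ("type":1) from a dns-json answer, skipping CNAME
# entries ("type":5) that may precede it. POSIX tools only, no jq required.
doh_extract_a() {
    printf '%s\n' "$1" \
        | tr '{' '\n' \
        | grep '"type":1,' \
        | sed -n 's/.*"data":"\([0-9.]*\)".*/\1/p' \
        | head -n 1
}

# Succeed (exit 0) only if the answer has Status 0 (NOERROR) and an A record;
# an NXDOMAIN (Status 3) or an answer without A records fails, so the caller
# can report "cannot resolve" or skip the check, as with --do-not-resolve.
doh_resolved() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*"Status":\([0-9]*\).*/\1/p' | head -n 1)
    [ "${status}" = "0" ] && [ -n "$(doh_extract_a "$1")" ]
}

# Constructed sample answers (placeholder names and RFC 5737 address) so the
# parsing can be exercised without network access.
SAMPLE_OK='{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"my.fancy.website.","type":1}],"Answer":[{"name":"my.fancy.website.","type":5,"TTL":300,"data":"cdn.example."},{"name":"cdn.example.","type":1,"TTL":60,"data":"192.0.2.10"}]}'
SAMPLE_NX='{"Status":3,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"does.not.exist.","type":1}]}'

# Live use through the proxy (placeholder values):
#   answer=$(doh_query my.fancy.website myfancy.proxy.server:3128) \
#     && doh_resolved "$answer" && echo "resolves to $(doh_extract_a "$answer")"
```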

Dear Andreas,
As I don't have a proxy to test it, can you please give short feedback on whether one of the two options solves your problem?

Hi,

Thanks, I'll try it and send you feedback.

Dear Matteo,

We tried "--do-not-resolve", but it did not work.

[DBG] /usr/bin/timeout 120 /bin/sh -c "printf 'HEAD / HTTP/1.1\nHost: fancyhost.domain.ch\nUser-Agent: check_ssl_cert/2.69.0\nConnection: close\n\n' | /usr/bin/openssl s_client     -crlf  -connect fancyhost.domain.ch:443 -servername fancyhost.domain.ch   -showcerts -verify 6  -tls1_2     -legacy_renegotiation 2> /tmp/9WLhhY 1> /tmp/UmvBH5"
[DBG]   end time = 1683911193
[DBG]   new timeout = 120
[DBG] Return value of the command = 1
[DBG] SSL error: verify depth is 6
[DBG] SSL error: 140661354600256:error:2008F002:BIO routines:BIO_lookup_ex:system lib:crypto/bio/b_addr.c:730:Name or service not known
[DBG] SSL error: connect:errno=0
[DBG] CRITICAL ----------------------------------------
[DBG] prepend_critical_message: new message    = fancyhost.domain.ch is not a valid hostname

While getting the cert, no proxy is used.

It looks like the problem is that you use the variable OPENSSL on line 4290,
but its initialization is on line 4642 (both inside the main() routine).

Best regards
Andreas

Thanks, the GREP_BIN variable has the same problem.

I fixed both, can you please test again?

Hi Matteo,

Our first shot: now it works, BUT without "--do-not-resolve".
I'll tell you more details if we locate the issue.

Can you post the debugging output? (If you would rather not publish it, you can also send it to me by email.)

Hi,

I guess it was a mistake on our side. Works as designed :) with --do-not-resolve.

Hi Matteo,

I downloaded the latest 2.69, but the fix is not available there. Is it possible to release a 2.70 with the fix for our rollout?

Dear Andreas, I just released version 2.70.0.