matteocorti/check_ssl_cert

--resolve doesn't appear to be working

nickjwest opened this issue · 16 comments

I have recently updated to 2.70 from an older version, 2.3.7, and the --resolve option doesn't appear to be working, even though it is the same option as in the help.

A clear and concise description of what the bug is.

The --resolve option doesn't appear to be working, or is behaving differently from earlier versions.

Steps to reproduce the behavior.

I ran the same command in the old and new versions, and the --resolve worked as expected in the older version, but didn't work in the new one.

A clear and concise description of what you expected to happen.

System (please complete the following information):

Running on Ubuntu 20.4

Additional context/output

Can you please submit the output with --debug?

./check_ssl_cert.bkp -H rewards.britishgas.co.uk -w 20 -c 10 --ignore-sct --ignore-ocsp --resolve 18.165.201.99
SSL_CERT OK - x509 certificate 'rewards.britishgas.co.uk' from 'DigiCert TLS RSA SHA256 2020 CA1' valid until Nov 22 23:59:59 2023 GMT (expires in 118 days)|days_chain_elem1=118;20;10;; days_chain_elem2=3027;20;10;; days_chain_elem3=2817;20;10;;
./check_ssl_cert.bkp -V
check_ssl_cert version 2.3.7

/check_ssl_cert -H rewards.britishgas.co.uk -w 20 -c 10 --ignore-sct --ignore-ocsp --resolve 18.165.201.99
SSL_CERT CRITICAL: Cannot resolve rewards.britishgas.co.uk
./check_ssl_cert -V
check_ssl_cert version 2.70.0

./check_ssl_cert -H rewards.britishgas.co.uk -w 20 -c 10 --ignore-sct --ignore-ocsp --resolve 18.165.201.99 --debug
[DBG] check_ssl_cert version: 2.70.0
[DBG] System info: Linux win-netmon-002 5.4.0-155-generic #172-Ubuntu SMP Fri Jul 7 16:10:02 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
[DBG] /etc/os-release:
[DBG] NAME="Ubuntu"
[DBG] VERSION="20.04.6 LTS (Focal Fossa)"
[DBG] ID=ubuntu
[DBG] ID_LIKE=debian
[DBG] PRETTY_NAME="Ubuntu 20.04.6 LTS"
[DBG] VERSION_ID="20.04"
[DBG] HOME_URL=https://www.ubuntu.com/
[DBG] SUPPORT_URL=https://help.ubuntu.com/
[DBG] BUG_REPORT_URL=https://bugs.launchpad.net/ubuntu/
[DBG] PRIVACY_POLICY_URL=https://www.ubuntu.com/legal/terms-and-policies/privacy-policy
[DBG] VERSION_CODENAME=focal
[DBG] UBUNTU_CODENAME=focal
[DBG] User: Windsor
[DBG] Shell: /bin/bash
[DBG] GNU bash, version 5.0.17(1)-release (x86_64-pc-linux-gnu)
[DBG] Copyright (C) 2019 Free Software Foundation, Inc.
[DBG] License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
[DBG]
[DBG] This is free software; you are free to change and redistribute it.
[DBG] There is NO WARRANTY, to the extent permitted by law.
[DBG] grep: /bin/grep
[DBG] grep (GNU grep) 3.4
[DBG] Copyright (C) 2020 Free Software Foundation, Inc.
[DBG] License GPLv3+: GNU GPL version 3 or later https://gnu.org/licenses/gpl.html.
[DBG] This is free software: you are free to change and redistribute it.
[DBG] There is NO WARRANTY, to the extent permitted by law.
[DBG]
[DBG] Written by Mike Haertel and others; see
[DBG] https://git.sv.gnu.org/cgit/grep.git/tree/AUTHORS.
[DBG] hostname: /bin/hostname
[DBG] $PATH: /omd/sites/Windsor/lib/perl5/bin:/omd/sites/Windsor/local/bin:/omd/sites/Windsor/bin:/omd/sites/Windsor/local/lib/perl5/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
[DBG] Command line arguments: -H rewards.britishgas.co.uk -w 20 -c 10 --ignore-sct --ignore-ocsp --resolve 18.165.201.99 --debug
[DBG] TMPDIR = /tmp
[DBG] Required HTTP headers:
[DBG] Unrequired HTTP headers:
[DBG] curl binary not needed. SSL Labs = , OCSP =
[DBG] Proxy settings (after):
[DBG] http_proxy =
[DBG] https_proxy =
[DBG] HTTP_PROXY =
[DBG] HTTPS_PROXY =
[DBG] s_client =
[DBG] curl =
[DBG] Checking if the host is listed in /etc/hosts
[DBG] Host not found in /etc/hosts: checking DNS
[DBG] Checking if the host (rewards.britishgas.co.uk) exists
[DBG] Cannot resolve rewards.britishgas.co.uk
[DBG] cleaning up temporary files
[DBG] exiting with CRITICAL
[DBG] ALL_MSG =
[DBG] number of errors = 0
SSL_CERT CRITICAL: Cannot resolve rewards.britishgas.co.uk

Thanks, I am away until the end of next week, but I'll try to take a look sooner.

Strange with 2.70 I get

[...]
[DBG] Adding rewards.britishgas.co.uk to the host cache
[DBG] Forcing rewards.britishgas.co.uk to resolve to 18.165.201.99
[DBG] SNI                 = rewards.britishgas.co.uk
[DBG] HOST_NAME           = rewards.britishgas.co.uk
[DBG] HOST_ADDR           = 18.165.201.99
[DBG] NAMES_TO_BE_CHECKED = __HOST__
[DBG] Checking if rewards.britishgas.co.uk is an IP address
[DBG] rewards.britishgas.co.uk is not an IP address
[DBG] HOST_IS_IP.         = 0
[DBG] Checking if rewards.britishgas.co.uk is an IP address
[DBG] rewards.britishgas.co.uk is not an IP address
[DBG] Adding rewards.britishgas.co.uk to NAMES_TO_BE_CHECKED
[DBG] NAMES_TO_BE_CHECKED = rewards.britishgas.co.uk
[...]

Can you confirm the installation, as I am just running the script as is, i.e. I downloaded and unzipped it and copied out the check_ssl_cert piece.

Interesting. I just copied the raw into a script and works fine.

Strange. Are the files different? Maybe line termination? I am puzzled as the script runs...

Indeed. I am going to copy over the one i have working in my lab. Maybe a red herring..!?

Did the file that is not working come from the tarball or an RPM?

I copied the script working from my home lab to my work server, and indeed it doesn't work. I think this is probably being caused by split DNS, and the script ending before it reaches the --resolve option. We cannot resolve the host internally, and it only works with the --resolve option... or at least it did in the old version 2.3.7. My home lab will just use external DNS straight away.

With 2.3.7, I am guessing the resolve part is coming before the host lookup, and because 2.70 is trying to find a local lookup, which doesn't exist, it is exiting before the --resolve option is reached. I am not a great script writer, but that is what it seems to indicate to me logically.

Thanks for the analysis. As soon as I can use my laptop, I'll take a look.

My fault, I only check if --do-not-resolve is specified to skip the resolve tests.

I will release a new version that should address the issue, but I cannot test in a real environment. Can you please let me know if it solves the problem?
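The failure mode the maintainer describes above (the DNS pre-check is skipped only for --do-not-resolve, so a forced --resolve address is never reached when the name cannot be resolved locally) can be shown with a small shell sketch. This is an added example, not check_ssl_cert's own code: `lookup_host`, `host_addr_buggy`, `host_addr_fixed` and `tls_probe_cmd` are hypothetical helpers, and the host names and addresses are constructed (RFC 5737 ranges). It also shows the point that matters for the check's correctness once a forced address is used: the TCP connection goes to the forced address, but SNI and the certificate name check must still use the original hostname.

```shell
#!/bin/sh
# Added example, not check_ssl_cert's code. Models the split-DNS scenario from
# the thread: the name is unresolvable locally and a forced address is given.

# Hypothetical resolver hook: first address for $1 via the system resolver,
# non-zero exit when nothing comes back. Tests may redefine it to run offline.
lookup_host() {
    getent hosts "$1" | awk 'NR == 1 { print $1 }' | grep .
}

# Buggy ordering (as described for 2.70): only --do-not-resolve skips the DNS
# check, so with split DNS the script exits before --resolve is ever consulted.
# args: host do_not_resolve(0|1) forced_addr(may be empty)
host_addr_buggy() {
    host=$1; do_not_resolve=$2; forced=$3
    if [ "$do_not_resolve" -eq 0 ]; then
        lookup_host "$host" >/dev/null || { echo "Cannot resolve $host" >&2; return 2; }
    fi
    if [ -n "$forced" ]; then
        echo "$forced"
    else
        lookup_host "$host"
    fi
}

# Fixed ordering: a forced address wins before any lookup; --do-not-resolve
# hands the bare name to the TLS client; otherwise resolve and fail loudly.
host_addr_fixed() {
    host=$1; do_not_resolve=$2; forced=$3
    if [ -n "$forced" ]; then
        echo "$forced"
        return 0
    fi
    if [ "$do_not_resolve" -eq 1 ]; then
        echo "$host"
        return 0
    fi
    lookup_host "$host" || { echo "Cannot resolve $host" >&2; return 2; }
}

# Build the probe command: connect to the chosen address, but keep the hostname
# as SNI so the server presents the right certificate and the name check still
# runs against the hostname rather than the IP. Printed, not executed, here.
# args: host addr [port]
tls_probe_cmd() {
    host=$1; addr=$2; port=${3:-443}
    printf 'openssl s_client -connect %s:%s -servername %s\n' "$addr" "$port" "$host"
}

# Stand-alone demonstration with the constructed scenario.
if [ "${0##*/}" != "sh" ] && [ -z "$CHECK_RESOLVE_NO_DEMO" ]; then
    echo "buggy:"; host_addr_buggy internal.example 0 203.0.113.5 || echo "  exit $?"
    echo "fixed:"; host_addr_fixed internal.example 0 203.0.113.5
    tls_probe_cmd internal.example "$(host_addr_fixed internal.example 0 203.0.113.5)"
fi
```

Redefining `lookup_host` is the only thing needed to reproduce the split-DNS case on a machine that can resolve the name; the decision logic itself never touches the network.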

Many thanks for your time on this. I will download and test and revert back.