matteocorti/check_ssl_cert

Error: verify depth is 6 - SSL_CERT CRITICAL sigges-training.fonasa.cl: No certificate returned

braulio-martinez opened this issue · 4 comments

Hi!
How are you doing? Could you please give me a hand with this issue?
I can't verify the certificate status with the command below.
I have this same issue with another 3 sites, each one with their certificates about to expire in 1 year.

Please let me know if you will need more information or the script that I'm using now.
Thanks a lot in advance.
Best Regards.

Braulio M.

.- Path:
/usr/local/nagios/libexec/check_ssl_cert-1.65.0

.- Command:
$USER1$/check_ssl_cert-1.65.0/check_ssl_cert -c 15 -w 20 -H 'sigges-training.fonasa.cl' -r "/etc/ssl/certs/" -A --ignore-ocsp

.- Error Message:
[DBG] storing a copy of the OpenSSL errors in sigges-training.fonasa.cl.error
Error: verify depth is 6
SSL_CERT CRITICAL sigges-training.fonasa.cl: No certificate returned

.- Debug:
[root@foprd01nagiosin check_ssl_cert-1.65.0]# check_ssl_cert-1.65.0/check_ssl_cert -d -c 15 -w 20 -H 'sigges-training.fonasa.cl' -r "/etc/ssl/certs/" -A --ignore-ocsp
-bash: check_ssl_cert-1.65.0/check_ssl_cert: No existe el fichero o el directorio
[root@foprd01nagiosin check_ssl_cert-1.65.0]# ./check_ssl_cert -d -c 15 -w 20 -H 'sigges-training.fonasa.cl' -r "/etc/ssl/certs/" -A --ignore-ocsp
[DBG] ROOT_CA = -CApath /etc/ssl/certs/
expect available (/usr/bin/expect)
timeout available (/usr/bin/timeout)
[DBG] perl available: /usr/bin/perl
[DBG] date available: /bin/date
found GNU date with timestamp support: enabling date computations
[DBG] check_ssl_cert version: 1.65.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
[DBG] OpenSSL configuration directory: /etc/pki/tls
[DBG] 171 root certificates installed by default
[DBG] System info: Linux foprd01nagiosin.fonasa.local 2.6.32-696.6.3.el6.x86_64 #1 SMP Wed Jul 12 14:17:22 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername sigges-training.fonasa.cl
'/usr/bin/openssl s_client' does not support '-xmpphost': disabling 'to' attribute
downloading certificate to /tmp
[DBG] sigges-training.fonasa.cl is not an IP address
[DBG] executing with timeout (15s): echo 'Q' | /usr/bin/openssl s_client -connect sigges-training.fonasa.cl:443 -servername sigges-training.fonasa.cl -verify 6 -CApath /etc/ssl/certs/ 2> /tmp/check_ssl_cert856tv3 1> /tmp/check_ssl_certHgUuas
[DBG] /usr/bin/timeout 15 /bin/sh -c "echo 'Q' | /usr/bin/openssl s_client -connect sigges-training.fonasa.cl:443 -servername sigges-training.fonasa.cl -verify 6 -CApath /etc/ssl/certs/ 2> /tmp/check_ssl_cert856tv3 1> /tmp/check_ssl_certHgUuas"
[DBG] storing a copy of the retrieved certificate in sigges-training.fonasa.cl.crt
[DBG] storing a copy of the OpenSSL errors in sigges-training.fonasa.cl.error
Error: verify depth is 6
SSL_CERT CRITICAL sigges-training.fonasa.cl: No certificate returned

.- Testing URL with curl:
[root@foprd01nagiosin check_ssl_cert-1.65.0]# curl -v sigges-training.fonasa.cl
* About to connect() to sigges-training.fonasa.cl port 80 (#0)
*   Trying 10.6.218.17... connected
* Connected to sigges-training.fonasa.cl (10.6.218.17) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: sigges-training.fonasa.cl
> Accept: */*
>
< HTTP/1.1 302 Found
< Location: https://sigges-training.fonasa.cl/
< Connection: close
<
* Closing connection #0
[root@foprd01nagiosin check_ssl_cert-1.65.0]# curl -v sigges-training.fonasa.cl:443
* About to connect() to sigges-training.fonasa.cl port 443 (#0)
*   Trying 10.6.218.17... connected
* Connected to sigges-training.fonasa.cl (10.6.218.17) port 443 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: sigges-training.fonasa.cl:443
> Accept: */*
>
* Closing connection #0
* Failure when receiving data from the peer
curl: (56) Failure when receiving data from the peer

.- Nagios Error:
SSL_CERT CRITICAL sigges-training.fonasa.cl: No certificate returned

.- Certificate Information:
Common Name (CN) GeoTrust EV RSA CA G2
Organization (O) DigiCert Inc
Issued on Thursday, 21 September 2023, 21:00:00
Expires on Tuesday, 24 September 2024, 20:59:59

.- Operating System:
CentOS 6 [x86_64]
2.6.32-696.6.3.el6.x86_64

You are using a very old version. Please upgrade and check if it's working.

Hi. Thanks for your reply. I've installed the latest version from your site.

[DBG] ALL_MSG = \n SSL_CERT CRITICAL sigges-training.fonasa.cl:443: Error verifying the certificate chain (missing local issuer certificate)
[DBG] number of errors = 1
SSL_CERT CRITICAL sigges-training.fonasa.cl:443: Error verifying the certificate chain (missing local issuer certificate)|days_chain_elem1=320;20;15;;

.- Command used:
[root@foprd01nagiosin libexec]# check_ssl_cert-2.76.0/check_ssl_cert -f /usr/local/nagios/libexec/check_ssl_cert-2.76.0/sigges-training.fonasa.cl.crt -d -c 15 -w 20 -H 'sigges-training.fonasa.cl' -r "/etc/ssl/certs/" -A --ignore-ocsp

[DBG] Converting 15 days into seconds by shell function
[DBG] Converted 15 days into seconds: 1296000
[DBG] Converting 20 days into seconds by shell function
[DBG] Converted 20 days into seconds: 1728000
[DBG] check_ssl_cert version: 2.76.0
[DBG] System info: Linux foprd01nagiosin.fonasa.local 2.6.32-696.6.3.el6.x86_64 #1 SMP Wed Jul 12 14:17:22 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[DBG] User: root
[DBG] Shell: /bin/bash
[DBG] GNU bash, versión 4.1.2(2)-release (x86_64-redhat-linux-gnu)
[DBG] Copyright (C) 2009 Free Software Foundation, Inc.
[DBG] Licencia GPLv3+: GPL de GNU versión 3 o posterior http://gnu.org/licenses/gpl.html
[DBG]
[DBG] Esto es software libre; usted es libre de cambiarlo y redistribuirlo.
[DBG] NO hay GARANTÍA, a la extensión permitida por la ley.
[DBG] grep: /bin/grep
[DBG] /bin/grep (GNU grep) 2.20
[DBG] Copyright (C) 2014 Free Software Foundation, Inc.
[DBG] Licencia GPLv3+: GPL de GNU versión 3 o posterior
[DBG] http://gnu.org/licenses/gpl.html
[DBG] Esto es software libre: usted es libre de cambiarlo y redistribuirlo.
[DBG] No hay NINGUNA GARANTÍA, hasta donde permite la ley.
[DBG] Escrito por Mike Haertel y otros, véase http://git.sv.gnu.org/cgit/grep.git/tree/AUTHORS.
[DBG] hostname: /bin/hostname
[DBG] $PATH: /usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
[DBG] Command line arguments: -f /usr/local/nagios/libexec/check_ssl_cert-2.76.0/sigges-training.fonasa.cl.crt -d -c 15 -w 20 -H sigges-training.fonasa.cl -r /etc/ssl/certs/ -A --ignore-ocsp
[DBG] TMPDIR = /tmp
[DBG] Required HTTP headers:
[DBG] Unrequired HTTP headers:
[DBG] curl binary not needed. SSL Labs = , OCSP =
[DBG] Proxy settings (after):
[DBG] http_proxy =
[DBG] https_proxy =
[DBG] HTTP_PROXY =
[DBG] HTTPS_PROXY =
[DBG] s_client =
[DBG] curl =
[DBG] Checking if the host is listed in /etc/hosts
[DBG] Host not found in /etc/hosts: checking DNS
[DBG] Checking if the host (sigges-training.fonasa.cl) exists
[DBG] HOST = sigges-training.fonasa.cl
[DBG] SNI =
[DBG] HOST_NAME = sigges-training.fonasa.cl
[DBG] HOST_ADDR = sigges-training.fonasa.cl
[DBG] NAMES_TO_BE_CHECKED =
[DBG] Checking if sigges-training.fonasa.cl is an IP address
[DBG] sigges-training.fonasa.cl is not an IP address
[DBG] HOST_IS_IP. = 0
[DBG] NAMES_TO_BE_CHECKED =
[DBG] Root CA option = -CApath /etc/ssl/certs/
[DBG] /usr/local/nagios/libexec/check_ssl_cert-2.76.0/sigges-training.fonasa.cl.crt is an URI with an authority
[DBG] -c specified: 15
[DBG] -w specified: 20
[DBG] Executing comparison '1728000 < 1296000' (precision 0)
[DBG] bc result = 0
[DBG] returning 1
[DBG] ROOT_CA = -CApath /etc/ssl/certs/
[DBG] mktemp available: /bin/mktemp
[DBG] file version: file-5.04
[DBG] magic file from /etc/magic:/usr/share/misc/magic
[DBG] nmap binary not specified
[DBG] nmap available: /usr/bin/nmap
[DBG] Checking IPs: host sigges-training.fonasa.cl
[DBG] perl available: /usr/bin/perl
[DBG] date available: /bin/date
[DBG] checking date version
[DBG] date computation type: GNU
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL info:
[DBG] OpenSSL 1.0.1e-fips 11 Feb 2013
[DBG] built on: Wed Mar 22 21:43:28 UTC 2017
[DBG] platform: linux-x86_64
[DBG] options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
[DBG] compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
[DBG] OPENSSLDIR: "/etc/pki/tls"
[DBG] engines: rdrand dynamic
[DBG] OpenSSL configuration directory: /etc/pki/tls
[DBG] 171 root certificates installed by default
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername sigges-training.fonasa.cl
[DBG] Proxy settings (before):
[DBG] http_proxy =
[DBG] https_proxy =
[DBG] HTTP_PROXY =
[DBG] HTTPS_PROXY =
[DBG] HOST_HEADER = sigges-training.fonasa.cl
[DBG] Sanity checks: OK
[DBG] temporary file /tmp/fRABZc created
[DBG] temporary file /tmp/HY1u9T created
[DBG] temporary file /tmp/UhJY3P created
[DBG] temporary file /tmp/nrIgWK created
[DBG] temporary file /tmp/8fKKHD created
[DBG] Temporary files created
[DBG] sigges-training.fonasa.cl is not an IP address
[DBG] fetch_certificate: PROTOCOL =
[DBG] check if we have to convert the file /usr/local/nagios/libexec/check_ssl_cert-2.76.0/sigges-training.fonasa.cl.crt to PEM
[DBG] certificate type (1): ASCII text, with CRLF line terminators
[DBG] temporary file /tmp/VuZlaw created
[DBG] Copying the certificate to /tmp/fRABZc
[DBG] storing the certificate to /tmp/fRABZc
[DBG] certificate type (2): ASCII text, with CRLF line terminators
[DBG] Certificate does not contain any intermediates, checking the chain will probably fail.
[DBG] verifying the certificate
[DBG] /usr/bin/openssl verify -CApath /etc/ssl/certs/ /tmp/fRABZc 2> /tmp/HY1u9T 1>&2
[DBG] Return value of the command = 2
[DBG] MESSAGE_TMP=
[DBG] SSL error: /tmp/fRABZc: 1.3.6.1.4.1.311.60.2.1.3 = CL, businessCategory = Government entity, serialNumber = Government Entity, C = CL, L = Santiago, O = FONDO NACIONAL DE SALUD, CN = sigges-training.fonasa.cl
[DBG] SSL error: error 20 at 0 depth lookup:unable to get local issuer certificate
[DBG] CRITICAL ----------------------------------------
[DBG] prepend_critical_message: new message = Error verifying the certificate chain (missing local issuer certificate)
[DBG] prepend_critical_message: CRITICAL_MSG =
[DBG] prepend_critical_message: ALL_MSG 1 =
[DBG] prepend_critical_message: MSG 2 = SSL_CERT CRITICAL sigges-training.fonasa.cl:443: Error verifying the certificate chain (missing local issuer certificate)
[DBG] prepend_critical_message: CRITICAL_MSG 2 = SSL_CERT CRITICAL sigges-training.fonasa.cl:443: Error verifying the certificate chain (missing local issuer certificate)
[DBG] prepend_critical_message: ALL_MSG 2 = \n SSL_CERT CRITICAL sigges-training.fonasa.cl:443: Error verifying the certificate chain (missing local issuer certificate)
[DBG] CRITICAL ----------------------------------------
[DBG] openssl_version 3.0.0
[DBG] Checking if OpenSSL version is at least 3.0.0 ( '3' '0' '0' ':0' )
[DBG] openssl version: OpenSSL 1.0.1e-fips 11 Feb 2013
[DBG] Current version 1.0.1e ( '1' '0' '1' 'e:101' )
[DBG] false
[DBG] extracting cert attribute enddate
[DBG] extracting cert attribute startdate
[DBG] extracting cert attribute cn
[DBG] extracting cert attribute subject
[DBG] SUBJECT = subject= 1.3.6.1.4.1.311.60.2.1.3 = CL, businessCategory = Government entity, serialNumber = Government Entity, C = CL, L = Santiago, O = FONDO NACIONAL DE SALUD, CN = sigges-training.fonasa.cl
[DBG] extracting cert attribute serial
[DBG] SERIAL = 0E479947CE2B0244436F02B9AAAEE87C
[DBG] extracting cert attribute version
[DBG] X509_VERSION = 3 (0x2)
[DBG] extracting cert attribute fingerprint
[DBG] FINGERPRINT = A2:72:29:D6:76:EF:42:FE:D2:26:2A:00:BB:41:17:01:18:90:8B:1B
[DBG] Checking if x509 supports the -ext option
[DBG] extracting cert attribute oscp_uri_single
[DBG] extracting cert attribute oscp_uri
[DBG] OCSP_URI = http://ocsp.digicert.com
[DBG] Extracting issuers
[DBG] Number of certificates in the chain: 1
[DBG] Checking certificate chain
[DBG] extracting issuer for element 1
[DBG] extracting cert attribute issuer
[DBG] ELEMENT_ISSUER=DigiCert Inc
[DBG] ELEMENT_ISSUER=GeoTrust EV RSA CA G2
[DBG] ISSUERS=DigiCert Inc
[DBG] ISSUERS=GeoTrust EV RSA CA G2
[DBG] Certificate chain check finished
[DBG] ISSUERS =
[DBG] DigiCert Inc
[DBG] GeoTrust EV RSA CA G2
[DBG] extracting cert attribute issuer_uri_single
[DBG] extracting cert attribute issuer_uri
[DBG] extracting cert attribute pub_key_algo
[DBG] extracting cert attribute sig_algo
[DBG] subject= 1.3.6.1.4.1.311.60.2.1.3 = CL, businessCategory = Government entity, serialNumber = Government Entity, C = CL, L = Santiago, O = FONDO NACIONAL DE SALUD, CN = sigges-training.fonasa.cl
[DBG] CN = sigges-training.fonasa.cl
[DBG] CA = DigiCert Inc
[DBG] CA = GeoTrust EV RSA CA G2
[DBG] SERIAL = 0E479947CE2B0244436F02B9AAAEE87C
[DBG] FINGERPRINT= A2:72:29:D6:76:EF:42:FE:D2:26:2A:00:BB:41:17:01:18:90:8B:1B
[DBG] OCSP_URI = http://ocsp.digicert.com
[DBG] ISSUER_URI = http://cacerts.digicert.com/GeoTrustEVRSACAG2.crt
[DBG] rsaEncryption sha256WithRSAEncryption
[DBG] extracting cert attribute subjectAlternativeName
[DBG] subjectAlternativeName = sigges-training.fonasa.cl
[DBG] Checking expiration date
[DBG] Number of certificates in CA chain: 1
[DBG] ------------------------------------------------------------------------------
[DBG] -- Checking element 1
[DBG] extracting cert attribute cn
[DBG] Checking expiration date of element 1 (sigges-training.fonasa.cl)
[DBG] extracting cert attribute enddate
[DBG] Validity date on cert element 1 (sigges-training.fonasa.cl) is Sep 24 23:59:59 2024 GMT
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Sep 24 23:59:59 2024 GMT' with GNU
[DBG] Computing '(1727222399-1699531761)/3600' (precision 0)
[DBG] Hours until Sep 24 23:59:59 2024 GMT: 7691
[DBG] Computing '7691/24' (precision 0)
[DBG] Computing '7691 * 3600' (precision 0)
[DBG] Adding line to prometheus days output: cert_days_chain_elem{cn="sigges-training.fonasa.cl", element="1"} 320
[DBG] valid for 320 days
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 0 on cert element 1 (sigges-training.fonasa.cl)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1296000 on cert element 1 (sigges-training.fonasa.cl)
[DBG] executing: /usr/bin/openssl x509 -noout -checkend 1728000 on cert element 1
[DBG] Adding line to prometheus validity output: cert_valid_chain_elem{cn="sigges-training.fonasa.cl", element="1"} 0
[DBG] ------------------------------------------------------------------------------
[DBG] Checking OCSP status of element 1
[DBG] temporary file /tmp/U2p4xW created
[DBG] Storing the chain element in /tmp/U2p4xW
[DBG] ------------------------------------------------------------------------------
[DBG] extracting cert attribute email
[DBG] EMAIL =
[DBG] openssl_version 1.1.0
[DBG] Checking if OpenSSL version is at least 1.1.0 ( '1' '1' '0' ':0' )
[DBG] openssl version: 1.0.1e
[DBG] Current version 1.0.1e ( '1' '0' '1' 'e:101' )
[DBG] false
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Sep 24 23:59:59 2024 GMT' with GNU
[DBG] Computing '(1727222399-1699531761)/3600' (precision 0)
[DBG] Hours until Sep 24 23:59:59 2024 GMT: 7691
[DBG] Date computations: GNU
[DBG] Computing number of hours until 'Sep 22 00:00:00 2023 GMT' with GNU
[DBG] Computing '(1695340800-1699531761)/3600' (precision 0)
[DBG] Hours until Sep 22 00:00:00 2023 GMT: -1164
[DBG] Computing '(7691 - -1164)/24' (precision 0)
[DBG] cleaning up temporary files
[DBG] /tmp/fRABZc /tmp/HY1u9T /tmp/UhJY3P /tmp/nrIgWK /tmp/8fKKHD /tmp/VuZlaw /tmp/U2p4xW
[DBG] exiting with CRITICAL
[DBG] ALL_MSG = \n SSL_CERT CRITICAL sigges-training.fonasa.cl:443: Error verifying the certificate chain (missing local issuer certificate)
[DBG] number of errors = 1
SSL_CERT CRITICAL sigges-training.fonasa.cl:443: Error verifying the certificate chain (missing local issuer certificate)|days_chain_elem1=320;20;15;;
[root@foprd01nagiosin libexec]#

The server is not responding to the default HTTPS port (443).

corti@macbookpro ~> sudo nmap -Pn sigges-training.fonasa.cl
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-09 12:57 CET
Nmap scan report for sigges-training.fonasa.cl (190.215.211.7)
Host is up (0.022s latency).
rDNS record for 190.215.211.7: static.190.215.211.7.gtdinternet.com
Not shown: 996 filtered tcp ports (no-response)
PORT    STATE  SERVICE
113/tcp closed ident
139/tcp closed netbios-ssn
179/tcp open   bgp
445/tcp closed microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 22.58 seconds
corti@macbookpro ~> telnet sigges-training.fonasa.cl 443
Trying 190.215.211.7...

If the plugin cannot connect, the certificate cannot be retrieved.

Thanks a lot Matteo for your reply and assistance. I fixed it finally.

I used the line below and it did work:

check_ssl_cert-2.76.0/check_ssl_cert -f "/usr/local/nagios/libexec/check_ssl_cert-2.76.0/reportespercapita.fonasa.cl.crt" -d --debug-cert -c 15 -w 20 -H 'reportespercapita.fonasa.cl' -r "/usr/local/nagios/libexec/check_ssl_cert-2.76.0/" -A --ignore-ocsp --ignore-incomplete-chain

[DBG] output parameters: STATUS = OK
[DBG] output parameters: CA_ISSUER_MATCHED = GlobalSign nv-sa
[DBG] output parameters: CHECKEDNAMES =
[DBG] output parameters: CN = reportespercapita.fonasa.cl
[DBG] output parameters: DATE = Oct 5 21:11:01 2024 GMT
[DBG] output parameters: DAYS_VALID = (expires in 331 days)
[DBG] output parameters: DYSPLAY_CN = 'reportespercapita.fonasa.cl'
[DBG] output parameters: OPENSSL_COMMAND = x509
[DBG] output parameters: SELFSIGNEDCERT =
[DBG] output parameters: SHORTNAME = SSL_CERT
[DBG] output parameters: OCSP_EXPIRES_IN_HOURS =
[DBG] output parameters: SSL_LABS_HOST_GRADE =
[DBG] output parameters: PROTOCOL = https
SSL_CERT OK - reportespercapita.fonasa.cl:443, https, x509 certificate 'reportespercapita.fonasa.cl' from 'GlobalSign nv-sa' valid until Oct 5 21:11:01 2024 GMT (expires in 331 days)|days_chain_elem1=331;20;15;;

Best Regards.
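Added example, not part of this thread or of check_ssl_cert: the debug output above fails at `openssl verify` with "error 20 at 0 depth lookup: unable to get local issuer certificate" because the saved .crt holds only the leaf and the trust store has no copy of its intermediate, and the final command works around that with --ignore-incomplete-chain. The script below rebuilds that situation with a throwaway root/intermediate/leaf chain, reproduces the error, and shows the alternative that keeps chain validation on: hand openssl the intermediate next to the leaf. All names (Example Root CA, example.invalid, the file names) are constructed for the example.

```shell
#!/bin/sh
# Added example (not check_ssl_cert code): reproduce "unable to get local
# issuer certificate" (error 20 at depth 0) with a constructed chain, then
# verify correctly by supplying the intermediate instead of ignoring the chain.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
# Extensions that make a certificate usable as a CA.
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign\n' > ca.ext

# Root CA (self-signed): stands in for the trust store on the Nagios host.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout root.key \
    -out root.csr -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
    -out root.pem 2>/dev/null
# Intermediate CA: the "local issuer" the plugin could not find.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout inter.key \
    -out inter.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out inter.pem 2>/dev/null
# Leaf certificate (constructed host name, not the real site).
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
    -out leaf.csr -subj "/CN=example.invalid" 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out leaf.pem 2>/dev/null

# Number of PEM certificates in a file; 1 means "no intermediates", which is
# what check_ssl_cert warned about right before its verify step failed.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Verify leaf $1 against trusted root $2, optionally with untrusted
# intermediates from $3. Prints OK, INCOMPLETE (error 20) or FAILED.
verify_chain() {
    status=0
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >out.txt 2>&1 || status=$?
    else
        openssl verify -CAfile "$2" "$1" >out.txt 2>&1 || status=$?
    fi
    if [ "$status" -eq 0 ]; then echo OK
    elif grep -q 'unable to get local issuer certificate' out.txt; then echo INCOMPLETE
    else echo FAILED; fi
}

cat leaf.pem inter.pem > bundle.pem   # what a well-configured server sends

echo "leaf alone:  $(cert_count leaf.pem) cert(s), verify: $(verify_chain leaf.pem root.pem)"
echo "with bundle: $(cert_count bundle.pem) cert(s), verify: $(verify_chain leaf.pem root.pem bundle.pem)"
```

The same idea applies to the plugin: saving the full chain (leaf plus intermediates) into the file given to -f, or adding the intermediate to the directory given to -r, lets the chain check pass without --ignore-incomplete-chain.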