Error Handling with Expired CA cert in local trust
grimz-ly opened this issue · 1 comment
Describe the bug
If the check has an issue with the URL and the CA bundle on the host doing the check contains an expired root certificate, error checking outputs OK.
To Reproduce
Example: check against a site where the certificate chain is incomplete.
Script run from a host where the CA bundle is OK will output:
SSL_CERT CRITICAL example-host:443: Cannot verify certificate: unable to get local issuer certificate
unable to verify the first certificate|days_chain_elem1=76;20;15;;
Script run from a host where the trusted CA is expired in the local CA bundle outputs:
SSL_CERT OK
Expected behavior
Using the --debug flag, it clearly notes that the CA cert is expired in the openssl check performed, but moves along and the check results in OK despite the cert chain being incomplete. Basically just looking for better error handling for this scenario.
Have also seen it output 'SSL_CERT CRITICAL host.example.com:8081: SSL error: socket: Bad file descriptor' when the service is unavailable on the port being checked. On a host with a good CA bundle, it simply outputs 'Cannot connect to host.example.com on port 8081'. So in that case, the opposite happens, in a manner.
System (please complete the following information):
- OS: redhat
- OS version: 7.9
- check_ssl_cert version: 2.78.0
- OpenSSL version (openssl version): 1.0.2k-fips
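The scenario in this report has two parts a practitioner would want to check independently: whether the local CA bundle itself carries expired roots, and whether a verification error is ever allowed to fall through to an OK result. The following is an added example, not code from check_ssl_cert or from the reporter. It walks a PEM bundle with a minimal DER parser (no third-party library) and reports every certificate whose notAfter is in the past, and it maps `openssl verify` style output to a Nagios state in which any error line wins and output without an explicit OK is UNKNOWN. The certificate bytes are constructed in the block (unsigned, certificate-shaped DER with only the fields the walk needs; they are not real certificates), and the `openssl verify` lines used to exercise `verify_state` are sample text in the format OpenSSL prints, not captured from the reporter's host. The helper names are assumptions of this example. Python is used because it can demonstrate the DER walk offline; on a real host the same audit is `openssl x509 -noout -enddate -checkend 0` over each certificate in the bundle.

```python
"""Added example (not check_ssl_cert's own code): audit a PEM CA bundle for
expired certificates with a minimal DER walk, and map `openssl verify` text
to a Nagios state so a broken chain never falls through to OK."""
import base64
import datetime
import re

UTC = datetime.timezone.utc
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a SEQUENCE."""
    pos = start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _asn1_time(buf, tag, vs, ve):
    """Decode UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18)."""
    s = buf[vs:ve].decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 4.1.2.5.1 rule
        s = f"{year}{s[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def cert_not_after(der):
    """notAfter of a DER certificate: Certificate -> tbsCertificate -> validity."""
    _, cs, _ = _tlv(der, 0)                # outer Certificate SEQUENCE
    _, ts, te = _tlv(der, cs)              # tbsCertificate SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields now: serialNumber, signature, issuer, validity, subject, ...
    _, vs, ve = fields[3]
    _not_before, not_after = list(_children(der, vs, ve))
    return _asn1_time(der, *not_after)


def expired_in_bundle(pem_text, now=None):
    """Return [(index, notAfter)] for every certificate in the bundle past notAfter."""
    now = now or datetime.datetime.now(UTC)
    expired = []
    for i, m in enumerate(PEM_RE.finditer(pem_text)):
        der = base64.b64decode("".join(m.group(1).split()))
        not_after = cert_not_after(der)
        if not_after < now:
            expired.append((i, not_after))
    return expired


def verify_state(openssl_output):
    """Map `openssl verify` output to (state, detail). Any error line is
    CRITICAL and output without an explicit 'OK' is UNKNOWN, so an incomplete
    chain or an expired issuer is never reported as OK."""
    lines = [l.strip() for l in openssl_output.splitlines() if l.strip()]
    for line in lines:
        if line.startswith("error") or "verification failed" in line:
            return "CRITICAL", line
    if lines and lines[-1].endswith(": OK"):
        return "OK", lines[-1]
    return "UNKNOWN", "no verification result in output"


# --- constructed sample data (hypothetical; not real certificates) ----------
def _der(tag, content):
    """Encode one DER TLV (short or long form length)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def fake_cert(not_before, not_after):
    """Unsigned, certificate-shaped DER with only the fields the walk needs."""
    utc = lambda s: _der(0x17, s.encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                # version v3
           + _der(0x02, b"\x01")                           # serialNumber
           + _der(0x30, b"") + _der(0x30, b"")             # signature, issuer
           + _der(0x30, utc(not_before) + utc(not_after))  # validity
           + _der(0x30, b"") + _der(0x30, b""))            # subject, spki
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


def pem(der):
    """Wrap DER bytes in PEM armour, 64 characters per line."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = (pem(fake_cert("200101000000Z", "210101000000Z"))     # expired
                 + pem(fake_cert("200101000000Z", "400101000000Z")))  # still valid
```

Run `expired_in_bundle(open("/etc/pki/tls/certs/ca-bundle.crt").read())` on a host to list stale roots; feed the text of a failed `openssl verify` to `verify_state` and it returns CRITICAL rather than OK. The UTCTime century rule follows RFC 5280 rather than strptime's own pivot, because the two disagree for years 50 to 68.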
Is there a public host that I can use for a test? Would it be possible to get the debugging output?