matteocorti/check_ssl_cert

Error Handling with Expired CA cert in local trust

grimz-ly opened this issue · 1 comment

Describe the bug
If the check has an issue with the URL and the CA bundle on the host doing the check contains an expired root certificate, error checking outputs OK.

To Reproduce
example: check against a site where the certificate chain is incomplete

Script run from a host where the CA bundle is OK will output

SSL_CERT CRITICAL example-host:443: Cannot verify certificate: unable to get local issuer certificate
unable to verify the first certificate|days_chain_elem1=76;20;15;;

Script run from a host where the trusted CA in the local CA bundle is expired outputs

SSL_CERT OK

Expected behavior

Using the --debug flag, it clearly notes that the CA cert is expired in the openssl check performed, but moves along and the check results in OK despite the cert chain being incomplete. Basically just looking for better error handling for this scenario.

Have also seen it output 'SSL_CERT CRITICAL host.example.com:8081: SSL error: socket: Bad file descriptor' when the service is unavailable on the port being checked. On a host w/ a good CA bundle, it simply outputs 'Cannot connect to host.example.com on port 8081'. So in that case, the opposite happens in a manner.

System (please complete the following information):

  • OS: redhat
  • OS version: 7.9
  • check_ssl_cert version: 2.78.0
  • OpenSSL version (openssl version): 1.0.2k-fips

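Added example, not code from check_ssl_cert or from the reporter: a POSIX shell wrapper that does the two things this report asks for, auditing the local bundle for expired roots and refusing to report OK when openssl cannot verify the chain. It assumes the openssl CLI is on PATH; the bundle and chain paths are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example (not check_ssl_cert's own code). Assumes the openssl CLI is on PATH.

# count_expiring_certs BUNDLE [HORIZON]
# Prints the number of certificates in a PEM bundle whose notAfter falls within
# HORIZON seconds (default 0, i.e. already expired). Each offender's subject and
# enddate go to stderr so an operator can prune the bundle.
count_expiring_certs() {
    bundle="$1"; horizon="${2:-0}"; n=0
    dir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { i++; f = dir "/cert" i ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    for c in "$dir"/cert*.pem; do
        [ -f "$c" ] || continue
        # -checkend exits non-zero when the cert expires within HORIZON seconds.
        if ! openssl x509 -in "$c" -noout -checkend "$horizon" >/dev/null 2>&1; then
            n=$((n + 1))
            openssl x509 -in "$c" -noout -subject -enddate >&2
        fi
    done
    rm -rf "$dir"
    echo "$n"
}

# verify_chain BUNDLE CHAIN_PEM
# Returns 0 only if openssl verify exits 0 AND prints no error text, so a
# verification failure can never be mistaken for success.
verify_chain() {
    bundle="$1"; chain="$2"; rc=0
    out=$(openssl verify -CAfile "$bundle" "$chain" 2>&1) || rc=$?
    case "$out" in
        *error*|*"verification failed"*) rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && return 0
    printf 'SSL_CERT CRITICAL: %s\n' "$out" >&2
    return 1
}
```

Run count_expiring_certs against the bundle first; a non-zero count explains a verify failure that otherwise looks like an incomplete chain on the remote side.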

Is there a public host that I can use for a test? Would it be possible to get the debugging output?