Expiry warning breaks when insecure option is used
cronnelly opened this issue · 12 comments
The wrong expiry date is calculated when the -k (insecure) option is passed in. This then breaks expiry warning functionality.
For example:
/opt/sensu/embedded/bin/ruby check-http.rb -s -e 10000 -u 'https://www.google.com/'
CheckHttp WARNING: Certificate will expire 2017-05-17 08:58:00 UTC
And then with -k:
/opt/sensu/embedded/bin/ruby check-http.rb -s -e 10000 -u 'https://www.google.com/' -k
CheckHttp WARNING: Certificate will expire 2018-08-21 04:00:00 UTC
That is very interesting indeed. I have replicated at least a partial issue against master:
$ ./bin/check-http.rb -s -e 1000 -u https://sensuapp.org
CheckHttp WARNING: Certificate will expire 2019-06-02 23:59:59 UTC
$ ./bin/check-http.rb -s -k -e 1000 -u https://sensuapp.org
CheckHttp OK: 200, 147557 bytes
What's strange is that, other than its declaration, the only place I see it used is here: https://github.com/sensu-plugins/sensu-plugins-http/blob/2.0.2/bin/check-http.rb#L248
I verified that this does not change depending on the option: https://github.com/sensu-plugins/sensu-plugins-http/blob/2.0.2/bin/check-http.rb#L251
Here is where it's actually warning: https://github.com/sensu-plugins/sensu-plugins-http/blob/2.0.2/bin/check-http.rb#L297-L299 I validated that the presence or lack of -k does modify the value of warn_cert_expire and returns nil rather than the time object we expect.
I noticed an unrelated bug: we use expire_warn_date = Time.now + (config[:expiry] * 60 * 60 * 24), which returns local time, yet the datetime object returned back is in UTC. It can be fixed by using expire_warn_date = Time.now.utc + (config[:expiry] * 60 * 60 * 24)
I can get it to fail with a self-signed cert:
$ ./bin/check-http.rb -k -s -e 1118 -u https://sensuapp.org
"#################"
"preverify_ok: false"
"expire_warn_date: 2020-05-31 04:41:42 UTC"
"ssl_context: 2073956768635082639"
"expires: 2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is less than 2020-05-31 04:41:42 UTC"
2020-05-30 10:48:38 UTC
CheckHttp WARNING: Certificate will expire 2020-05-30 10:48:38 UTC
And here it is passing:
$ ./bin/check-http.rb -k -s -e 1117 -u https://sensuapp.org
"#################"
"preverify_ok: false"
"expire_warn_date: 2020-05-30 04:42:23 UTC"
"ssl_context: -3923783692178329667"
"expires: 2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is greater than 2020-05-30 04:42:23 UTC"
nil
CheckHttp OK: 200, 147557 bytes
Using the same thresholds, both fail:
$ ./bin/check-http.rb -s -e 1117 -u https://sensuapp.org
"#################"
"preverify_ok: true"
"expire_warn_date: 2020-05-30 04:43:14 UTC"
"ssl_context: -2011395565126727710"
"expires: 2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is greater than 2020-05-30 04:43:14 UTC"
"#################"
"preverify_ok: true"
"expire_warn_date: 2020-05-30 04:43:14 UTC"
"ssl_context: 777758307400937002"
"expires: 2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is greater than 2020-05-30 04:43:14 UTC"
"#################"
"preverify_ok: true"
"expire_warn_date: 2020-05-30 04:43:14 UTC"
"ssl_context: 217984350180844890"
"expires: 2029-02-11 23:59:59 UTC"
"2029-02-11 23:59:59 UTC is greater than 2020-05-30 04:43:14 UTC"
"#################"
"preverify_ok: true"
"expire_warn_date: 2020-05-30 04:43:14 UTC"
"ssl_context: 1108742464139091790"
"expires: 2019-06-02 23:59:59 UTC"
"2019-06-02 23:59:59 UTC is less than 2020-05-30 04:43:14 UTC"
2019-06-02 23:59:59 UTC
CheckHttp WARNING: Certificate will expire 2019-06-02 23:59:59 UTC
$ ./bin/check-http.rb -s -e 1118 -u https://sensuapp.org
"#################"
"preverify_ok: true"
"expire_warn_date: 2020-05-31 04:43:33 UTC"
"ssl_context: -2025936412499420192"
"expires: 2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is less than 2020-05-31 04:43:33 UTC"
"#################"
"preverify_ok: true"
"expire_warn_date: 2020-05-31 04:43:33 UTC"
"ssl_context: 3906575624049521192"
"expires: 2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is less than 2020-05-31 04:43:33 UTC"
"#################"
"preverify_ok: true"
"expire_warn_date: 2020-05-31 04:43:33 UTC"
"ssl_context: 1171332554718302776"
"expires: 2029-02-11 23:59:59 UTC"
"2029-02-11 23:59:59 UTC is greater than 2020-05-31 04:43:33 UTC"
"#################"
"preverify_ok: true"
"expire_warn_date: 2020-05-31 04:43:33 UTC"
"ssl_context: 942514266819725152"
"expires: 2019-06-02 23:59:59 UTC"
"2019-06-02 23:59:59 UTC is less than 2020-05-31 04:43:33 UTC"
2019-06-02 23:59:59 UTC
CheckHttp WARNING: Certificate will expire 2019-06-02 23:59:59 UTC
Looks like one of the certs is set to expire, and my guess would be an intermediate cert, but I have not verified this. I will try to take a look tomorrow if I have some time.
Looks like it's Comodo's (in this case) that makes it fail with the full chain:
$ ./bin/check-http.rb -s -e 1117 -u https://sensuapp.org
"#################"
"preverify_ok: true"
"expire_warn_date: 2020-05-30 05:02:43 UTC"
"ssl_context: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root"
"expires: 2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is greater than 2020-05-30 05:02:43 UTC"
"#################"
"preverify_ok: true"
"expire_warn_date: 2020-05-30 05:02:43 UTC"
"ssl_context: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root"
"expires: 2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is greater than 2020-05-30 05:02:43 UTC"
"#################"
"preverify_ok: true"
"expire_warn_date: 2020-05-30 05:02:43 UTC"
"ssl_context: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority"
"expires: 2029-02-11 23:59:59 UTC"
"2029-02-11 23:59:59 UTC is greater than 2020-05-30 05:02:43 UTC"
"#################"
"preverify_ok: true"
"expire_warn_date: 2020-05-30 05:02:43 UTC"
"ssl_context: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA"
"expires: 2019-06-02 23:59:59 UTC"
"2019-06-02 23:59:59 UTC is less than 2020-05-30 05:02:43 UTC"
2019-06-02 23:59:59 UTC
CheckHttp WARNING: Certificate will expire 2019-06-02 23:59:59 UTC
Whereas the cert itself does not:
$ ./bin/check-http.rb -k -s -e 1117 -u https://sensuapp.org
"#################"
"preverify_ok: false"
"expire_warn_date: 2020-05-30 05:02:27 UTC"
"ssl_context: /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root"
"expires: 2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is greater than 2020-05-30 05:02:27 UTC"
nil
CheckHttp OK: 200, 147557 bytes
@cronnelly can you verify the same behavior running the equivalent commands against your env?
I have pushed the debug statements that will give you similar output to above: https://github.com/sensu-plugins/sensu-plugins-http/blob/feature/debug-self-signed/bin/check-http.rb
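The distinction worked out in the comment above, as an added example that is not code from sensu-plugins-http or from anyone in this thread: chain verification (the step -k switches off) and reading not_after off the certificates are separate operations, and the expiry warning differs depending on whether only the leaf or the whole chain is inspected. The chain is constructed inline with lifetimes shaped like the debug output (intermediate expires before the leaf, root long after both); the subject names, serials, dates, the fixed clock FIXED_NOW and the helpers make_cert, sample_chain, chain_verifies? and expiry_warning are all assumptions of this example.

```ruby
require 'openssl'

# Fixed clock so the example is reproducible (constructed, not the real time).
FIXED_NOW = Time.utc(2018, 9, 1, 0, 0, 0)

# Issue a certificate with a chosen not_after; self-signed when no issuer is given.
# Subjects, serials and dates are constructed test data.
def make_cert(subject, serial, not_after, issuer: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.utc(2018, 8, 1, 0, 0, 0)
  cert.not_after  = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer ? issuer[:cert] : cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end

# Constructed root -> intermediate -> leaf chain. As in the issue's debug output,
# the intermediate expires before the leaf and the root long after both.
def sample_chain
  @sample_chain ||= begin
    root  = make_cert('/CN=Example Root CA', 1, Time.utc(2029, 2, 11, 23, 59, 59), ca: true)
    inter = make_cert('/CN=Example Issuing CA', 2, Time.utc(2019, 6, 2, 23, 59, 59), issuer: root, ca: true)
    leaf  = make_cert('/CN=www.example.test', 3, Time.utc(2020, 5, 30, 10, 48, 38), issuer: inter)
    { root: root[:cert], intermediate: inter[:cert], leaf: leaf[:cert] }
  end
end

# Chain verification as the check does it without -k (VERIFY_PEER): the leaf must
# chain to a trusted root. This is what -k disables; it does not read not_after.
def chain_verifies?(chain, trusted_root, now: FIXED_NOW)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_root)
  store.time = now # evaluate validity periods at the fixed clock, not the wall clock
  store.verify(chain[:leaf], [chain[:intermediate]])
end

# Expiry evaluation on the certificates themselves, independent of verification
# mode. Returns the not_after of the earliest-expiring certificate when it falls
# inside the warning window of `days`, or nil when nothing is due. Ruby compares
# Time objects as instants; .utc here only keeps the printed dates consistent.
def expiry_warning(certs, days, now: FIXED_NOW)
  expire_warn_date = now.utc + (days * 60 * 60 * 24)
  soonest = certs.min_by(&:not_after)
  soonest.not_after < expire_warn_date ? soonest.not_after.utc : nil
end

if $PROGRAM_NAME == __FILE__
  c = sample_chain
  puts "chain verifies against root: #{chain_verifies?(c, c[:root])}"
  [400, 700].each do |days|
    puts "-e #{days}, leaf only : #{expiry_warning([c[:leaf]], days).inspect}"
    puts "-e #{days}, full chain: #{expiry_warning(c.values, days).inspect}"
  end
end
```

With the 400-day window the leaf alone produces no warning while the full chain warns about the intermediate, which is the same shape as the -k versus no -k runs in the thread; at 700 days both warn, but about different certificates. Because expiry_warning only reads not_after from whatever certificates it is handed, it returns the same answer whether or not verification ran, so collecting the expiry from the certificates (or at least from the leaf's peer certificate) rather than inside the verify callback keeps the warning working when -k is set.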
@cronnelly you might consider using the sensu-plugins-ssl checks, as they are more geared towards this. I do see there is an option to skip the chain verification: https://github.com/sensu-plugins/sensu-plugins-ssl/blob/master/bin/check-ssl-host.rb#L96. Even if we don't fix this, I would certainly like to document this behavior and recommendations.
I spoke with @eheydrick about this; I don't see anyone "fixing" this unless you want to donate one. I will put together a PR to document this though, as it's certainly a gotcha.