Package: monitoring-plugins-contrib
Version: 35.20210512
Severity: normal
Tags: patch
check_ssl_cert can be called with a local file and it will check the
certificate (chain) contained in that file. To figure out the format, it
will call /usr/bin/file on the input file, and grep its output. If file
says "data", the contents are assumed to be in DER format and the
checking script attempts to convert it.

However, if the file*name* already contains data, this will also trigger.

} # file data.pem
} data.pem: PEM certificate
} # file data.pem | grep -E -q '(data|Certificate)' && echo 'clearly a DER file, right?'
} clearly a DER file, right?

| # sudo -u nagios ./check_ssl_cert_file -H localhost --ignore-ocsp -c 10 -w 20 -f ./data.pem -n data.example.com
| unable to load certificate
| 139687717052480:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1148:
| 139687717052480:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:308:Type=X509
| unable to load CRL
| 139951627083840:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:../crypto/asn1/asn1_lib.c:101:
| Invalid command ''; type "help" for a list.
| unable to load certificate
| 140600045199424:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE
| unable to load certificate
| 140140866662464:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE
| unable to load certificate
| 140645747900480:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE
| unable to load certificate
| 139760670384192:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE
| Invalid command ''; type "help" for a list.
| Invalid command ''; type "help" for a list.
| Invalid command ''; type "help" for a list.
| Invalid command ''; type "help" for a list.
| unable to load certificate
| 140287147626560:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE
| SSL_CERT CRITICAL ./data.pem: './data.pem' is not a valid certificate file
| Error(s):
| SSL_CERT CRITICAL : Cannot find Signed Certificate Timestamps (SCT)
| SSL_CERT CRITICAL : invalid CN ('CN unavailable' does not match 'data.example.com')
| SSL_CERT CRITICAL ./data.pem: './data.pem' is not a valid certificate file

One fix is to call file with --brief:

} # file --brief data.pem
} PEM certificate

| # sudo -u nagios ./check_ssl_cert_file.new -H localhost --ignore-ocsp -c 10 -w 20 -f ./data.pem -n data.example.com
| SSL_CERT OK - x509 certificate 'data.example.com' from 'R3' valid until [...]

Patch attached.

-- 
 .''`.  ** Debian **      Peter Palfrader
: :' :      The  universal     https://www.palfrader.org/
`. `'      Operating System
  `-    https://www.debian.org/
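The report above comes down to a format check that greps a string which also contains the file name. The following shell snippet is an added example, not part of the bug report or of check_ssl_cert itself: it reproduces the false match on constructed file(1) output strings, and shows a content-based alternative (`cert_format`, a hypothetical helper) that decides PEM versus DER from the bytes of the file rather than from file(1)'s description, so the file name cannot influence the result. The sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from check_ssl_cert or the bug report.

# old_check_matches_der DESCRIPTION
# Mirrors the unpatched test: grep file(1)'s full output for data|Certificate.
# Returns 0 when the description would be treated as DER.
old_check_matches_der() {
    printf '%s\n' "$1" | grep -E -q '(data|Certificate)'
}

# cert_format FILE
# Hypothetical content-based classifier. Prints one of: pem der empty unknown.
#  - PEM: a "-----BEGIN " armor line anywhere in the file
#  - DER: an X.509 certificate (or CRL, PKCS#7) is an ASN.1 SEQUENCE,
#         so its first byte is 0x30
cert_format() {
    f="$1"
    if [ ! -s "$f" ]; then
        echo empty
        return 0
    fi
    if grep -q -- '-----BEGIN ' "$f"; then
        echo pem
        return 0
    fi
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der
        return 0
    fi
    echo unknown
}

# Demonstration on constructed sample files.
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n' > "$demo_dir/data.pem"
printf '\060\202\001\000' > "$demo_dir/data.der"   # constructed DER prefix: SEQUENCE tag, long-form length
: > "$demo_dir/empty.crt"

# The file-name leak from the report: same description, with and without the name.
if old_check_matches_der 'data.pem: PEM certificate'; then
    echo "unpatched grep on 'data.pem: PEM certificate' -> treated as DER (wrong)"
fi
if ! old_check_matches_der 'PEM certificate'; then
    echo "grep on --brief output 'PEM certificate'       -> not DER (right)"
fi

for name in data.pem data.der empty.crt; do
    echo "$name: $(cert_format "$demo_dir/$name")"
done
rm -rf "$demo_dir"
```

`cert_format` only needs grep, od and tr, so it works without file(1) at all; in a checker, the classified file would still be handed to `openssl x509 -inform PEM` or `-inform DER`, which is the authoritative parser and reports malformed input on its own.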
--- check_ssl_cert_file.orig 2021-09-30 09:43:17.069332490 +0200 +++ check_ssl_cert_file 2021-09-30 09:44:15.509147025 +0200 @@ -941,7 +941,7 @@ exec_with_timeout "${CURL_BIN} ${CURL_PROXY} ${CURL_PROXY_ARGUMENT} ${INETPROTO} --silent --location \\\"${ELEMENT_ISSUER_URI}\\\" > ${ISSUER_CERT_TMP}" fi - debuglog "OCSP: issuer certificate type (1): $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )" + debuglog "OCSP: issuer certificate type (1): $(${FILE_BIN} --brief "${ISSUER_CERT_TMP}" | sed 's/.*://' )" if echo "${ELEMENT_ISSUER_URI}" | grep -F -q 'p7c' ; then debuglog "OCSP: converting issuer certificate from PKCS #7 to PEM" @@ -952,12 +952,12 @@ fi - debuglog "OCSP: issuer certificate type (2): $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )" + debuglog "OCSP: issuer certificate type (2): $(${FILE_BIN} --brief "${ISSUER_CERT_TMP}" | sed 's/.*://' )" # check the result - if ! "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -E -q ': (ASCII|PEM)' ; then + if ! "${FILE_BIN}" --brief "${ISSUER_CERT_TMP}" | grep -E -q ': (ASCII|PEM)' ; then - if "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -E -q '(data|Certificate)' ; then + if "${FILE_BIN}" --brief "${ISSUER_CERT_TMP}" | grep -E -q '(data|Certificate)' ; then debuglog "OCSP: converting issuer certificate from DER to PEM" @@ -965,7 +965,7 @@ ${OPENSSL} x509 -inform DER -outform PEM -in "${ISSUER_CERT_TMP2}" -out "${ISSUER_CERT_TMP}" - elif "${FILE_BIN}" "${ISSUER_CERT_TMP}" | grep -E -q 'empty' ; then + elif "${FILE_BIN}" --brief "${ISSUER_CERT_TMP}" | grep -E -q 'empty' ; then # empty certs are allowed debuglog "OCSP empty certificate detected: skipping" @@ -973,7 +973,7 @@ else - debuglog "OCSP: complete issuer certificate type $( ${FILE_BIN} "${ISSUER_CERT_TMP}" )" + debuglog "OCSP: complete issuer certificate type $( ${FILE_BIN} --brief "${ISSUER_CERT_TMP}" )" unknown "Unable to fetch a valid certificate issuer certificate." 
@@ -981,7 +981,7 @@ fi - debuglog "OCSP: issuer certificate type (3): $(${FILE_BIN} "${ISSUER_CERT_TMP}" | sed 's/.*://' )" + debuglog "OCSP: issuer certificate type (3): $(${FILE_BIN} --brief "${ISSUER_CERT_TMP}" | sed 's/.*://' )" if [ -n "${DEBUG_CERT}" ] ; then @@ -1392,7 +1392,7 @@ if [ "${HOST_NAME}" = "localhost" ] ; then debuglog "check if we have to convert the file ${FILE} to PEM" - debuglog "certificate type (1): $(${FILE_BIN} "${FILE}" | sed 's/.*://' )" + debuglog "certificate type (1): $(${FILE_BIN} --brief "${FILE}" | sed 's/.*://' )" if echo "${FILE}" | grep -q -E '[.](p12|pfx)$' ; then @@ -1412,7 +1412,7 @@ unknown "Error converting ${FILE}: $( head -n 1 "${PKCS12_ERROR}" ) " fi - elif "${FILE_BIN}" "${FILE}" | grep -q -E '(data|Certificate)' ; then + elif "${FILE_BIN}" --brief "${FILE}" | grep -q -E '(data|Certificate)' ; then debuglog 'converting DER to PEM' "${OPENSSL}" x509 -inform der -in "${FILE}" -out "${CERT}" @@ -1426,7 +1426,7 @@ fi debuglog "storing the certificate to ${CERT}" - debuglog "certificate type (2): $(${FILE_BIN} "${CERT}" | sed 's/.*://' )" + debuglog "certificate type (2): $(${FILE_BIN} --brief "${CERT}" | sed 's/.*://' )" else unknown "Error: option 'file' works with -H localhost only"
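Review bot: the hunk at @@ -952,12 +952,12 @@ keeps the leading colon in `grep -E -q ': (ASCII|PEM)'` after switching to `${FILE_BIN} --brief`, but --brief drops the "name:" prefix (the report shows it prints just `PEM certificate`), so that guard can no longer match and every issuer certificate, PEM ones included, falls through into the DER/empty/unknown branches; since `PEM certificate` matches neither `(data|Certificate)` nor `empty`, a normal PEM issuer would end in `unknown "Unable to fetch a valid certificate issuer certificate."` The reporter's test runs used --ignore-ocsp, so this path was not exercised. Change the pattern to `grep -E -q '^(ASCII|PEM)'` to match the new output.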
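Review bot: in the hunk at @@ -941,7 +941,7 @@ (and likewise in the other debuglog hunks at -952, -981, -1392 and -1426) the `| sed 's/.*://'` was there to strip the "name:" prefix, which `--brief` now already removes; leaving it in is harmless for `PEM certificate` but would truncate any description that itself contains a colon. Suggest dropping the sed in these debuglog lines, e.g. `debuglog "OCSP: issuer certificate type (1): $(${FILE_BIN} --brief "${ISSUER_CERT_TMP}")"`.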
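Review bot: the hunk at @@ -1412,7 +1412,7 @@ does fix the reported false positive, because the file name no longer appears in what `grep -q -E '(data|Certificate)'` sees; note however that `data` is file(1)'s description for anything it cannot classify, so any unrecognised file still takes the `openssl x509 -inform der` branch and is rejected by openssl rather than by this check. That is acceptable as long as the openssl error is surfaced; a comment saying that this branch intentionally relies on openssl to reject non-DER input would make the intent clear.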