Verifying SANS are present

[jax7778]

Hello,

We recently upgraded our Nagios installation, and as part we updated the copy of this plugin. The changes made (it had been quite a while since it was last updated) seem to have broken our check.

The goal of this check is to verify that the correct SANs are present on the current certificate. I know this is a bit of an odd check, but the last 3 times the cert has been replaced a crucial SAN has been left out, causing issues on our main site. The results of the current check appear to be that only the last SAN mentioned, www.SAN4.com in this case, is the one checked. Any help is greatly appreciated. Thanks in advance.

Here is an example with specific information removed:
check_ssl_cert -H $HOSTADDRESS$ -p 443 -n *.SAN1.edu -n SAN1.edu -n SAN2.com -n www.SAN2.com -n SAN3.com -n www.SAN3.com -n SAN4.com -n www.SAN4.com --ignore-exp --altnames --format "%SHORTNAME% OK %DISPLAY_CN%%CHECKEDNAMES%"

[matteocorti]

Hi

There is a bug ...

I'll check

Matteo

[matteocorti]

Bug fixed in the latest release: can you please test?

[jax7778]

Thanks so much for getting back to me, and for looking into the issue. I didn't catch this until now, but I will check it on Monday when I am back in the office.

[jax7778]

Well, now we are getting an error that the hostname does not match the CN, which in a way is great. In the command in the first post, the error reads. $HOSTADDRESS$ does not match *.SAN1.edu, adding in a backslash. If I remove *.SAN1.edu then the error clears, and the command appears to work as intended!

So the issue is mostly resolved. The only remaining issue is that it doesn't seem to be able to correctly interpret the wildcard cert, but other than that it appears to be working as intended. I thought the asterisk needed to be escape, but I tried the standard escape but it did not resolve the error. Any suggestions are greatly appreciated.

Thanks so much for working on this issue.

[matteocorti]

Thanks. I reopened the issue. Do you have an example to test?

[matteocorti]

I am unable to reproduce the problem:

$  ./check_ssl_cert -H sp.ethz.ch -n '*.sp.ethz.ch' -n sherlock.sp.ethz.ch --ignore-exp --altnames --format "%SHORTNAME% OK %DISPLAY_CN%%CHECKEDNAMES%"
SSL_CERT OK '*.sp.ethz.ch' (sp.ethz.ch *.sp.ethz.ch sherlock.sp.ethz.ch) 

If you prefer not to publish an example, you can send it to me in private (although I don't really understand why a hostname with an HTTP server should be kept private). You can use: [email protected]

[jax7778]

Nagios is running on RHEL 7. We should be able to get that OpenSSL version upgraded. That is the full output.

[matteocorti]

Ok. It's a RHEL backported version. I'll check on Centos 7.

[matteocorti]

I just checked on a RHEL 7 machine and cannot reproduce.

• which version of check_ssl_cert are you running (check_ssl_cert --version)
• the debugging output is very strange as several parts are missing, can you please try to generate it with the --debug-file option?

[jax7778]

Sorry for this late reply.

Version: check_ssl_cert version 2.4.0

I noticed that you were on 2.4.1 . Updated to this version, same issue.

I an attempt to get you the full output of the debug command, I ran the command manually from terminal, and it worked without issue. It is still failing in Nagios, but since it works from terminal I am not sure how to proceed.

It keeps adding a backslash in front of the *.uco.edu address when ran from Nagios itself. such as "*.uco.edu" I can post the full output from the debug command from terminal, but since it shows successful, I am not sure how much assistance it would be.

***Edit After messing around with quotes, I got this to work. To get the command to pass properly I had to put two sets of single quotes around the wildcard SAN name like so ''*uco.edu'' does not work with two sets of double quotes.

Hopefully that information helps.

Thanks so much for all of your work on this.

[matteocorti]

This is a useful info.... Thanks!
I updated the README.md file