[Pkg-nagios-devel] Bug#880743: nagios-plugins-contrib: check_ssl_cert can't use -servername option of openssl s_client
Johan Fleury
jfleury at arcaik.net
Sat Nov 4 17:43:15 UTC 2017
Package: nagios-plugins-contrib
Version: 21.20170222
Severity: important
Dear Maintainer,
The check_ssl_cert plugin of nagios-plugins-contrib can't use TLS SNI
due to a bug in the way it detects available options of `openssl
s_client`.
It uses a fake option when running `openssl s_client` to check the output
for the correct options. Here is the comment that explains this
behaviour:
################################################################################
# Check if openssl s_client supports the -servername option
#
# openssl s_client does not have a -help option
# => We supply an invalid command line option to get the help
# on standard error
#
This bug appears because Debian Stretch's version of openssl now
has a `-help` option:
# openssl s_client not_a_real_option
s_client: Use -help for summary.
# openssl s_client -help
Usage: s_client [options]
Valid options are:
...
Here is the output of check_ssl_cert on one of my domains that requires
SNI:
# /usr/lib/nagios/plugins/check_ssl_cert -v -H arcaik.net
expect not available
timeout available (/usr/bin/timeout)
found GNU date with timestamp support: enabling date computations
'/usr/bin/openssl s_client' does not support '-servername': disabling
virtual server support
downloading certificate to /tmp
parsing the certificate file
cannot find the CA Issuers in the certificate: disabling OCSP checks
The certificate will expire in 3649 day(s)
SSL_CERT CRITICAL subject=CN = vps01.br0.fr: Cannot verify
certificate, self signed certificate|days=3649;;;;
I can't use this version of check_ssl_cert to monitor my certs anymore.
Is it possible to fix the script for the stable distribution? I already
have a workaround but I would rather use the Debian shipped plugins.
Best regards
-- System Information:
Debian Release: 9.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
nagios-plugins-contrib depends on no packages.
Versions of packages nagios-plugins-contrib recommends:
ii bind9-host 1:9.10.3.dfsg.P4-12.3+deb9u3
pn binutils <none>
pn freeipmi-tools <none>
ii libc6 2.24-11+deb9u1
pn libdata-validate-domain-perl <none>
pn libdata-validate-ip-perl <none>
pn libdate-manip-perl <none>
pn libdbd-mysql-perl <none>
pn libio-socket-ssl-perl <none>
pn libipc-run-perl <none>
ii liblocale-gettext-perl 1.07-3+b1
pn liblwp-useragent-determined-perl <none>
pn libmail-imapclient-perl <none>
pn libmemcached11 <none>
pn libmemcachedutil2 <none>
ii libmonitoring-plugin-perl 0.39-1
pn libnet-cups-perl <none>
ii libnet-dns-perl 1.07-1
pn libnet-dns-sec-perl <none>
pn libnet-smtp-ssl-perl <none>
pn libnet-smtp-tls-perl <none>
pn libnet-smtpauth-perl <none>
pn libnet-snmp-perl <none>
pn libnet-ssleay-perl <none>
pn libreadonly-perl <none>
pn libredis-perl <none>
pn libtimedate-perl <none>
pn libvarnishapi1 <none>
pn libwebinject-perl <none>
pn libxml-simple-perl <none>
pn libyaml-syck-perl <none>
ii lsof 4.89+dfsg-0.1
pn nagios-plugins-basic <none>
ii openssl 1.1.0f-3+deb9u1
ii perl 5.24.1-3+deb9u2
ii perl-base [libsocket-perl] 5.24.1-3+deb9u2
ii python 2.7.13-2
pn python-pymongo <none>
ii ruby 1:2.3.3
ii snmp 5.7.3+dfsg-1.7
ii whois 5.2.17~deb9u1
Versions of packages nagios-plugins-contrib suggests:
pn backuppc <none>
pn cciss-vol-status <none>
pn expect <none>
pn libsys-virt-perl <none>
pn moreutils <none>
pn mpt-status <none>
pn nagios-plugin-check-multi <none>
pn percona-toolkit <none>
pn perl-doc <none>
ii python2.7 2.7.13-2
pn smstools <none>
-- no debconf information
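
The detection failure described in this report, as an added example that is not part of the original message and not check_ssl_cert's own code: legacy_probe paraphrases the invalid-option probe, supports_servername asks for -help instead, and sni_args fails with status 3 (UNKNOWN in the Nagios plugin convention) rather than silently dropping SNI. All function names are hypothetical, and the fake_* functions are constructed stand-ins for two openssl builds.

```shell
#!/bin/sh
# Added example. The fake_* functions are constructed stand-ins for two
# openssl builds so that the script runs offline.

fake_openssl_old() {    # no -help: any unknown option dumps usage on stderr
    printf '%s\n' "unknown option $2" "usage: s_client args" \
        " -host host         - use -connect instead" \
        " -connect host:port - who to connect to" \
        " -servername host   - Set TLS extension servername in ClientHello" >&2
    return 1
}

fake_openssl_110() {    # behaviour shown in the report for Stretch
    if [ "$2" = "-help" ]; then
        printf '%s\n' "Usage: s_client [options]" "Valid options are:" \
            " -help            Display this summary" \
            " -connect val     TCP/IP where to connect" \
            " -servername val  Set TLS extension servername in ClientHello" >&2
        return 0
    fi
    echo "s_client: Use -help for summary." >&2
    return 1
}

# Detection as the report describes it: invalid option, then search the output.
legacy_probe() {
    out=$("$1" s_client not_a_real_option 2>&1 </dev/null) || true
    printf '%s\n' "$out" | grep -q -- '-servername'
}

# 0 = -servername listed, 1 = usage obtained without it, 2 = no usage text.
supports_servername() {
    # -help is itself an unknown option on old builds, so it yields the usage
    # text on both kinds of build. Capture stdout and stderr; never read stdin.
    usage=$("$1" s_client -help 2>&1 </dev/null) || true
    n=$(printf '%s\n' "$usage" | grep -c '^[[:space:]]*-[A-Za-z0-9]') || true
    [ "${n:-0}" -ge 3 ] || return 2     # a one-line hint is not a usage text
    printf '%s\n' "$usage" | grep -Eq '^[[:space:]]*-servername([[:space:]]|$)'
}

# Print the SNI arguments, or fail loudly instead of silently dropping SNI.
sni_args() {    # sni_args OPENSSL_CMD HOSTNAME; 3 = Nagios UNKNOWN
    st=0; supports_servername "$1" || st=$?
    case $st in
        0) printf '%s\n' "-servername $2" ;;
        1) echo "UNKNOWN: openssl has no -servername option" >&2; return 3 ;;
        *) echo "UNKNOWN: could not read s_client options" >&2; return 3 ;;
    esac
}
```

Against a real installation, pass the binary's path as the first argument, for example `sni_args /usr/bin/openssl arcaik.net`.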