[Pkg-nagios-devel] Bug#995347: check_ssl_cert: needs to call file with --brief

Peter Palfrader weasel at debian.org
Thu Sep 30 08:47:18 BST 2021


Package: monitoring-plugins-contrib
Version: 35.20210512
Severity: normal
Tags: patch

check_ssl_cert can be called with a local file and it will check the
certificate (chain) contained in that file.

To figure out the format, it will call /usr/bin/file on the input file,
and grep its output.  If file says "data", the contents are assumed to
be in DER format and the checking script attempts to convert it.

However, if the file*name* already contains data, this will also
trigger.

} # file data.pem
} data.pem: PEM certificate

} # file data.pem | grep -E -q '(data|Certificate)'  && echo 'clearly a DER file, right?'
} clearly a DER file, right?


| # sudo -u nagios ./check_ssl_cert_file -H localhost --ignore-ocsp -c 10 -w 20 -f ./data.pem -n data.example.com
| unable to load certificate
| 139687717052480:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1148:
| 139687717052480:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:308:Type=X509
| unable to load CRL
| 139951627083840:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:../crypto/asn1/asn1_lib.c:101:
| Invalid command ''; type "help" for a list.
| unable to load certificate
| 140600045199424:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE
| unable to load certificate
| 140140866662464:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE
| unable to load certificate
| 140645747900480:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE
| unable to load certificate
| 139760670384192:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE
| Invalid command ''; type "help" for a list.
| Invalid command ''; type "help" for a list.
| Invalid command ''; type "help" for a list.
| Invalid command ''; type "help" for a list.
| unable to load certificate
| 140287147626560:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE
| SSL_CERT CRITICAL ./data.pem: './data.pem' is not a valid certificate file
| Error(s):
|     SSL_CERT CRITICAL : Cannot find Signed Certificate Timestamps (SCT)
|     SSL_CERT CRITICAL : invalid CN ('CN unavailable' does not match 'data.example.com')
|     SSL_CERT CRITICAL ./data.pem: './data.pem' is not a valid certificate file

One fix is to call file with --brief:

} # file --brief data.pem
} PEM certificate

| # sudo -u nagios ./check_ssl_cert_file.new -H localhost --ignore-ocsp -c 10 -w 20 -f ./data.pem -n data.example.com
| SSL_CERT OK - x509 certificate 'data.example.com' from 'R3' valid until [...]

Patch attached.
-- 
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: check_ssl_cert_file.diff
Type: text/x-diff
Size: 3958 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-nagios-devel/attachments/20210930/ebbfa023/attachment.diff>
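The failure mode in this report is that the format check greps a line in which the file name and the description are concatenated, so the name leaks into the decision. The following script is an added illustration, not code from the bug report, from check_ssl_cert or from the attached patch: it reproduces the mis-classification on constructed `file`-style lines (so it does not need /usr/bin/file installed), and then shows a content-based classifier that looks at the bytes of the file instead, which is immune to the name regardless of how `file` is invoked. The function names, the sample files and the temp directory layout are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of check_ssl_cert.

# Fragile pattern from the report: the argument is a whole `file` output line
# ("name: description"), so the file NAME is part of what grep inspects and a
# name containing "data" is taken for DER.
classify_from_file_line() {
    if printf '%s\n' "$1" | grep -E -q '(data|Certificate)'; then
        echo DER
    else
        echo PEM
    fi
}

# Content-based classifier (assumed helper): PEM is armoured text carrying a
# "-----BEGIN " header; a DER certificate starts with the ASN.1 SEQUENCE tag
# (byte 0x30). Anything else is reported as UNKNOWN with a non-zero status.
cert_format() {
    if grep -q -e '-----BEGIN ' "$1"; then
        echo PEM
        return 0
    fi
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo DER
        return 0
    fi
    echo UNKNOWN
    return 1
}

# Constructed samples in a temp dir: a PEM-armoured file whose NAME contains
# "data", the first bytes of a DER SEQUENCE, and a plain text file.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB' '-----END CERTIFICATE-----' > "$dir/data.pem"
    printf '\060\202\001\002' > "$dir/cert.der"
    printf 'hello\n' > "$dir/notes.txt"
    echo "$dir"
}

demo() {
    d=$(make_samples)
    echo "grep over 'data.pem: PEM certificate' -> $(classify_from_file_line 'data.pem: PEM certificate')"
    echo "grep over 'PEM certificate' (--brief)  -> $(classify_from_file_line 'PEM certificate')"
    for f in data.pem cert.der notes.txt; do
        echo "$f by content -> $(cert_format "$d/$f" || true)"
    done
    rm -rf "$d"
}
demo
```

Run it as `sh classify.sh`: the first line shows the wrong DER verdict for `data.pem: PEM certificate`, the second the correct PEM verdict once only the description is inspected, and the remaining lines show the content-based result for each sample. Passing `--brief` removes the name from the line, which is the fix the report proposes; inspecting the bytes removes the dependency on `file`'s wording altogether.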