
Invoke-IcingaCheckCertificate forces you to check CertStore #261

Closed
lazyfrosch opened this issue Jan 13, 2022 · 7 comments · Fixed by #265
lazyfrosch (Contributor) commented Jan 13, 2022

I have a case where I want to check certificates by reading from a directory. This worked before with an older standalone version.

In the current version $CertStore has a default value and cannot be $null, therefore the check will always check the certstore...

Example

```
PS> Invoke-IcingaCheckCertificate -CertPath C:\ProgramData\Icinga2\var\lib\icinga2\certs -CertName *.crt -WarningEnd 20d: -CriticalEnd 10d: -Verbosity 2
[CRITICAL] Certificates: 32 Critical 108 Ok .....
....
\_ [OK] Certificate 'host.example.com' (valid until 2022-11-12 : 302d) valid for: 302.88d
\_ [OK] Certificate 'host.example.com' at host.example.com.crt (valid until 2022-02-10 : 27d) valid for: 27.94d
\_ [CRITICAL] Certificate 'host' (valid until 2021-01-24 : -354d) valid for: -354.08d is lower than threshold 10d
\_ [CRITICAL] Certificate 'GlobalSign' (valid until 2021-12-15 : -29d) valid for: -29.24d is lower than threshold 10d
...
\_ [CRITICAL] Certificate 'www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign' (valid until 2016-10-25 : -1906d) valid for: -1906.53d is lower than threshold 10d
\_ [CRITICAL] Certificate 'www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign' (valid until 2016-10-25 : -1906d) valid for: -1906.53d is lower than threshold 10d
```

Workaround

Apparently setting -CertStorePath to something that does not exist works around the problem...

```
PS> Invoke-IcingaCheckCertificate -CertPath C:\ProgramData\Icinga2\var\lib\icinga2\certs -CertName *.crt -WarningEnd 20d: -CriticalEnd 10d: -Verbosity 2 -CertStorePath nonexisting
[OK] Certificates: 2 Ok
\_ [OK] Certificate 'host.example.com' at host.example.com.crt (valid until 2022-02-10 : 27d) valid for: 27.94d
\_ [OK] Certificate 'Example Corp CA' at ca.crt (valid until 2035-11-19 : 5057d) valid for: 5057.88d
```

lazyfrosch (Contributor, Author) commented

Apparently introduced by 7a03ae2c677ea1a16d0ecb3a1234da8015dcfd81

Thoughts @LordHepipud ? 😉

@lazyfrosch lazyfrosch added the bug Something isn't working label Jan 13, 2022
lazyfrosch (Contributor, Author) commented

cc @Crited

@LordHepipud LordHepipud added this to the v1.8.0 milestone Jan 13, 2022
@LordHepipud LordHepipud self-assigned this Jan 13, 2022
LordHepipud (Collaborator) commented

I see the problem. The value $null or empty string in ValidateSet caused problems with the Basket generations, because the basket failed within the Icinga Director.

I could offer the following solutions:

  • Add None to -CertStore ValidateSet and make it the default, which means CertStore is not used in this case
  • Ignore -CertStore, in case -CertPath is set

The last one seems to me a good solution, but I'm open to other ideas.

lazyfrosch (Contributor, Author) commented

Then the plugin would need to handle None. It would be a good idea to also remove the default value, and maybe set $CertStore = '*' when $CertStore and $CertPath are both not set.

LordHepipud (Collaborator) commented

The default values for certain plugins were introduced to automatically have the proper configuration for Icinga for Windows in .conf and Director basket files.

Either way it doesn't make a huge difference if the plugin has to handle None, if no value is set or we ignore -CertStore in case -CertPath is set.

All solutions require a simple and small logic to handle it.
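
The parameter handling proposed in the two comments above, written out as an added example; this is not code from the Icinga for Windows plugin, and the function name, the `None` value and the store names in the ValidateSet are assumptions for illustration. It combines both suggestions: `None` is the default so the Director basket never sees $null or an empty string, -CertStore is ignored whenever -CertPath is set, and `'*'` is used only when neither source is given.

```powershell
# Added example (hypothetical resolver, not the plugin's own code).
function Resolve-CertificateSource {
    [CmdletBinding()]
    param (
        # 'None' replaces $null/'' as the default, which keeps the value a
        # valid ValidateSet member for .conf and Director basket generation.
        [ValidateSet('None', '*', 'LocalMachine', 'CurrentUser')]
        [string]$CertStore = 'None',
        [array]$CertStorePath = @(),
        [array]$CertPath      = @(),
        [array]$CertName      = @()
    );

    $UsePath = ($CertPath.Count -gt 0);

    if ($UsePath) {
        # -CertPath given: the store is not touched at all, so a directory
        # check no longer reports every expired certificate in the store.
        $CertStore = 'None';
    } elseif ($CertStore -eq 'None') {
        # Neither -CertStore nor -CertPath given: scan all stores.
        $CertStore = '*';
    }

    return [PSCustomObject]@{
        CheckStore = ($CertStore -ne 'None');
        CertStore  = $CertStore;
        CheckPath  = $UsePath;
        CertPath   = $CertPath;
        CertName   = $CertName;
    };
}

# Case from the report: only -CertPath is set, so CheckStore is $false.
Resolve-CertificateSource -CertPath 'C:\ProgramData\Icinga2\var\lib\icinga2\certs' -CertName '*.crt'

# Neither source set: CheckStore is $true with CertStore '*'.
Resolve-CertificateSource

# Explicit store and no path: only that store is checked.
Resolve-CertificateSource -CertStore 'LocalMachine'
```

A caller no longer needs the `-CertStorePath nonexisting` workaround, and a certificate that is present both on disk and in the store is reported only from the source the user asked for.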

Backtrack89 commented

Hello all,
I got the following issue on this check:

[screenshot]

If I try it manually, it works fine.

[screenshot]

lazyfrosch (Contributor, Author) commented

@Backtrack89 not related to this issue and likely a problem that the Icinga 2 CheckCommand is not synced to the agent, e.g. via a global zone.
