
[apps::protocols::x509::plugin] certificate monitoring impossible because of user certificate #1022

Closed
ant0nwax opened this issue Jun 19, 2018 · 10 comments

@ant0nwax

ant0nwax commented Jun 19, 2018

Hi Quentin

There is a certificate monitor included in centreon (x509)

So I tried for half a day now to solve this and finally found the issue by debugging with s_client.

centreon shows this: (it is working with other certificates)

/usr/bin/perl /usr/lib64/nagios/centreon-plugins/centreon_plugins.pl --plugin apps::protocols::x509::plugin --mode validity --validity-mode expiration --ssl-opt="SSL_verify_mode=SSL_VERIFY_NONE" --critical-date '30:' --warning-date '60:' --hostname hostname.tld --port 443
CRITICAL: failed to accept or ssl handshake: ,IO::Socket::INET configuration failederror:00000000:lib(0):func(0):reason(0) |

s_client shows this:

openssl s_client -tls1 -connect 'hostname.tld:443' -showcerts
CONNECTED(00000003)
depth=1 C = CC, L = CITY-EXAMPLE, O = ORG-EXAMPLE, CN = CA-EXAMPLE
verify error:num=19:self signed certificate in certificate chain
verify return:0
139961056823112:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:**SSL alert number 40**
139961056823112:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
Certificate chain
(...)

Note as well the line

SSL alert number 40

That indicates the server won't accept the connection because no user certificate was presented (complete the command line).

You can use OpenSSL to check that a user certificate is presented to a server that needs it. You then have to specify the user certificate and the private key with the -cert and -key parameters.

So in this case the --ssl-opt="SSL_verify_mode=SSL_VERIFY_NONE" is not usable. Do you have any idea how we could get this certificate monitored? I already searched for an hour on the net and did not really find software for simulating a user certificate; maybe it would not be needed if you could tweak the code?

Thanks a lot and have a great day

@ant0nwax
Author

ant0nwax commented Jun 20, 2018

A suggestion for monitoring certificate expiry in bash

commands used: bc, date, echo, openssl, sed

echo "($(date +%s -d "$(echo | openssl s_client -connect [hostname.tld]:[port] 2>/dev/null | openssl x509 -noout -enddate | sed 's/.*notAfter=\(.*\)$/\1/g')") - $(date +%s)) / 86400" | bc
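
Building on the one-liner above, here is an added example (not the original post's code and not part of the centreon plugin): a POSIX shell script that fetches the server certificate, presenting a client certificate with -cert/-key when the server requires one as described in this issue, computes the days to expiry, and maps them onto the plugin's 30/60 thresholds. The client certificate and key paths are placeholders, and the self-signed test certificate is constructed for an offline self-check; GNU date (-d) and openssl are assumed.

```shell
#!/bin/sh
# Added example: server certificate expiry check with optional client certificate.
# Assumes openssl and GNU date (for `date -d`).

# Days until the notAfter of the PEM certificate read on stdin.
days_until_expiry() {
  end=$(openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
  [ -n "$end" ] || return 1          # no certificate found in the input
  end_epoch=$(date -d "$end" +%s)
  now_epoch=$(date +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Map a day count onto critical/warning thresholds (defaults match the
# plugin call in this issue: critical below 30 days, warning below 60).
classify_days() {
  days=$1; crit=${2:-30}; warn=${3:-60}
  if [ "$days" -lt "$crit" ]; then echo CRITICAL
  elif [ "$days" -lt "$warn" ]; then echo WARNING
  else echo OK; fi
}

# Fetch the server's certificate chain. $3/$4 are optional client
# certificate and key paths (placeholders here), passed as -cert/-key so a
# server that demands a user certificate completes the handshake.
fetch_server_cert() {
  host=$1; port=$2; cert=$3; key=$4
  if [ -n "$cert" ]; then
    echo | openssl s_client -connect "$host:$port" -servername "$host" \
      -cert "$cert" -key "$key" 2>/dev/null
  else
    echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null
  fi
}

# Nagios-style status line and exit code (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN).
check_expiry() {
  days=$(fetch_server_cert "$@" | days_until_expiry) || { echo "UNKNOWN: no certificate"; return 3; }
  status=$(classify_days "$days")
  echo "$status: certificate expires in $days days"
  case $status in OK) return 0;; WARNING) return 1;; *) return 2;; esac
}

# Constructed self-signed certificate valid for 90 days, for an offline self-check.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
    -subj /CN=example.test -days 90 2>/dev/null
}

# Usage: check_expiry hostname.tld 443 /path/to/client.pem /path/to/client.key
```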

@cgagnaire
Contributor

Hi @ant0nwax,
What's your OS, Net-SSLeay and IO-Socket-SSL versions?
Thank you.

@ant0nwax
Author

Hi @cgagnaire

Thanks for looking into this.

root@monitoringsrv ~ # cat /etc/centos-release
CentOS release 6.10 (Final)
root@monitoringsrv ~ # uname -a
Linux monitoringsrv.domain.tld 2.6.32-754.6.3.el6.x86_64 #1 SMP Tue Oct 9 17:27:49 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
root@monitoringsrv ~ # yum list installed | grep -i ssl
globus-gsi-openssl-error.x86_64 4.0-1.el6 @epel
globus-gsi-proxy-ssl.x86_64 6.0-1.el6 @epel
globus-openssl-module.x86_64 5.0-1.el6 @epel
mod_ssl.x86_64 1:2.2.15-69.el6.centos @base
nss_compat_ossl.x86_64 0.9.6-2.el6_7 @base
openssl.x86_64 1.0.1e-57.el6 @base
openssl-devel.x86_64 1.0.1e-57.el6 @base
openssl-perl.x86_64 1.0.1e-57.el6 @base
perl-Crypt-SSLeay.x86_64 0.57-17.el6 @base
perl-IO-Socket-SSL.noarch 1.31-3.el6_8.2 @base
perl-Net-SSLeay.x86_64 1.35-10.el6_8.1 @base
pyOpenSSL.x86_64 0.13.1-2.el6 @base
python-backports-ssl_match_hostname.noarch
xmlsec1-openssl.x86_64 1.2.20-4.el6 @base

Hope this helps you to understand... I could provide log files.
The machine was updated since the support request was raised, so actually I would need to
test this again... just I think the centreon part was not updated... how can we find that out?

@garnier-quentin
Contributor

Do you have a website to test it?

@ant0nwax
Author

I am back on that project only in July; I will update this message here in July.

@ant0nwax
Author

ant0nwax commented Jul 10, 2019 via email

@garnier-quentin
Contributor

I can't reproduce your errors with the test website from the 'stackoverflow' thread.

@ant0nwax
Author

It is working, yes, because the certificate you check is on https:// and the current script cannot check https:// /secure, I assume?

@ant0nwax
Author

I cannot edit the last post for an unknown reason, so I post again:

root@magicaltestserver ~ # /usr/bin/perl /usr/lib64/nagios/centreon-plugins/centreon_plugins.pl --plugin apps::protocols::x509::plugin --mode validity --validity-mode expiration --ssl-opt="SSL_verify_mode=SSL_VERIFY_NONE" --critical-date '30:' --warning-date '60:' --hostname server.cryptomix.com/secure --port 443
CRITICAL: failed to accept or ssl handshake: Invalid argument,IO::Socket::INET6 configuration failederror:00000000:lib(0):func(0):reason(0)

@garnier-quentin
Contributor

There is an issue with your hostname here:

--hostname='server.cryptomix.com'
