`ssl_cert` check: defaulting `ssl_cert_cn` to `ssl_cert_altnames` doesn't work

Open jktr opened this issue 2 months ago • 0 comments

Describe the bug

In https://github.com/Icinga/icinga2/pull/9758, the `ssl_cert` check was modified to default `ssl_cert_cn` to `ssl_cert_altnames` for backwards compatibility. However, that doesn't work because `ssl_cert_altnames` is a boolean option and `ssl_cert_cn` expects a pattern. This results in `--match true` or `--match false` being passed to check_cert, which causes false negatives.

To Reproduce

Configure the `ssl_cert` check, with `ssl_cert_altnames` set but `ssl_cert_cn` not set. The inspect view on the service will show the incorrect `--match` being generated, and the check will fail with a false negative due to this.

Expected behavior

`ssl_cert`'s `ssl_cert_cn` should not default to `ssl_cert_altnames`.

Your Environment

Include as many relevant details about the environment you experienced the problem in

  • Version used (icinga2 --version): r2.15.1-1
  • Operating System and version: debian 12

Additional context

A workaround for this issue is avoiding the compatibility code by setting `ssl_cert_cn` explicitly.

I previously opened a PR for this at https://github.com/Icinga/icinga2/pull/10611 but could not proceed with it due to the Corporate CLA requirement.

jktr, Oct 22 '25 12:10
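One way to find services hit by this, as an added example that is not part of the original issue or of Icinga's code: it flags `ssl_cert` services whose last executed command line carries `--match true` or `--match false`. The sample data is constructed and shaped like an Icinga 2 API `/v1/objects/services` response; the plugin placeholder, service names and function names are assumptions.

```python
import json
import shlex

# A boolean rendered into the pattern slot is the symptom described in the issue.
BOOL_LITERALS = {"true", "false"}

# Constructed sample, shaped like a /v1/objects/services API response.
# "plugin-placeholder" stands in for the real plugin path.
SAMPLE = json.loads("""
{"results": [
 {"name": "web1!cert", "attrs": {"check_command": "ssl_cert",
   "last_check_result": {"command": ["plugin-placeholder", "--match", "true"]}}},
 {"name": "web2!cert", "attrs": {"check_command": "ssl_cert",
   "last_check_result": {"command": ["plugin-placeholder", "--match", "web2.example.org"]}}},
 {"name": "web3!cert", "attrs": {"check_command": "ssl_cert",
   "last_check_result": {"command": "plugin-placeholder --match false"}}},
 {"name": "web4!http", "attrs": {"check_command": "http",
   "last_check_result": {"command": ["other-placeholder", "--match", "true"]}}},
 {"name": "web5!cert", "attrs": {"check_command": "ssl_cert",
   "last_check_result": null}}
]}
""")

def match_values(command):
    """Return every value passed to --match in a rendered command line."""
    # Assumption: the command is either an argv list or a single shell-style string.
    argv = shlex.split(command) if isinstance(command, str) else list(command)
    values = []
    for i, arg in enumerate(argv):
        if arg == "--match" and i + 1 < len(argv):
            values.append(argv[i + 1])
        elif arg.startswith("--match="):
            values.append(arg.split("=", 1)[1])
    return values

def affected_services(response):
    """List (service, value) pairs where ssl_cert ran with a boolean as its pattern."""
    hits = []
    for obj in response.get("results", []):
        attrs = obj.get("attrs", {})
        if attrs.get("check_command") != "ssl_cert":
            continue  # only the ssl_cert CheckCommand is in scope here
        result = attrs.get("last_check_result") or {}  # null until first check
        bad = [v for v in match_values(result.get("command") or [])
               if v.lower() in BOOL_LITERALS]
        if bad:
            hits.append((obj["name"], bad[0]))
    return hits

if __name__ == "__main__":
    for name, value in affected_services(SAMPLE):
        print(f"{name}: --match {value} (set ssl_cert_cn explicitly)")
```

Services that wrap `ssl_cert` in a custom CheckCommand with a different name are not matched by the `check_command` filter and need it adjusted.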