ERROR: The file named /var/tmp/cert.zgIe9J is unreadable

Open iamjenechka opened this issue 5 years ago • 12 comments

when using domainlist file, got an error:

ERROR: The file named /var/tmp/cert.zgIe9J is unreadable or doesn't exist
ERROR: Please check to make sure the certificate for xxxxxxxxxx.com:443 is valid

iamjenechka avatar Dec 17 '19 11:12 iamjenechka

Hey @jimisan. Which domain are you running ssl-cert-check against? Can you try the version I just uploaded? I incorporated a ton of fixes from Daniel Lewart.

Matty9191 avatar Jan 17 '20 18:01 Matty9191

Hi,

I am also experiencing this issue. I tested on various Linux installs without any issues. I only get this on FreeBSD.

FreeBSD 11.3-RELEASE-p5

What I notice is that the -c is ignored and it tries to do a lookup using the localhost name on port 443. The tmp file cert name is random.

# /root/server-fixes/ssl-cert-check  -b -c /usr/local/etc/letsencrypt/live/example.com/cert1.pem
ERROR: The file named /var/tmp/cert.RqubS3 is unreadable or doesn't exist
ERROR: Please check to make sure the certificate for **local host name**:443 is valid

If you have any ideas I can troubleshoot for you. Not sure why the code would want to create a tmp file though.

danie-dejager avatar Jan 22 '20 14:01 danie-dejager

Here is the output of bash -x

root@server1:~/server-fixes # bash -x ./ssl-cert-check -b -c /etc/certs/example.com.crt

+ PROGRAMVERSION=4.12
+ trap cleanup EXIT INT TERM QUIT
+ PATH=/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/local/ssl/bin:/usr/sfw/bin
+ export PATH
+ ADMIN=root
+ SENDER=
+ WARNDAYS=30
+ QUIET=FALSE
+ ALARM=FALSE
+ NAGIOS=FALSE
+ NAGIOSSUMMARY=FALSE
+ PKCSDBPASSWD=
+ CERTTYPE=pem
++ command -v awk
+ AWK=/usr/bin/awk
++ command -v date
+ DATE=/bin/date
++ command -v grep
+ GREP=/usr/bin/grep
++ command -v openssl
+ OPENSSL=/usr/bin/openssl
++ command -v printf
+ PRINTF=printf
++ command -v sed
+ SED=/usr/bin/sed
++ command -v mktemp
+ MKTEMP=/usr/bin/mktemp
++ command -v find
+ FIND=/usr/bin/find
+ '[' -f /usr/bin/mailx ']'
+ MAIL=/usr/bin/mailx
+ MAILMODE=mailx
+ RETCODE=0
+ SUMMARY_VALID=0
+ SUMMARY_WILL_EXPIRE=0
+ SUMMARY_EXPIRED=0
+ SUMMARY_MIN_DIFF=0
+ SUMMARY_MIN_DATE=
+ SUMMARY_MIN_HOST=
+ SUMMARY_MIN_PORT=
+ umask 077
+ getopts abc:d:e:E:f:hik:nNp:qs:St:Vx: option
+ case "${option}" in
+ NOHEADER=TRUE
+ getopts abc:d:e:E:f:hik:nNp:qs:St:Vx: option
+ case "${option}" in
+ CERTFILE=/etc/certs/example.com.crt
+ getopts abc:d:e:E:f:hik:nNp:qs:St:Vx: option
+ '[' '!' -f /usr/bin/openssl ']'
+ '[' '!' -f /bin/date ']'
+ '[' '!' -f /usr/bin/grep ']'
+ '[' '!' -f /usr/bin/find ']'
+ '[' '!' -f /usr/bin/mktemp ']'
+ '[' -z printf ']'
+ '[' '!' -f /usr/bin/sed ']'
+ '[' '!' -f /usr/bin/awk ']'
+ '[' FALSE = TRUE ']'
+ /usr/bin/openssl s_client -help
+ grep -servername
+ TLSSERVERNAME=TRUE
++ /usr/bin/mktemp /var/tmp/cert.XXXXXX
+ CERT_TMP=/var/tmp/cert.wYFxwZ
++ /usr/bin/mktemp /var/tmp/error.XXXXXX
+ ERROR_TMP=/var/tmp/error.DYA35M
++ /bin/date +%m
+ MONTH=01
++ /bin/date +%d
+ DAY=23
++ /bin/date +%Y
+ YEAR=2020
++ date2julian 1 23 2020
++ '[' 1 '!=' '' ']'
++ '[' 23 '!=' '' ']'
++ '[' 2020 '!=' '' ']'
++ d2j_tmpmonth=24238
++ d2j_tmpyear=2019
++ echo 2458872
+ NOWJULIAN=2458872
+ '[' -n /var/tmp/cert.wYFxwZ ']'
+ '[' -n /var/tmp/error.DYA35M ']'
+ touch /var/tmp/cert.wYFxwZ /var/tmp/error.DYA35M
+ '[' server1.test.lan '!=' '' ']'
+ print_heading
+ '[' TRUE '!=' TRUE ']'
+ check_server_status server1.test.lan 443
+ PORT=443
+ case "$PORT" in
+ TLSFLAG=
+ '[' TRUE = FALSE ']'
+ OPTIONS='-connect server1.test.lan:443 -servername server1.test.lan '
+ echo ''
+ /usr/bin/openssl s_client -connect server1.test.lan:443 -servername server1.test.lan
+ /usr/bin/grep -i 'Connection refused' /var/tmp/error.DYA35M
+ /usr/bin/grep -i 'No route to host' /var/tmp/error.DYA35M
+ /usr/bin/grep -i 'gethostbyname failure' /var/tmp/error.DYA35M
+ /usr/bin/grep -i 'Operation timed out' /var/tmp/error.DYA35M
+ /usr/bin/grep -i 'ssl handshake failure' /var/tmp/error.DYA35M
+ /usr/bin/grep -i 'connect: Connection timed out' /var/tmp/error.DYA35M
+ /usr/bin/grep -i 'Name or service not known' /var/tmp/error.DYA35M
+ check_file_status /var/tmp/cert.wYFxwZ server1.test.lan 443
+ CERTFILE=/var/tmp/cert.wYFxwZ
+ HOST=server1.test.lan
+ PORT=443
+ '[' '!' -r /var/tmp/cert.wYFxwZ ']'
+ '[' '!' -s /var/tmp/cert.wYFxwZ ']'
+ echo 'ERROR: The file named /var/tmp/cert.wYFxwZ is unreadable or doesn'\''t exist'
ERROR: The file named /var/tmp/cert.wYFxwZ is unreadable or doesn't exist
+ echo 'ERROR: Please check to make sure the certificate for server1.test.lan:443 is valid'
ERROR: Please check to make sure the certificate for server1.test.lan:443 is valid
+ set_returncode 3
+ '[' 0 -lt 3 ']'
+ RETCODE=3
+ return
+ print_summary
+ '[' FALSE '!=' TRUE ']'
+ return
+ '[' FALSE = TRUE ']'
+ exit 0
+ cleanup
+ '[' -f /var/tmp/cert.wYFxwZ ']'
+ rm -f /var/tmp/cert.wYFxwZ
+ '[' -f /var/tmp/error.DYA35M ']'
+ rm -f /var/tmp/error.DYA35M

danie-dejager avatar Jan 23 '20 05:01 danie-dejager

Can you e-mail me a copy of the certificate? I will need that to debug further.

Matty9191 avatar Jan 23 '20 11:01 Matty9191

@Matty9191 It happens on any certificate I use on FreeBSD. You can have this expired cert. expired.txt

danie-dejager avatar Jan 23 '20 11:01 danie-dejager

@Matty9191 , I think it comes from https://github.com/Matty9191/ssl-cert-check/blob/3c8177c4356db6db87593a1d18565bbb8583e3d7/ssl-cert-check#L917

It should be something like

HOST=${LINE%%:*}
PORT=${LINE##*:}

If I look at the source, it looks like the char ':' has been dropped from the patterns!?

mhow2 avatar Feb 03 '20 13:02 mhow2

@Matty9191 , I think it comes from

https://github.com/Matty9191/ssl-cert-check/blob/3c8177c4356db6db87593a1d18565bbb8583e3d7/ssl-cert-check#L917

It should be something like

HOST=${LINE%%:*}
PORT=${LINE##*:}

If I look at the source, it looks like the char ':' has been dropped from the patterns!?

@mhow2 Out of interest, why would that make a difference between bash on FreeBSD and bash on Centos 7?

danie-dejager avatar Feb 03 '20 14:02 danie-dejager

@daniejstriata: you're right, it might be a completely different issue that only "looks like" this one. I'm sorry.

On my side, I spotted an issue with the '-x' option and the following output:

+ HOST=my.domain.ltd:443
+ PORT=my.domain.ltd:443
+ '[' '!' -r /var/tmp/cert.HkuUXi ']'
+ '[' '!' -s /var/tmp/cert.HkuUXi ']'
+ echo 'ERROR: The file named /var/tmp/cert.HkuUXi is unreadable or doesn'\''t exist'
ERROR: The file named /var/tmp/cert.HkuUXi is unreadable or doesn't exist
+ echo 'ERROR: Please check to make sure the certificate for my.domain.ltd:443:my.domain.ltd:443 is valid'
ERROR: Please check to make sure the certificate for my.domain.ltd:443:my.domain.ltd:443 is valid

which is obviously wrong.

mhow2 avatar Feb 03 '20 14:02 mhow2

@mhow2 Are you checking a domain or a cert file? I've just done a test using -s and -c and I'm not seeing the HOST and PORT values being duplicated on my Centos 7 or FreeBSD instance, because I'm still using version 4.12. I see what you picked up was added in 4.13. @Matty9191 What I have noticed on FreeBSD is that the certfile is never checked. On FreeBSD the -c fails and it seems to run a -s test, as I see "openssl s_client -connect server1.test.lan:443 -servername server1.test.lan" in the output. When I check out the same test on Linux against a cert file or a domain I can see that -c and -s work as expected. I believe the difference is in how FreeBSD and Linux differ in their versions of tools like sed.

danie-dejager avatar Feb 03 '20 19:02 danie-dejager

@daniejstriata: indeed, I have not specified that I'm using a domain, like in #81. It happens in v4.13, i.e. the version that I have just cloned from the master branch.

In my specific case, the reason for this error is the output tmp file is empty, because the hostname/port is wrong. This is why my fix works. It's a totally different issue than yours. In order not to pollute this issue again, I have opened #81

mhow2 avatar Feb 04 '20 07:02 mhow2

Hi

I still get errors on FreeBSD. It ignores -c and -d flags.

Host Status Expires Days


ERROR: The file named /var/tmp/cert.YC4KMm is unreadable or doesn't exist
ERROR: Please check to make sure the certificate for hostname:443 is valid

danie-dejager avatar Apr 20 '20 10:04 danie-dejager

Hi @Matty9191, when I use ssl-cert-check -f file1 I also get a similar error, but I found a solution to resolve this issue.

First modify the ssl-cert-check file around line 920 (the newest version); the two ":" characters are missing from

HOST=${LINE%%:*}
PORT=${LINE##*:}

I think it was a text format issue that triggered this error, so: cat file1, copy all the text, vi file2, paste the text.

Don't use cat file1 > file2, it's invalid.

ssl-cert-check -f file2 // it's working

Hope this can help others.

ShangbinLiu avatar Jul 17 '20 09:07 ShangbinLiu
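The host:port split that mhow2 and ShangbinLiu point at above, written out as an added POSIX sh example (this is not ssl-cert-check's own code, and the function names parse_hostport and parse_domainlist are mine). Besides the HOST=${LINE%%:*} / PORT=${LINE##*:} split, it handles the input problems that leave the openssl output file empty and produce the "unreadable or doesn't exist" message: CRLF line endings (the "text format issue" ShangbinLiu worked around by retyping the file), stray whitespace, a missing port, blank and comment lines, and a last line with no trailing newline. It does not address the separate -c behaviour on FreeBSD discussed earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from ssl-cert-check. Parses "host:port" entries from a
# domain list file and rejects input that would otherwise make openssl s_client
# fail silently and leave the temp certificate file empty.

# parse_hostport LINE
#   Prints "host port" for a usable line, prints nothing (exit 0) for a blank
#   or comment line, and prints an error to stderr (exit 1) for a bad port.
parse_hostport() {
    raw=$1
    # Drop a trailing carriage return (DOS/Windows line endings) and trim
    # surrounding whitespace; a hidden '\r' would otherwise end up inside PORT.
    line=$(printf '%s' "$raw" | tr -d '\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')

    case $line in
        ''|'#'*) return 0 ;;          # blank or comment line: skip it
    esac

    case $line in
        *:*)
            host=${line%:*}           # everything before the LAST ':'
            port=${line##*:}          # everything after the LAST ':'
            ;;                        # (bracketed IPv6 like [::1]:443 survives;
                                      #  an unbracketed IPv6 literal does not)
        *)
            host=$line
            port=443                  # default port when none is listed
            ;;
    esac

    # An empty or non-numeric port (e.g. "host:" or "host:4x3") would make
    # openssl fail and the script would then report the temp file as unreadable.
    case $port in
        ''|*[!0-9]*)
            printf 'ERROR: bad port "%s" in line "%s"\n' "$port" "$raw" >&2
            return 1
            ;;
    esac
    printf '%s %s\n' "$host" "$port"
}

# parse_domainlist FILE
#   Emits one "host port" line per usable entry and returns non-zero if any
#   line was rejected, so a caller can keep checking the remaining hosts but
#   still notice the bad entry. Handles a final line without a newline.
parse_domainlist() {
    rc=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        parse_hostport "$entry" || rc=1
    done < "$1"
    return $rc
}

# Constructed sample list (not a real domain list): CRLF endings, a comment,
# a blank line, whitespace around a host with no port, and no final newline.
SAMPLE_LIST=${TMPDIR:-/tmp}/domainlist.sample.$$
printf '# hosts to check\r\nexample.com:443\r\n\r\n  example.net  \r\nexample.org:8443' > "$SAMPLE_LIST"
parse_domainlist "$SAMPLE_LIST"
rm -f "$SAMPLE_LIST"
```

Running the block prints "example.com 443", "example.net 443" and "example.org 8443"; feeding the same sample file through the original `HOST=${LINE%%:*}`/`PORT=${LINE##*:}` without the CR stripping would hand openssl a port of "443<CR>", which is exactly the kind of silent failure that ends in the "unreadable or doesn't exist" message.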