Advice to build plugin using Go 1.16 is no longer viable
While troubleshooting some service checks I was setting up for some older hosts, I found that the certificates were missing SANs entries.
The following output is from lscert using a development snapshot of the code (but likely matches stable releases):
This certificate does not contain Subject Alternate Names (SANs) and should be replaced.
As a temporary workaround you can:
- set the GODEBUG environment variable to 'GODEBUG=x509ignoreCN=0' AND either deploy v0.5.3 of this plugin or rebuild this plugin using Go 1.16
- specify the 'ignore-hostname-verification-if-empty-sans' flag to skip hostname verification if the SANs list is found to be empty
See these resources for additional information:
- https://github.com/atc0005/check-cert/issues/276
- https://chromestatus.com/feature/4981025180483584
- https://bugzilla.mozilla.org/show_bug.cgi?id=1245280
Here is an example of building the plugin using the last Go 1.16 Docker image: docker container run -it --rm -v $PWD:$PWD -w $PWD golang:1.16 go build ./cmd/check_cert/
Attempting to actually do so fails due to a vendored dependency:
$ podman container run -it --rm -v $PWD:$PWD -w $PWD golang:1.16 go build ./cmd/check_cert/
Resolving "golang" using unqualified-search registries (/etc/containers/registries.conf)
Trying to pull docker.io/library/golang:1.16...
Getting image source signatures
Copying blob e4d61adff207 done
Copying blob ff5b10aec998 done
Copying blob 12de8c754e45 done
Copying blob 8c86ff77a317 done
Copying blob 4ff1945c672b done
Copying blob 0395a1c478ba done
Copying blob 245345d44ed8 done
Copying config 972d8c0bc0 done
Writing manifest to image destination
Storing signatures
vendor/github.com/mattn/go-isatty/isatty_tcgets.go:8:8: //go:build comment without // +build comment
Attempting to use -mod=mod or similar doesn't work either.
$ podman container run -it --rm -v $PWD:$PWD -w $PWD golang:1.16 go build -mod=mod ./cmd/check_cert/
go: downloading github.com/atc0005/cert-payload v0.7.1
go: downloading github.com/rs/zerolog v1.33.0
go: downloading github.com/atc0005/go-nagios v0.19.0
go: downloading github.com/mattn/go-colorable v0.1.13
go: downloading github.com/mattn/go-isatty v0.0.20
go: downloading golang.org/x/sys v0.28.0
/go/pkg/mod/github.com/mattn/go-isatty@v0.0.20/isatty_tcgets.go:8:8: //go:build comment without // +build comment
While it may be possible to update the directions to walk the sysadmin through checking out a specific tag with dependencies known to successfully compile with Go 1.16, it's probably not really a viable workaround.
Instead, we should remove all mention of building with Go 1.16.