check-tls-certs

More alternate names than specified/The requested domain doesn't match the certificate domain

Open IgalSc opened this issue 1 year ago • 1 comments

Hi there. We are using wildcard domains, but the check started failing:

```
domain1.tv, www.domain1.tv
    Issued by: Amazon RSA 2048 M03
    Valid until 2025-01-31 23:59:59 (224 days, 2:21:00).
    More alternate names than specified *.domain1.tv.
content-api.domain2.mobi
    Validation error '[10, 1, 'certificate has expired']'.
    Issued by: E1
    Valid until 2024-08-11 00:28:33 (50 days, 2:50:00).
    Alternate names in certificate: domain2.mobi, *.domain2.mobi
    The requested domain content-api.domain2.mobi doesn't match the certificate domain domain2.mobi.
2 error(s), 1 warning(s)
```

If I do `check_tls_certs *.domain1.tv`:

```
Traceback (most recent call last):
  File "/usr/local/bin/check_tls_certs", line 11, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 764, in __call__
    return self.main(*args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 717, in main
    rv = self.invoke(ctx)
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 956, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/usr/local/lib/python3.6/dist-packages/click/core.py", line 555, in invoke
    return callback(*args, **kwargs)
  File "/usr/local/lib/python3.6/dist-packages/check_tls_certs.py", line 284, in main
    domain_certs = get_domain_certs(domains)
  File "/usr/local/lib/python3.6/dist-packages/check_tls_certs.py", line 97, in get_domain_certs
    return dict(x.result() for x in done)
  File "/usr/local/lib/python3.6/dist-packages/check_tls_certs.py", line 97, in <genexpr>
    return dict(x.result() for x in done)
  File "/usr/lib/python3.6/concurrent/futures/thread.py", line 56, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.6/dist-packages/check_tls_certs.py", line 78, in get_cert_from_domain
    data = _get_cert_from_domain(domain)
  File "/usr/local/lib/python3.6/dist-packages/check_tls_certs.py", line 64, in _get_cert_from_domain
    sock.connect((domain.connection_host, domain.port))
  File "/usr/local/lib/python3.6/dist-packages/OpenSSL/SSL.py", line 1965, in connect
    return self._socket.connect(addr)
socket.gaierror: [Errno -2] Name or service not known
```

How do I use it with SAN and wildcard?

IgalSc (Jun 21 '24 21:06)

Currently wildcard certificates aren't supported. It shouldn't be too hard to add, but I currently don't have time for it. I personally use it with Let's Encrypt only. I'm not sure whether they have wildcard support by now so I could test it. You could send me your actual domains privately via email, so I could test it when I get to it.

fschulze (Jun 25 '24 12:06)

Thank you. Let's Encrypt supports wildcard domains as well. But let me send you a couple of domains we check privately.

IgalSc (Jul 17 '24 19:07)

Could you test my latest push? The problem was that the wildcard domain was in the list of alternate names and not the common name of the certificate. This is now supported.

fschulze (Jul 18 '24 07:07)
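The matching logic this thread is about, as an added illustration that is not check-tls-certs' own code: a requested hostname is covered by a certificate name (common name or any SAN dNSName) only under the client-side wildcard rules, where `*` must be the whole left-most label and stands for exactly one label. The `check_requested_names` helper and the sample names below are constructed for the example; they mirror the two cases in the report (the wildcard that sits only in the SAN list, and the `content-api` host that was wrongly flagged as not matching `domain2.mobi`).

```python
def hostname_matches(requested: str, pattern: str) -> bool:
    """True if certificate name `pattern` covers the requested hostname.

    Rules as TLS clients apply them (RFC 6125 style):
    - comparison is case-insensitive, trailing dots ignored
    - a wildcard is honoured only as the entire left-most label
    - it matches exactly one label: "*.domain2.mobi" covers
      "content-api.domain2.mobi" but not "domain2.mobi" or "a.b.domain2.mobi"
    - a wildcard directly under a TLD ("*.tv") is refused (conservative choice
      made for this example).
    """
    requested = requested.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return requested == pattern
    p_labels = pattern.split(".")
    r_labels = requested.split(".")
    # Wildcard must be the whole first label, with at least two labels after it,
    # and no further wildcards anywhere else in the name.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(r_labels) == len(p_labels) and r_labels[1:] == p_labels[1:]


def check_requested_names(requested_names, cert_names):
    """Compare the names you asked the tool to check with the names in the cert.

    cert_names holds the common name plus every SAN dNSName. Returns
    (missing, unused): requested names no certificate name covers (an error),
    and certificate names that cover none of the requested names (the
    "more alternate names than specified" warning case).
    """
    missing = [r for r in requested_names
               if not any(hostname_matches(r, c) for c in cert_names)]
    unused = [c for c in cert_names
              if not any(hostname_matches(r, c) for r in requested_names)]
    return missing, unused


if __name__ == "__main__":
    # Constructed sample data modelled on the report above.
    print(check_requested_names(["domain1.tv", "www.domain1.tv"],
                                ["domain1.tv", "www.domain1.tv", "*.domain1.tv"]))
    print(check_requested_names(["content-api.domain2.mobi"],
                                ["domain2.mobi", "*.domain2.mobi"]))
```

With wildcard matching, `content-api.domain2.mobi` is covered by `*.domain2.mobi`, so only the unused bare `domain2.mobi` remains as a warning rather than a mismatch error.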