go-check-plugins
ssl-cert fails when server is configured for client auth
When the server expects the client to provide a certificate, the check for ssl-cert fails:

```
mackerel-check ssl-cert -H <server-with-client-auth-enabled>
SSL CRITICAL: remote error: tls: bad certificate
```
In order to check a server certificate (which is what this binary is intended for), it is not required to complete a full TLS handshake. Doing a tcpdump reveals that the server cert is presented to the client during the Server Hello message of the handshake. This check should be modified to work in this situation.
Another way that this issue can be resolved is if ssl-cert allows for a client cert and key to be passed in. This will allow the handshake to be completed successfully, so an err won't be thrown by the standard library during this line:

```go
// https://github.com/mackerelio/go-check-plugins/blob/master/check-ssl-cert/lib/check-ssl-cert.go#L67
conn, err := tls.Dial("tcp", addr, &tls.Config{})
```
Another option: add a -skip-verify option to check-ssl-cert.
[memo] #403 may fix this.
@lufia I do not believe that either of your suggestions would work:
- the Go standard lib will fail the TLS handshake regardless of skipping CA verification, as a client cert is being requested which it does not have
- #403: these options to add a client cert and key would work, but I cannot use check-http because the service I'm checking is not HTTP based. However, I feel that it would be best NOT to require a client certificate, because the point of this check is to verify certificate expiry, not to validate that mutual TLS works.
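The approach the issue describes, reading the server certificate off the handshake instead of requiring the handshake to complete, can be done with the `VerifyPeerCertificate` callback of Go's `tls.Config`, which runs as soon as the server's chain is parsed. This is an added example, not go-check-plugins code; the function names, the local server and its self-signed certificate are constructed for illustration, and `MaxVersion: tls.VersionTLS12` is set so that the server's alert aborts `tls.Dial` itself as in the issue (under TLS 1.3 the alert surfaces on the first read instead).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// serverChainFromHandshake returns the server's chain captured mid-handshake, even when the handshake then fails because the server demanded a client certificate.
func serverChainFromHandshake(addr string) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	cfg := &tls.Config{
		InsecureSkipVerify: true,             // chain trust is not this check's job; only NotAfter is read
		MaxVersion:         tls.VersionTLS12, // the issue's error path: the server's alert aborts Dial itself
		// Called as soon as the server's Certificate message is parsed, i.e. before the server can answer our empty client Certificate with the "bad certificate" alert.
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			for _, raw := range rawCerts {
				c, err := x509.ParseCertificate(raw)
				if err != nil { return err }
				chain = append(chain, c)
			}
			return nil
		},
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err == nil { conn.Close() }
	return chain, err // chain is populated whether or not err is set
}

// startClientAuthServer mimics the issue's server: a constructed (hypothetical) self-signed certificate and mandatory client authentication. It returns the listen address.
func startClientAuthServer(notAfter time.Time) (string, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return "", err }
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{ClientAuth: tls.RequireAnyClientCert,
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}})
	if err != nil { return "", err }
	go func() { // each client is rejected with the same alert the real server sent
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(tc *tls.Conn) { tc.Handshake(); tc.Close() }(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), nil
}
```

The leaf in the returned chain carries `NotAfter`, which is all an expiry check needs; a deployment that also wants chain validation can do it inside the same callback with `x509.VerifyOptions` after recording the chain.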
I understand this issue. I'll try to fix this later.