
validating certs without hostname #88

Open
cablebender opened this issue Jun 25, 2020 · 4 comments

Comments

@cablebender

cablebender commented Jun 25, 2020

Hi,
my mail server exim logs "SSL verify error: certificate name mismatch", but your script sends me a valid state. Is it possible that you don't check the cert DN against the hostname?
Kind regards

@kbabioch

This is a very bad bug report. How do you expect someone to help you with so little information? Can you provide the certificate(s) and the exact command line that you're invoking?

I'm not an exim expert, but this log message could mean many things. Is it related to the certificate you're trying to monitor with ssl-cert-check?

@cablebender

Hi,
my script version is 4.14.
I have tested with the arguments "-s mx1.bund.de -p 25" and the answer was "mx1.bund.de:25 Valid Oct 9, 2020 106". But when I tested with https://www.checktls.com/TestReceiver the cert is not valid because it's self-signed. I have also tested with the arguments "-s mx01.schlund.de -p 25" and your script answers that the cert is valid, but my log and checktls.com also say the cert is not valid because the hostname in the cert is not the server name.
Try it yourself! :-)

@kbabioch

This script / project is about checking the expiry date of certificates, not about validating the certificate chain(s).

Excerpt from the README:

SSL Certification Expiration Checker:

ssl-cert-check is a Bourne shell script that can be used to report on expiring SSL certificates. The script was designed to be run from cron and can e-mail warnings or log alerts through nagios.

The status column indicates whether the certificate is expiring or not. By default it will warn you, when there are only 30 days left or less:

./ssl-cert-check -s mx1.bund.de -p 25

Host                                            Status       Expires      Days
----------------------------------------------- ------------ ------------ ----
mx1.bund.de:25                                  Valid        Oct  9, 2020  105

This means that the certificate will expire in 105 days, so the certificate is Valid. Invoking it with -x 200 will result in the status changing to Expiring.

./ssl-cert-check -s mx1.bund.de -p 25 -x 200

Host                                            Status       Expires      Days
----------------------------------------------- ------------ ------------ ----
mx1.bund.de:25                                  Expiring     Oct  9, 2020  105

If it is already expired, it will output Expired.

If you want to verify the validity / trust chain(s) of a certificate, you can use openssl verify, etc.

@dairiki

dairiki commented Nov 11, 2021

Perhaps view this as a feature request, rather than a bug report.

I, for one, think it would be good if ssl-cert-check verified that the server hostname matches the Subject Alternative Name in the server's certificate. People use ssl-cert-check to ensure that certificates are being properly renewed. Having the correct server name in the certificate is a crucial part of being "properly renewed".

PR #92 purports to do this, though I haven't looked at it enough to know if that's the correct solution.
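The two checks discussed in this thread, expiry status as ssl-cert-check reports it and the hostname-vs-SAN match that the issue asks for, can both be done with the openssl CLI alone. The following is an added example written for this page; it is not ssl-cert-check code and not the PR #92 implementation. It assumes an OpenSSL 1.1.1 or newer binary on PATH (for `-addext` and `-checkhost`), generates a constructed self-signed test certificate with two SAN entries rather than connecting to any mail server, and reports a hostname mismatch separately from the expiry status so the two failure modes are not conflated.

```shell
#!/bin/sh
# Added example, not part of ssl-cert-check: report certificate expiry
# status (Valid / Expiring / Expired, as ssl-cert-check does) together
# with an RFC 6125 hostname match against the certificate's SANs.
# Assumes: openssl >= 1.1.1 on PATH, mktemp, grep.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test certificate: self-signed, 90 days, two SAN dNSNames.
# Prints the path of the PEM file.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
        -subj "/CN=mail.example.test" \
        -addext "subjectAltName=DNS:mail.example.test,DNS:mx.example.test" \
        >/dev/null 2>&1
    printf '%s\n' "$WORK/cert.pem"
}

# check_cert CERT_FILE HOSTNAME WARN_DAYS
# Prints "<hostname> <Expired|Expiring|Valid> <HostnameOK|HostnameMismatch>".
# Returns 0 only when the certificate is not expiring within WARN_DAYS
# *and* HOSTNAME matches a SAN dNSName (X509_check_host semantics, so the
# CN is ignored when SAN entries are present).
check_cert() {
    cert=$1
    host=$2
    warn_days=$3

    # -checkend N exits non-zero if notAfter is within N seconds of now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        expiry=Expired
    elif ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        expiry=Expiring
    else
        expiry=Valid
    fi

    # -checkhost prints "Hostname X does match certificate" or
    # "... does NOT match certificate"; grep on the text rather than the
    # exit status, which differs between OpenSSL releases.
    if openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match'; then
        hostmatch=HostnameOK
    else
        hostmatch=HostnameMismatch
    fi

    echo "$host $expiry $hostmatch"
    if [ "$expiry" = Valid ] && [ "$hostmatch" = HostnameOK ]; then
        return 0
    else
        return 1
    fi
}

# Stand-alone demonstration on the constructed certificate.
CERT=$(make_test_cert)
check_cert "$CERT" mail.example.test 30   # Valid, name is in the SAN
check_cert "$CERT" mx.example.test 30     # Valid, second SAN entry
check_cert "$CERT" mail.example.com 30    # Valid by date, but HostnameMismatch
check_cert "$CERT" mail.example.test 100  # Expiring: 90-day cert, 100-day warn window
```

To run this against a live server instead of the constructed certificate, replace `make_test_cert` with a capture such as `openssl s_client -connect host:25 -starttls smtp -servername host </dev/null 2>/dev/null | openssl x509` saved to a file; the `check_cert` function is unchanged. The exit status makes the function usable from cron or a Nagios wrapper in the same way as ssl-cert-check.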
