fix(inputs.x509): Multiple sources with non-overlapping DNS entries. (#…

…11613)
influxdata · Aug 5, 2022 · 7bd9c91 · 7bd9c91
1 parent 091380f
commit 7bd9c91
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 12 deletions.
diff --git a/plugins/inputs/x509_cert/x509_cert.go b/plugins/inputs/x509_cert/x509_cert.go
@@ -1,5 +1,6 @@
-//go:generate ../../../tools/readme_config_includer/generator
 // Package x509_cert reports metrics from an SSL certificate.
+//
+//go:generate ../../../tools/readme_config_includer/generator
 package x509_cert
 
 import (
@@ -28,6 +29,7 @@ import (
 )
 
 // DO NOT REMOVE THE NEXT TWO LINES! This is required to embed the sampleConfig data.
+//
 //go:embed sample.conf
 var sampleConfig string
 
@@ -143,14 +145,13 @@ func (c *X509Cert) getCert(u *url.URL, timeout time.Duration) ([]*x509.Certifica
 		if err != nil {
 			return nil, err
 		}
-		c.tlsCfg.ServerName = serverName
 
-		c.tlsCfg.InsecureSkipVerify = true
-		conn := tls.Client(ipConn, c.tlsCfg)
-		defer conn.Close()
+		downloadTLSCfg := c.tlsCfg.Clone()
+		downloadTLSCfg.ServerName = serverName
+		downloadTLSCfg.InsecureSkipVerify = true
 
-		// reset SNI between requests
-		defer func() { c.tlsCfg.ServerName = "" }()
+		conn := tls.Client(ipConn, downloadTLSCfg)
+		defer conn.Close()
 
 		hsErr := conn.Handshake()
 		if hsErr != nil {
@@ -196,15 +197,17 @@ func (c *X509Cert) getCert(u *url.URL, timeout time.Duration) ([]*x509.Certifica
 		if err != nil {
 			return nil, err
 		}
-		c.tlsCfg.ServerName = serverName
-		c.tlsCfg.InsecureSkipVerify = true
+
+		downloadTLSCfg := c.tlsCfg.Clone()
+		downloadTLSCfg.ServerName = serverName
+		downloadTLSCfg.InsecureSkipVerify = true
 
 		smtpConn, err := smtp.NewClient(ipConn, u.Host)
 		if err != nil {
 			return nil, err
 		}
 
-		err = smtpConn.Hello(c.tlsCfg.ServerName)
+		err = smtpConn.Hello(downloadTLSCfg.ServerName)
 		if err != nil {
 			return nil, err
 		}
@@ -221,7 +224,7 @@ func (c *X509Cert) getCert(u *url.URL, timeout time.Duration) ([]*x509.Certifica
 			return nil, fmt.Errorf("did not get 220 after STARTTLS: %s", err.Error())
 		}
 
-		tlsConn := tls.Client(ipConn, c.tlsCfg)
+		tlsConn := tls.Client(ipConn, downloadTLSCfg)
 		defer tlsConn.Close()
 
 		hsErr := tlsConn.Handshake()
@@ -363,6 +366,15 @@ func (c *X509Cert) Gather(acc telegraf.Accumulator) error {
 				tags["verification"] = "valid"
 				fields["verification_code"] = 0
 			} else {
+				c.Log.Debugf("Invalid certificate at index %2d!", i)
+				c.Log.Debugf("  cert DNS names:    %v", cert.DNSNames)
+				c.Log.Debugf("  cert IP addresses: %v", cert.IPAddresses)
+				c.Log.Debugf("  opts.DNSName:      %v", opts.DNSName)
+				c.Log.Debugf("  verify options:    %v", opts)
+				c.Log.Debugf("  verify error:      %v", err)
+				c.Log.Debugf("  location:          %v", location)
+				c.Log.Debugf("  tlsCfg.ServerName: %v", c.tlsCfg.ServerName)
+				c.Log.Debugf("  ServerName:        %v", c.ServerName)
 				tags["verification"] = "invalid"
 				fields["verification_code"] = 1
 				fields["verification_error"] = err.Error()

diff --git a/plugins/inputs/x509_cert/x509_cert_test.go b/plugins/inputs/x509_cert/x509_cert_test.go
@@ -103,6 +103,7 @@ func TestGatherRemoteIntegration(t *testing.T) {
 			sc := X509Cert{
 				Sources: []string{test.server},
 				Timeout: config.Duration(test.timeout),
+				Log:     testutil.Logger{},
 			}
 			require.NoError(t, sc.Init())
 
@@ -165,6 +166,7 @@ func TestGatherLocal(t *testing.T) {
 
 			sc := X509Cert{
 				Sources: []string{f.Name()},
+				Log:     testutil.Logger{},
 			}
 			require.NoError(t, sc.Init())
 
@@ -193,6 +195,7 @@ func TestTags(t *testing.T) {
 
 	sc := X509Cert{
 		Sources: []string{f.Name()},
+		Log:     testutil.Logger{},
 	}
 	require.NoError(t, sc.Init())
 
@@ -242,6 +245,7 @@ func TestGatherExcludeRootCerts(t *testing.T) {
 	sc := X509Cert{
 		Sources:          []string{f.Name()},
 		ExcludeRootCerts: true,
+		Log:              testutil.Logger{},
 	}
 	require.NoError(t, sc.Init())
 
@@ -277,6 +281,7 @@ func TestGatherChain(t *testing.T) {
 
 			sc := X509Cert{
 				Sources: []string{f.Name()},
+				Log:     testutil.Logger{},
 			}
 			require.NoError(t, sc.Init())
 
@@ -365,8 +370,8 @@ func TestGatherCertMustNotTimeoutIntegration(t *testing.T) {
 	duration := time.Duration(15) * time.Second
 	m := &X509Cert{
 		Sources: []string{"https://www.influxdata.com:443"},
-		Log:     testutil.Logger{},
 		Timeout: config.Duration(duration),
+		Log:     testutil.Logger{},
 	}
 	require.NoError(t, m.Init())
 
@@ -379,6 +384,7 @@ func TestGatherCertMustNotTimeoutIntegration(t *testing.T) {
 func TestSourcesToURLs(t *testing.T) {
 	m := &X509Cert{
 		Sources: []string{"https://www.influxdata.com:443", "tcp://influxdata.com:443", "smtp://influxdata.com:25", "file:///dummy_test_path_file.pem", "/tmp/dummy_test_path_glob*.pem"},
+		Log:     testutil.Logger{},
 	}
 	require.NoError(t, m.Init())
 
@@ -407,6 +413,7 @@ func TestServerName(t *testing.T) {
 			sc := &X509Cert{
 				ServerName:   test.fromCfg,
 				ClientConfig: _tls.ClientConfig{ServerName: test.fromTLS},
+				Log:          testutil.Logger{},
 			}
 			require.NoError(t, sc.Init())
 			u, err := url.Parse(test.url)