[inputs.x509_cert] Using wrong server name for verification #11623

Closed
srebhan opened this issue Aug 4, 2022 · 1 comment · Fixed by #11613

srebhan commented Aug 4, 2022

Relevant telegraf.conf

# Reads metrics from a SSL certificate
[[inputs.x509_cert]]
  ## List certificate sources
  sources = ["smtp://server-A.org:587", "smtp://server-B.org:25"]

Logs from Telegraf

No specific logs, only wrong output.

System info

Telegraf 1.23.2

Docker

No response

Steps to reproduce

Run Telegraf with the above config against two servers with non-overlapping DNS entries.

Expected behavior

Certificates are reported to be valid in the metrics (verification=valid) as they are valid.

Actual behavior

Instead of reporting the certificates as valid, all certificates of the second source will be reported as invalid, similar to:

> x509_cert,common_name=server-B.com,host=telegraf-7fdffb564-97r6k,issuer_common_name=Some\ Certificate\ Authority\ -\ G2,public_key_algorithm=RSA,san=server-B.org, www.server-B.org, sub.server-B.org,serial_number=e077f23dd76b209f,signature_algorithm=SHA256-RSA,source=smtp://server-B.org:25,verification=invalid age=14708051i,enddate=1679151227i,expiry=19592748i,startdate=1644850427i,verification_code=1i,verification_error="x509: certificate is valid for server-B.org, www.server-B.org, sub.server-B.org, not server-A.org" 1659558478000000000

It is important to note that the error message indicates that the certificate chain of server-B.org is checked against server-A.org or, more generally speaking, against the first of the sources enumerated.

Additional info

No response

@srebhan srebhan added the bug unexpected problem or unintended behavior label Aug 4, 2022
@srebhan srebhan self-assigned this Aug 4, 2022
@srebhan srebhan added the plugin/input 1. Request for new input plugins 2. Issues/PRs that are related to input plugins label Aug 4, 2022
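
The symptom reported above can be reproduced outside Telegraf with Go's `crypto/x509`; this is an added example, not part of the original issue and not Telegraf's code. It verifies a certificate against the host taken from its own source URL and, for contrast, against the host of the first source; `must`, `selfSigned` and `verify` are hypothetical helpers and the certificate is constructed in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned returns a constructed, self-signed certificate for the given SANs.
func selfSigned(sans ...string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: sans,
		IsCA: true, BasicConstraintsValid: true, // usable as its own root
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// verify checks cert against the host part of source (hypothetical helper, not
// Telegraf code). The cert is its own trust root, so only the name check can fail.
func verify(source string, cert *x509.Certificate) error {
	u, err := url.Parse(source)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: u.Hostname()})
	return err
}

func main() {
	a, b := "smtp://server-A.org:587", "smtp://server-B.org:25"
	certB := selfSigned("server-B.org", "www.server-B.org", "sub.server-B.org")
	fmt.Println("name taken from first source:", verify(a, certB)) // hostname mismatch
	fmt.Println("name taken from own source:  ", verify(b, certB)) // <nil>
}
```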

reimda commented Aug 4, 2022

Thanks for the PR!
