Merge branch '416-handling-of-one-valid-and-one-expired-certificate-f…

…or-the-same-scope'
matteocorti · Oct 6, 2022 · 5cbea21 · 5cbea21
2 parents 546b0d7 + c95aae3
commit 5cbea21
Show file tree

Hide file tree

Showing 9 changed files with 55 additions and 37 deletions.
diff --git a/CITATION.cff b/CITATION.cff
@@ -236,7 +236,7 @@ authors:
   given-names: "Дилян"
   website: https://github.com/dilyanpalauzov
 title: "check_ssl_cert"
-version: 2.50.0
+version: 2.51.0
 date-released: 2022-10-06
 url: "https://github.com/matteocorti/check_ssl_cert"
 repository-code: "https://github.com/matteocorti/check_ssl_cert"

diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,7 @@
 2022-10-06  Matteo Corti  <[email protected]>
 
         * check_ssl_cert: additional chain checks (no root attributes and handling of double certificates
+        * check_ssl_cert (check_attr): fixed a bug in the chain checks
 
 2022-09-27  Matteo Corti  <[email protected]>
 

diff --git a/NEWS.md b/NEWS.md
@@ -1,3 +1,5 @@
+* 2022-10-06 Version 2.51.0
+  * Fixed a bug in the chain checks
 * 2022-10-06 Version 2.50.0
   * Additional checks for the certificate chain (see ```--check-chain```)
 * 2022-09-27 Version 2.49.0

diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -1 +1 @@
-Additional checks for the certificate chain (see ```--check-chain```)
+Fixed a bug in the chain checks
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-2.50.0
+2.51.0
diff --git a/check_ssl_cert b/check_ssl_cert
@@ -28,7 +28,7 @@
 ################################################################################
 # Constants
 
-VERSION=2.50.0
+VERSION=2.51.0
 SHORTNAME="SSL_CERT"
 
 VALID_ATTRIBUTES=",startdate,enddate,subject,issuer,modulus,serial,hash,email,ocsp_uri,fingerprint,"
@@ -2213,6 +2213,7 @@ check_cert_end_date() {
                 DAYS_AGO="$((-ELEM_DAYS_VALID)) days ago"
             fi
             debuglog "CRITICAL: certificate element ${el_number} (${element_cn}) is expired (was valid until ${ELEM_END_DATE}, ${DAYS_AGO})"
+            echo XX 100
             CN_EXPIRED_TMP="${element_cn}:${replace_current_message}:${OPENSSL_COMMAND} certificate element ${el_number} (${element_cn}) is expired (was valid until ${ELEM_END_DATE}, ${DAYS_AGO})"
             if [ -z "${CN_EXPIRED_CRITICAL}" ] ; then
                 CN_EXPIRED_CRITICAL="${CN_EXPIRED_TMP}"
@@ -5940,46 +5941,50 @@ EOF
         # browsers usually do not complain (see #416)
 
         # loop over the criticals
-        while IFS= read -r critical ; do
-
-            CN_TMP=$( echo "${critical}" | sed 's/:.*//' )
-            REPLACE_CURRENT_MESSAGE=$( echo "${critical}" | sed -e 's/^[^:]*://' -e 's/:.*//' )
-            MESSAGE_TMP=$( echo "${critical}" | sed 's/^[^:]*:[^:]*://' )
-
-            # check if the warning is overridden by another certificate for the same CN
-            if echo "${CN_OK}" | grep -q "${CN_TMP}" ; then
-                verboselog "Both a valid and an expired certificate were found"
-                if [ -n "${CHECK_CHAIN}" ] ; then
-                    prepend_critical_message "Both a valid and an expired certificate were found"
+        if [ -n "${CN_EXPIRED_CRITICAL}" ] ; then
+            while IFS= read -r critical ; do
+
+                CN_TMP=$( echo "${critical}" | sed 's/:.*//' )
+                REPLACE_CURRENT_MESSAGE=$( echo "${critical}" | sed -e 's/^[^:]*://' -e 's/:.*//' )
+                MESSAGE_TMP=$( echo "${critical}" | sed 's/^[^:]*:[^:]*://' )
+
+                # check if the warning is overridden by another certificate for the same CN
+                if echo "${CN_OK}" | grep -q "${CN_TMP}" ; then
+                    verboselog "Both a valid and an expired certificate were found"
+                    if [ -n "${CHECK_CHAIN}" ] ; then
+                        prepend_critical_message "Both a valid and an expired certificate were found"
+                    fi
+                else
+                    prepend_critical_message "${MESSAGE_TMP}" "${REPLACE_CURRENT_MESSAGE}"
                 fi
-            else
-                prepend_critical_message "${MESSAGE_TMP}" "${REPLACE_CURRENT_MESSAGE}"
-            fi
 
-        done <<INPUT
+            done <<INPUT
 ${CN_EXPIRED_CRITICAL}
 INPUT
+        fi
 
         # loop over the warnings
-        while IFS= read -r warning ; do
-
-            CN_TMP=$( echo "${warning}" | sed 's/:.*//' )
-            REPLACE_CURRENT_MESSAGE=$( echo "${warning}" | sed -e 's/^[^:]*://' -e 's/:.*//' )
-            MESSAGE_TMP=$( echo "${warning}" | sed 's/^[^:]*:[^:]*://' )
-
-            # check if the warning is overridden by another certificate for the same CN
-            if echo "${CN_OK}" | grep -q "${CN_TMP}" ; then
-                verboselog "Both a valid and an expired certificate were found"
-                if [ -n "${CHECK_CHAIN}" ] ; then
-                    prepend_critical_message "Both a valid and an expired certificate were found"
+        if [ -n "${CN_EXPIRED_WARNING}" ] ; then
+            while IFS= read -r warning ; do
+
+                CN_TMP=$( echo "${warning}" | sed 's/:.*//' )
+                REPLACE_CURRENT_MESSAGE=$( echo "${warning}" | sed -e 's/^[^:]*://' -e 's/:.*//' )
+                MESSAGE_TMP=$( echo "${warning}" | sed 's/^[^:]*:[^:]*://' )
+
+                # check if the warning is overridden by another certificate for the same CN
+                if echo "${CN_OK}" | grep -q "${CN_TMP}" ; then
+                    verboselog "Both a valid and an expired certificate were found"
+                    if [ -n "${CHECK_CHAIN}" ] ; then
+                        prepend_critical_message "Both a valid and an expired certificate were found"
+                    fi
+                else
+                    append_warning_message "${MESSAGE_TMP}" "${REPLACE_CURRENT_MESSAGE}"
                 fi
-            else
-                append_warning_message "${MESSAGE_TMP}" "${REPLACE_CURRENT_MESSAGE}"
-            fi
 
-        done <<INPUT
+            done <<INPUT
 ${CN_EXPIRED_WARNING}
 INPUT
+        fi
 
     fi
 

diff --git a/check_ssl_cert.1 b/check_ssl_cert.1
@@ -1,7 +1,7 @@
 .\" Process this file with
 .\" groff -man -Tascii check_ssl_cert.1
 .\"
-.TH "check_ssl_cert" 1 "October, 2022" "2.50.0" "USER COMMANDS"
+.TH "check_ssl_cert" 1 "October, 2022" "2.51.0" "USER COMMANDS"
 .SH NAME
 check_ssl_cert \- checks the validity of X.509 certificates
 .SH SYNOPSIS

diff --git a/check_ssl_cert.spec b/check_ssl_cert.spec
@@ -1,4 +1,4 @@
-%global version          2.50.0
+%global version          2.51.0
 %global release          0
 %global sourcename       check_ssl_cert
 %global packagename      nagios-plugins-check_ssl_cert
@@ -54,6 +54,9 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 
 %changelog
+* Thu Oct   6 2022 Matteo Corti <[email protected]> - 2.51.0-0
+- Updated to 2.51.0
+
 * Thu Oct   6 2022 Matteo Corti <[email protected]> - 2.50.0-0
 - Updated to 2.50.0
 

diff --git a/test/unit_tests.sh b/test/unit_tests.sh
@@ -1885,13 +1885,20 @@ testRootCertInChain() {
     assertEquals "wrong exit code" "${OK}" "${EXIT_CODE}"
 }
 
-testRootCertInChainEnforce() {
+testRootCertInChainEnforceFail() {
     # shellcheck disable=SC2086
     ${SCRIPT} ${TEST_DEBUG} -H matteo.ethz.ch --check-chain
     EXIT_CODE=$?
     assertEquals "wrong exit code" "${NAGIOS_CRITICAL}" "${EXIT_CODE}"
 }
 
+testRootCertInChainEnforceOK() {
+    # shellcheck disable=SC2086
+    ${SCRIPT} ${TEST_DEBUG} --host www.github.com --check-chain
+    EXIT_CODE=$?
+    assertEquals "wrong exit code" "${NAGIOS_OK}" "${EXIT_CODE}"
+}
+
 testRootCertNotInChainGitHub() {
     # shellcheck disable=SC2086
     ${SCRIPT} ${TEST_DEBUG} -H github.com --verbose | grep -q 'The root certificate is unnecessarily present in the delivered certificate chain'
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		Additional checks for the certificate chain (see ```--check-chain```)
		Fixed a bug in the chain checks