Max

Reputation: 522

Nagios check_ssl_cert error: SSL_CERT CRITICAL: Error: verify depth is 6

I am setting up a Nagios/Icinga monitoring system to monitor my environment. I would like to monitor my SSL certs with check_ssl_cert, but it is not working on all sites.

My command:

/usr/lib/nagios/plugins/check_ssl_cert -c 7 -w 28 -H 141.85.37.43 -r /etc/ssl/certs/

returns:

SSL_CERT CRITICAL: Error: verify depth is 6

(141.85.37.43 is just an example address, not my own, but it gives the same error.)

If I try

# openssl s_client -connect ftp.myDomain.de:443
CONNECTED(00000003)
140037719324328:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:741:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 320 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

or

# curl https://ftp.myDomain.de:443 -v
* About to connect() to ftp.myDomain.de port 443 (#0)
*   Trying 212.xxx.xxx.xxx...
* connected
* Connected to ftp.myDomain.de (212.xxx.xxx.xxx) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
* Closing connection #0
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

I am using CrushFTP on an Ubuntu system called ftp.myDomain.de. I can use it with https://ftp.myDomain.de without any problem. The cert is installed as a .pem file and was validated by Thawte.

Is there something wrong with my cert?

Upvotes: 1

Views: 14674

Answers (4)

NWT

Reputation: 11

I came across this same problem on a new Nagios box and tried the latest version of check_ssl_cert without success.

In the end the solution was to install expect.

Upvotes: 1

Max

Reputation: 522

I got in contact with the developer behind check_ssl_cert and he optimized and implemented my solution in an updated version.

https://trac.id.ethz.ch/projects/nagios_plugins/wiki/check_ssl_cert

Upvotes: 2

Max

Reputation: 522

I think I got something. It is something with my SSL certs. I need to check with SSL version 3 to get a working result.

Icinga plugins # openssl s_client -connect ftp.myDomain.de:443 -ssl3

I modified check_ssl_cert and added a new parameter, --ssl, to define the version, just like check_http offers:

http://pastebin.com/f46YQFg3 (I needed to post it there; it is too long for stackoverflow.com)

and I can check it with

Icinga plugins # /usr/lib/nagios/plugins/check_ssl_cert -c 7 -w 28 -H "ftp.myDomain.de" -r "/etc/ssl/certs/" --ssl 3
SSL_CERT OK - X.509 certificate for 'ftp.myDomain.de' from 'Thawte DV SSL CA' valid until Jun  5 23:59:59 2015 GMT (expires in 676 days)|days=676;28;7;;

So my problem is kind of solved, but I need to figure out what the difference is from my old certs (which need no workaround) and whether I need to change something there.

Upvotes: 3

Steve Shipway

Reputation: 4037

I cannot say for certain, as I do not have all the necessary details, but it would seem that your certificate is fine; it is just that its authentication chain is too long for check_ssl_cert to verify it.

The error message says "Verify depth is 6". This means that the certificate verify chain is >6 items long, not that it is necessarily failing.

Around lines 205 and 228 in check_ssl_cert, you see the code:

exec_with_timeout $TIMEOUT "echo 'Q' | $OPENSSL s_client ${CLIENT} ${CLIENTPASS} -connect $HOST:$PORT ${SERVERNAME} -verify 6 ${ROOT_CA} 2> ${ERROR} 1> ${CERT}"

Note the -verify 6 in there limiting the maximum chain length to test. If you change this to -verify 16 (which might be overkill but should handle your chain) it will most likely work.

Upvotes: 0
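The two things debated in this thread, which protocol version the server will actually negotiate (Max's --ssl workaround) and what the -verify 6 argument does to the s_client output (Steve Shipway's answer), can both be checked by hand with plain openssl. The script below is an added example written for this page; it is not check_ssl_cert's own code and not from the plugin's author. It probes a host with each protocol switch s_client knows, counts the certificates the server sends, and re-implements the expiry-threshold logic of `-w 28 -c 7` on a PEM file. The host name ftp.example.test, the function names and the throwaway self-signed certificate are assumptions for the demo; `date -d` is GNU date.

```shell
#!/bin/sh
# Added example, not part of check_ssl_cert. Assumes OpenSSL and GNU date.

# probe_tls HOST PORT: try each protocol switch and report whether the
# handshake completes. An "unknown option" (e.g. -ssl3 on a modern build,
# -tls1_3 on an old one) also shows as rejected. Needs network access.
probe_tls() {
    for v in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        if echo Q | openssl s_client -connect "$1:$2" $v >/dev/null 2>&1; then
            echo "$v: accepted"
        else
            echo "$v: rejected"
        fi
    done
}

# chain_depth: count certificates in `openssl s_client -showcerts` output
# read from stdin. This is the number check_ssl_cert's `-verify 6`
# argument is measured against.
chain_depth() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# days_left PEMFILE: whole days until the certificate's notAfter.
days_left() {
    enddate=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    end_epoch=$(date -d "$enddate" +%s)
    now=$(date +%s)
    echo $(( (end_epoch - now) / 86400 ))
}

# nagios_state DAYS WARN CRIT: print the state and return the Nagios
# exit code (0 OK, 1 WARNING, 2 CRITICAL), like `check_ssl_cert -w 28 -c 7`.
nagios_state() {
    if [ "$1" -lt "$3" ]; then
        echo CRITICAL; return 2
    elif [ "$1" -lt "$2" ]; then
        echo WARNING; return 1
    fi
    echo OK; return 0
}

# make_test_cert DAYS OUTFILE: constructed self-signed certificate for an
# offline run (hypothetical CN ftp.example.test; key written next to it).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2" \
        -days "$1" -subj "/CN=ftp.example.test" 2>/dev/null
}

# Usage: sh tls_probe.sh HOST [PORT]
if [ $# -ge 1 ]; then
    host=$1; port=${2:-443}
    probe_tls "$host" "$port"
    echo "chain depth: $(echo Q | openssl s_client -connect "$host:$port" -showcerts 2>/dev/null | chain_depth)"
fi
```

When you run the probe against a host that fails the plugin, compare the `accepted` lines with the protocol the plugin's s_client call uses; a server that only completes the -ssl3 handshake, as in Max's result, is the reason the unmodified check sees no certificate at all. Before changing `-verify 6`, run the plugin's exact s_client command by hand and look at stderr: s_client prints `verify depth is N` whenever `-verify N` is passed, regardless of how long the chain is, so that line on its own is not a verification failure; the chain_depth count tells you whether the limit is actually reached. Note also that a server reachable only over SSLv3 should be treated as a finding in its own right, not just a monitoring nuisance.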
