Bug: cert plugin: "allow self-signed certificates" doesn't work

CMK version: 2.3.0p1.cee
OS version: Ubuntu 22.04

The new certificate plugin doesn’t always seem to handle the option “allow self-signed certificates” correctly. I have it activated, but it still complains about them in the checks:

The rule:

and the service:

To be clear, this is a CA generated by the monitored machine itself, it’s as self-signed as it gets. But that’s OK for me, I only want to know when certificates expire. As this happens in a lot of cases where a service/appliance might create its own CA, I don’t want to have to add all those custom CAs to CheckMK itself; I just want to ignore whether or not they can be verified.

With the deprecated check_http this wasn’t an issue.

While this MIGHT not be the source of the issue here, I believe the certificate provisioned on Proxmox is NOT self-signed. It is signed by a snake-oil (self-signed) CA. See below. You might try changing the Proxmox config to include the CA cert (/etc/pve/pve-root-ca.pem) in the chain presented by the webserver.

Dang, you’re right. I hadn’t looked at the message properly even though it’s clear that it isn’t “self-signed certificate in chain”. I had been dealing with some other issues with the cert plugin simultaneously, some of them “self-signed cert in chain”, and therefore I probably just did a quick screenshot without looking at it too closely.

Having said that, what I said at the end still applies: I want to check for those certificates’ lifetime without having to add all custom CAs to CheckMK. Basically an option “accept unknown issuer” or something similar. Otherwise the new plugin won’t really help me, unfortunately.

I guess I have the same problem, this is the check cert rule in cmk:

but this warning is showing anyway:

Have you found a solution to this?

The problem is not the certificate itself but that you use your own enterprise CA and the certificate of this CA is not known to the checkmk site.

I added the ca files like this, but the check is still showing as warning.

root@checkmk:/usr/local/share/ca-certificates# ls
gitlab-misoft-local-chain.crt  gitlab-misoft-local.crt
root@checkmk:/usr/local/share/ca-certificates#  update-ca-certificates
Updating certificates in /etc/ssl/certs...
2 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@checkmk:/usr/local/share/ca-certificates# ls /etc/ssl/certs | grep misoft
gitlab-misoft-local-chain.pem
gitlab-misoft-local.pem
root@checkmk:/usr/local/share/ca-certificates# ls
gitlab-misoft-local-chain.crt  gitlab-misoft-local.crt

curl works fine without displaying a warning:

root@checkmk:/usr/local/share/ca-certificates# curl -s https://gitlab.misoft.local/users/sign_in | head
<!DOCTYPE html>
<html class="html-devise-layout gl-light" lang="en">
<head prefix="og: http://ogp.me/ns#">
<meta charset="utf-8">
<meta content="IE=edge" http-equiv="X-UA-Compatible">
<meta content="width=device-width, initial-scale=1" name="viewport">
<title>Sign in · GitLab</title>
<script>
//<![CDATA[
window.gon={};

Nevermind, it became OK just 5 min ago. Maybe there was something cached?
