I am trying to set up a certificate monitoring with a self-signed intermediate and root CA. I can't get it to run. Things I have tried:
Install the certs (Root and Intermediate CA) in ~/local/share/ca-certificates/
Install the certs (Root and Intermediate CA) in /usr/local/share/ca-certificates/
Install the certs (Root and Intermediate CA) in $OMD_ROOT/local/share/ca-certificates && echo 'export SSL_CERT_DIR=$OMD_ROOT/local/share/ca-certificates' >> etc/environment
The following command is working without a warning: ~/lib/nagios/plugins/check_cert --url noekis-pm.lknoe.at --ca-store ~/local/share/ca-certificates/ However, this command ~/lib/nagios/plugins/check_cert --url noekis-pm.lknoe.at raises:
Verification: self-signed certificate in certificate chain (!)
As I cannot find a default path for the certs of the check_cert plugin, and there is no possibility to configure a path in the settings in the UI, can you please give me a hint?
Also, the checkbox "Allow self-signed certificates" does not change anything → I think this is caused by the self-signed intermediate cert.
I'm not 100% certain of the following, but: CheckMK includes a bundled SSL library that's used by all the code run from CheckMK, be it Python or other executables. That bundled SSL library has its own place to look for CA certificates that is none of the usual system-wide locations. Therefore adding CA certificates to the usual system-wide locations won't do you any good.
Instead you have to configure the trusted CAs in the GUI: Setup → Global Settings → something with certificates. After doing that the CA bundle file actually used by the bundled SSL library is generated from that list in CheckMK’s GUI.
This bundled file also includes the system's own bundle file from the respective system location.
The problem here is more that there is no option to force the regeneration of this internal bundle file after you have updated your system bundle file.
Oh, good to know, thanks. I wrongly assumed CheckMK also bundled its own copy of Mozilla's CA certificate list and didn't source system-wide CAs at all.
The device/host is sending a full chain, and then the full chain is evaluated.
I already mentioned it in another thread: when you are only checking validity, the chain itself in essence should not matter (in most cases you are only interested in the leaf certificate's validity). Unfortunately this discussion sort of died while being hammered away about importing CAs, while this is not an option for me (as I am not in control of those CAs, meaning that if a CA outside my influence is replaced, it will break the check), without any satisfactory solution.
So IMHO, to put it into a logical breakdown as to how check_cert should report:
If a certificate chain is sent and "Allow self-signed" is ticked, it should ignore the whole chain validation.
ONLY report warn/crit if a certificate in the sent chain is hitting the thresholds defined for validity.