Check certificates with custom certificates

I am dealing with the same problem.

The device/host is sending a full chain, and then the full chain is evaluated.

I already mentioned it in another thread: when you are only checking validity, the chain itself in essence should not matter (in most cases you are only interested in the leaf certificate's validity). Unfortunately that discussion sort of died while being hammered away at about importing CAs, while this is not an option for me (as I am not in control of those CAs, meaning if a CA is replaced outside my influence it will break the check)... without any satisfactory solution.

So IMHO, to put it into a logical breakdown of how check_cert should report:

  • if a certificate chain is sent and Allow self-signed is ticked, it should ignore the whole chain validation.
    • ONLY report warn/crit if a certificate in the sent chain is hitting the thresholds defined for validity.

Glowsome
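As an added illustration of the reporting logic described in the post above (this is example code, not Glowsome's and not the check_cert plugin's own implementation), the following Go program separates the two concerns: chain trust on one side, expiry thresholds on the other. `checkChain`, `mkCert`, the state constants and the certificate names are hypothetical; the certificates are throwaway ECDSA ones generated in-process so the example runs offline. When `allowSelfSigned` is set, `x509.Verify` is skipped entirely and every certificate the host sent is only measured against the warn/crit windows; when it is not set, a root you cannot import (simulated by an empty `CertPool`) makes the check go CRITICAL on trust alone, even though the leaf is well within its validity period.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Monitoring-plugin exit states (Nagios convention, also used by Checkmk).
const (
	StateOK       = 0
	StateWarning  = 1
	StateCritical = 2
)

// checkChain is a hypothetical stand-in for check_cert's reporting logic.
// chain[0] is the leaf, the rest is whatever the host sent. With
// allowSelfSigned set, trust in the chain is not evaluated at all: each
// certificate is only compared against the warn/crit expiry thresholds.
// Without it, the leaf must additionally chain to a root in roots (an empty
// pool simulates a CA you cannot import).
func checkChain(chain []*x509.Certificate, roots *x509.CertPool,
	warn, crit time.Duration, allowSelfSigned bool, now time.Time) (int, string) {
	if len(chain) == 0 {
		return StateCritical, "CRITICAL: no certificate received"
	}
	if !allowSelfSigned {
		opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool(), CurrentTime: now}
		for _, c := range chain[1:] {
			opts.Intermediates.AddCert(c)
		}
		if _, err := chain[0].Verify(opts); err != nil {
			return StateCritical, "CRITICAL: chain verification failed: " + err.Error()
		}
	}
	state := StateOK
	var parts []string
	for _, c := range chain {
		left := c.NotAfter.Sub(now)
		certState := StateOK
		switch {
		case left <= crit: // also covers already-expired certificates (left <= 0)
			certState = StateCritical
		case left <= warn:
			certState = StateWarning
		}
		if certState > state {
			state = certState
		}
		parts = append(parts, fmt.Sprintf("%s expires in %.1f days", c.Subject.CommonName, left.Hours()/24))
	}
	labels := [...]string{"OK", "WARNING", "CRITICAL"}
	return state, labels[state] + ": " + strings.Join(parts, "; ")
}

var serialCounter int64 // simple unique serials for the throwaway certificates

// mkCert issues a throwaway ECDSA certificate for cn that expires ttl from
// now. parent/parentKey nil means self-signed (a private root CA).
func mkCert(cn string, isCA bool, ttl time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serialCounter++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serialCounter),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(ttl),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func main() {
	now := time.Now()
	root, rootKey := mkCert("Customer Private Root", true, 10*365*24*time.Hour, nil, nil)
	leaf, _ := mkCert("host.example.internal", false, 10*24*time.Hour, root, rootKey)
	chain := []*x509.Certificate{leaf, root} // the host sends its full chain
	warn, crit := 30*24*time.Hour, 7*24*time.Hour

	// Root not imported, Allow self-signed off: CRITICAL on trust alone.
	_, msg := checkChain(chain, x509.NewCertPool(), warn, crit, false, now)
	fmt.Println(msg)
	// Root not imported, Allow self-signed on: only the 10-day leaf trips warn.
	_, msg = checkChain(chain, x509.NewCertPool(), warn, crit, true, now)
	fmt.Println(msg)
}
```

The thresholds are applied to every certificate in the sent chain, so an intermediate about to expire is reported with the same warn/crit semantics as the leaf, which is the behaviour the post asks for; if you only ever care about the leaf, restrict the loop to `chain[0]`.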