Hi, I’ve tried the new certificate check to migrate from “Check HTTP Service”. So far, everything works, but with an unknown issuer I cannot get rid of the warning status. I only want to check when the certificate expires. It doesn’t help to activate the “Allow self-signed certificates” option. That wasn’t a problem with the old check.
Is there an option to ignore this? If not, I can only stay with the old check at the moment.
The old check was simply ignoring any certificate error (except for the lifetime). As the new certificate check is intended to just fetch the certificate and validate it, we agree that there is no need to enforce a valid chain as we do for the new HTTP check. On the other hand, the option “Allow self-signed certificates” is doing exactly that and nothing more. Thanks to OpenSSL it is possible to have this granularity: only “X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT” is ignored.
As we understand the limitation of that, we will discuss whether we want to enhance the option to also ignore “X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN” and potentially also “X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY”.
Meanwhile: to mitigate the problem, you can add the missing issuer certificate to the cert store in Checkmk (Setup > Global settings > Site management > Trusted certificate authorities for SSL).
For me, importing the root CA (or self-signed cert) to /usr/local/share/ca-certificates/ and then running update-ca-certificates does the trick, with one catch.
It’ll only work if the “Allow self-signed certificates” option is unchecked. Leaving this option checked always generates an error, but once the cert or CA is imported, it’s valid for the server.
Don’t forget to restart the Checkmk site after importing…
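To make the distinction between the three X509_V_ERR codes discussed in the reply above concrete, and to show the trust-store fix from the last two posts, here is an added example that is not Checkmk code and not code from any poster. It builds a throwaway private CA and two leaf certificates with made-up host names (app.example.internal, selfsigned.example.internal), runs `openssl verify` against them to reproduce each error, and then verifies again with the issuer in the trust store, where `-CAfile` stands in for the Checkmk “Trusted certificate authorities for SSL” setting or for `update-ca-certificates`. It assumes the openssl CLI is on PATH.

```shell
#!/bin/sh
# Added example, not Checkmk code: reproduce the X509 verify errors from the
# thread with a throwaway private CA, then show that trusting the issuer
# clears them. Host names are made up. Requires the openssl CLI on PATH.
set -eu

WORK=$(mktemp -d)

gen_lab() {
    # Private root CA (openssl's default "req -x509" extensions mark it CA:TRUE).
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Private Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
    # Leaf issued by that CA, as a server behind a corporate PKI would present.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=app.example.internal" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 2 -out "$WORK/leaf.crt" >/dev/null 2>&1
    # Plain self-signed leaf: the only case "Allow self-signed certificates" covers.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=selfsigned.example.internal" \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" >/dev/null 2>&1
}

verify_code() {
    # Run "openssl verify" with the given arguments and print the numeric
    # X509_V_ERR_* code of the first failure, or 0 when the chain verifies.
    out=$(openssl verify "$@" 2>&1) || true
    code=$(printf '%s\n' "$out" \
        | sed -n 's/.*error \([0-9][0-9]*\) at [0-9][0-9]* depth lookup.*/\1/p' \
        | head -n 1)
    printf '%s\n' "${code:-0}"
}

err_name() {
    # Map the codes that appear in this thread to their OpenSSL constant names.
    case "$1" in
        0)  echo "OK" ;;
        18) echo "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT" ;;
        19) echo "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN" ;;
        20) echo "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY" ;;
        *)  echo "other X509_V_ERR ($1)" ;;
    esac
}

show() {
    # $1 = description, remaining args are passed to openssl verify.
    desc=$1; shift
    c=$(verify_code "$@")
    printf '%-48s error %-2s %s\n' "$desc" "$c" "$(err_name "$c")"
}

gen_lab
show "self-signed leaf, nothing trusted:"           "$WORK/self.crt"
show "CA-issued leaf, issuer not in store:"         "$WORK/leaf.crt"
show "CA-issued leaf, private root sent untrusted:" -untrusted "$WORK/ca.crt" "$WORK/leaf.crt"
show "CA-issued leaf, root added to trust store:"   -CAfile "$WORK/ca.crt" "$WORK/leaf.crt"
show "self-signed leaf added to trust store:"       -CAfile "$WORK/self.crt" "$WORK/self.crt"
```

The first row is the only situation the “Allow self-signed certificates” option (ignoring error 18) addresses. The third row is what a server produces when it sends its private root along with the leaf in the handshake: the chain is complete but its top is a self-signed certificate nobody trusts, which is error 19, so ignoring 18 does not help. Rows four and five are the mitigation from the posts above: once the issuer (or the self-signed cert itself) is in the trust store, verification passes. On Debian-based systems the default store that `openssl verify` uses without `-CAfile` is the same /etc/ssl/certs that `update-ca-certificates` populates, so after the import described above the second and third rows would also verify without `-CAfile`.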