Check fails (no CA certificates found) #2

Closed
opened 2021-03-07 12:02:24 +01:00 by Ghost · 3 comments

On a Debian host, check_xmppng yields wrong results when trying to check certificates.
Example:

```
$ ./check_xmppng -H xmpp.chapril.org --servername chapril.org --warn-days 15 --crit-days 8 --s2s
XMPP CRITICAL - request took unknownNone (no CA certificates found) | time=unknown
```

What's troubling me is that the same command works fine when run on an Archlinux host. So it is probably a bug in packaging python, either in Archlinux or in Debian.

But I think this problem can be solved in check_xmppng by removing these lines [check_xmppng#L338-L345](https://git.dittberner.info/jan/check_xmppng/src/commit/787115b4bb8020b2810612c01d35511c7aa55421/check_xmppng#L338-L345).

My understanding is that check_xmppng first tries to make sure that some CA certificates are present before performing the real check. But it cannot work. As stated in Python's doc [ssl.SSLContext.get_ca_certs](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.get_ca_certs), certificates in a capath directory aren’t loaded unless they have been used at least once.

What do you think?
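The lazy-loading behaviour the reporter describes can be shown without any network access. The script below is an added illustration, not code from this issue or from check_xmppng: it configures an `SSLContext` with only a `capath` directory and shows that both `get_ca_certs()` and `cert_store_stats()` report zero CA certificates before any handshake has used the store, which is exactly why a "are there any CAs?" pre-check produces a false CRITICAL on hosts whose trust store is a hashed directory rather than a bundle file. It also includes a filesystem-level alternative (`ca_store_looks_populated`, a hypothetical helper name) that inspects the configured paths instead of asking OpenSSL what it has loaded so far. The temporary directory and the hashed-style filename `a1b2c3d4.0` are constructed for the demonstration; OpenSSL only resolves such entries on demand, so no real certificate is needed to reproduce the zero counts.

```python
import os
import re
import ssl
import tempfile

# OpenSSL's capath convention (what `c_rehash` / `openssl rehash` produce):
# <8 hex digits of subject hash>.<n> for certificates, <hash>.r<n> for CRLs.
HASHED_ENTRY = re.compile(r"^[0-9a-f]{8}\.r?[0-9]+$")


def ca_store_looks_populated(cafile=None, capath=None):
    """Hypothetical replacement for a get_ca_certs()-based pre-check.

    Looks at the configured trust-store locations on disk rather than at what
    the SSLContext has loaded, so a capath directory that OpenSSL has not
    touched yet is still recognised as a usable store.
    """
    if cafile and os.path.isfile(cafile) and os.path.getsize(cafile) > 0:
        return True
    if capath and os.path.isdir(capath):
        return any(HASHED_ENTRY.match(name) for name in os.listdir(capath))
    return False


def loaded_ca_counts(capath):
    """Return (len(get_ca_certs()), cert_store_stats()['x509_ca']) for a
    context that trusts only `capath`, before any connection is made."""
    # PROTOCOL_TLS_CLIENT does not call load_default_certs(), so the host's
    # own bundle cannot leak into the numbers.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(capath=capath)
    return len(ctx.get_ca_certs()), ctx.cert_store_stats()["x509_ca"]


def demonstrate(capath=None):
    """Constructed scenario: one hashed-name entry in an otherwise empty
    capath directory. OpenSSL only opens such files when a chain needs them,
    so an empty placeholder is enough to show the counting problem."""
    capath = capath or tempfile.mkdtemp(prefix="capath-demo-")
    with open(os.path.join(capath, "a1b2c3d4.0"), "w"):  # constructed name
        pass
    ca_certs, x509_ca = loaded_ca_counts(capath)
    return {
        "capath": capath,
        "filesystem_check": ca_store_looks_populated(capath=capath),
        "get_ca_certs": ca_certs,
        "x509_ca_stat": x509_ca,
    }


if __name__ == "__main__":
    result = demonstrate()
    print(f"capath            : {result['capath']}")
    print(f"filesystem check  : {result['filesystem_check']}")   # True
    print(f"len(get_ca_certs): {result['get_ca_certs']}")        # 0
    print(f"x509_ca stat      : {result['x509_ca_stat']}")       # 0
```

On a Debian-style trust store (`/etc/ssl/certs` as a hashed directory, possibly with no bundle file configured in Python's defaults) the pre-check sees `0` and aborts, while the handshake itself would have verified the chain just fine. Dropping the pre-check, as the maintainer did, is the simplest fix: a missing CA then surfaces as a verification failure at connect time, which is the condition the plugin is meant to report anyway.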

jan closed this issue 2021-03-07 14:15:06 +01:00
Owner

@pitchum thanks for reporting the issue. I could reproduce it in a Debian Buster container and removing the CA certificate statistics fixed the issue.

Author

Thanks for the fix. I hope it will be available in Debian Bullseye.

Owner

I just uploaded the package to Debian unstable and if there are no new bugs found in the next few days it should go into Bullseye. We are in the soft-freeze already but the change should be minor enough.

Reference: jan/check_xmppng#2