jan/check_xmppng
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Check fails (no CA certificates found) #2

New issue
Closed
opened 2021-03-07 12:02:24 +01:00 by Ghost · 3 comments
Ghost commented 2021-03-07 12:02:24 +01:00
Copy link

On a Debian host, check_xmppng yields wrong results when trying to check certificates.
Example:

$ ./check_xmppng -H xmpp.chapril.org --servername chapril.org --warn-days 15 --crit-days 8 --s2s
XMPP CRITICAL - request took unknownNone (no CA certificates found) | time=unknown

What's troubling me is that the same command works fine when run on an Archlinux host. So it is probably a bug in packaging python, either in Archlinux or in Debian.

But I think this problem can be solved in check_xmppng by removing these lines check_xmppng#L338-L345.

My understanding is that check_xmppng first tries to make sure that some CA certificates are present before performing the real check. But it cannot work. As stated in python's doc ssl.SSLContext.get_ca_certs, certificates in a capath directory aren’t loaded unless they have been used at least once.

What do you think?

On a Debian host, check_xmppng yields wrong results when trying to check certificates. Example: ``` $ ./check_xmppng -H xmpp.chapril.org --servername chapril.org --warn-days 15 --crit-days 8 --s2s XMPP CRITICAL - request took unknownNone (no CA certificates found) | time=unknown ``` What's troubling me is that the same command works fine when run on an Archlinux host. So it is probably a bug in packaging python, either in Archlinux or in Debian. But I think this problem can be solved in check_xmppng by removing these lines [check_xmppng#L338-L345](https://git.dittberner.info/jan/check_xmppng/src/commit/787115b4bb8020b2810612c01d35511c7aa55421/check_xmppng#L338-L345 ). My understanding is that check_xmppng first tries to make sure that some CA certificates are present before performing the real check. But it cannot work. As stated in python's doc [ssl.SSLContext.get_ca_certs](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.get_ca_certs ), certificates in a capath directory aren’t loaded unless they have been used at least once. What do you think?
jan closed this issue 2021-03-07 14:15:06 +01:00
jan commented 2021-03-07 14:16:40 +01:00
Owner
Copy link

@pitchum thanks for reporting the issue. I could reproduce it in a Debian Buster container and removing the CA certificate statistics fixed the issue.

@pitchum thanks for reporting the issue. I could reproduce it in a Debian Buster container and removing the CA certificate statistics fixed the issue.
Ghost commented 2021-03-07 14:27:18 +01:00
Author
Copy link

Thanks for the fix. I hope it will be available in Debian Bullseye.

Thanks for the fix. I hope it will be available in Debian Bullseye.
jan commented 2021-03-07 15:22:39 +01:00
Owner
Copy link

I just uploaded the package to Debian unstable and if there are no new bugs found in the next few days it should go into Bullseye. We are in the soft-freeze already but the change should be minor enough.

I just uploaded the package to Debian unstable and if there are no new bugs found in the next few days it should go into Bullseye. We are in the soft-freeze already but the change should be minor enough.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
debian
jessie-backports
debian/0.3.3-1
0.3.3
debian/0.3.2-3
debian/0.3.2-2
debian/0.3.2-1
0.3.2
0.3.1
debian/0.3.0-1
0.3.0
debian/0.2.1-1
0.2.1
debian/0.2-1
0.2
debian/0.1.2-1.bpo8+1
debian/0.1.2-1
0.1.2
0.1.1
0.1
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: jan/check_xmppng#2
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?