FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
-
dwhitfield
- Former Nagios Staff
- Posts: 4583
- Joined: Wed Sep 21, 2016 10:29 am
- Location: NoLo, Minneapolis, MN
- Contact:
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
I suspect this will tell us it's open, but just to see if it's using a different mechanism, from XI, please run nmap remotehost -p 990
Is this FTP server accessible from the Internet? Would it be possible for you to PM one of the techs details so we can test? I understand if not, but it's worth a shot. Also, are you a customer by chance? If so, you could submit a ticket at https://support.nagios.com/tickets/ and we could set up a WebEx session.
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Starting Nmap 6.25 ( http://nmap.org ) at 2017-12-29 13:00 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.08 seconds
Think it's time for me to engage the network team here.
-
dwhitfield
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Maybe, but ping could be rejected and tcp still work. Did you try the -Pn that the nmap command suggests?
Based on https://github.com/matteocorti/check_ssl_cert/issues/7 , this looks like it might have been a bug that was fixed. What's the output of ./check_ssl_cert --version?
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Just did. That ruled it out.
-bash-4.1$ nmap HOSTNAME -p 990 -Pn
Starting Nmap 6.25 ( http://nmap.org ) at 2017-12-29 17:19 EST
Nmap scan report for HOSTNAME (xxx.xxx.xxx.xxx)
Host is up (0.029s latency).
PORT STATE SERVICE
990/tcp open ftps
-
dwhitfield
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
I suspect because it's a new install, but what's the output of ./check_ssl_cert --version?
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Code:
check_ssl_cert version 1.60.0
-
kyang
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Could you run this command and post the output of this command?
This will show all of the debugging information.
Code:
./check_ssl_cert -H <host> -P ftp -p 990 -d
For example, this is what I get when checking https on a non-http server.
I won't have a certificate because I don't have SSL configured.
Code:
Error: verify depth is 6; socket: Connection refused; connect:errno=111
SSL_CERT CRITICAL 192.168.4.174: No certificate returned
Let us know your results. Thanks!
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Code:
-bash-4.1$ ./check_ssl_cert -H [HOSTNAME] -P ftp -p 990 -d
[DBG] ROOT_CA =
expect available (/usr/bin/expect)
timeout available (/usr/bin/timeout)
[DBG] perl available: /usr/bin/perl
[DBG] date available: /bin/date
found GNU date with timestamp support: enabling date computations
[DBG] check_ssl_version: 1.60.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
[DBG] System info: Linux nagios1.bo3.e-dialog.com 2.6.32-642.6.1.el6.x86_64 #1 SMP Tue Oct 4 15:19:03 PDT 2016 x86_64 x86_64 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername [HOSTNAME]
'/usr/bin/openssl s_client' does not support '-xmpphost': disabling 'to' attribute
downloading certificate to /tmp
[DBG] [HOSTNAME] is not an IP address
[DBG] executing with timeout (15s): echo 'Q' | /usr/bin/openssl s_client -starttls ftp -connect [HOSTNAME]:990 -servername [HOSTNAME] -verify 6 2> /tmp/check_ssl_certozjMU7 1> /tmp/check_ssl_certvJVbln
[DBG] /usr/bin/timeout 15 /bin/sh -c "echo 'Q' | /usr/bin/openssl s_client -starttls ftp -connect [HOSTNAME]:990 -servername [HOSTNAME] -verify 6 2> /tmp/check_ssl_certozjMU7 1> /tmp/check_ssl_certvJVbln"
[DBG] storing a copy of the retrieved certificate in [HOSTNAME].crt
[DBG] storing a copy of the OpenSSL errors in [HOSTNAME].error
Error: verify depth is 6
SSL_CERT CRITICAL [HOSTNAME]: No certificate returned
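The debug output above shows `openssl s_client -starttls ftp` pointed at port 990. As an added example (not part of the thread and not check_ssl_cert's own code), this Python fetches an FTPS server certificate with either handshake style: explicit (plaintext greeting, then AUTH TLS) or implicit (TLS from the first byte, the usual convention on port 990). The port-based guess and all function names are assumptions of the example.

```python
import socket
import ssl

IMPLICIT_FTPS_PORT = 990  # by convention TLS starts with the first byte here


def ftps_mode(port):
    """Guess the handshake style from the port (an assumption; servers may differ)."""
    return "implicit" if port == IMPLICIT_FTPS_PORT else "explicit"


def read_reply(rfile):
    """Return the final line of one FTP reply, skipping '220-...' continuation lines."""
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("connection closed before a complete FTP reply")
        if line[:3].isdigit() and line[3:4] == b" ":
            return line.decode("ascii", "replace").rstrip()


def fetch_ftps_cert(host, port, mode=None, timeout=15):
    """Return the server certificate as PEM text; nothing is validated here."""
    mode = mode or ftps_mode(port)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # a monitor must still see expired or
    ctx.verify_mode = ssl.CERT_NONE  # self-signed certificates to report on them
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if mode == "explicit":
            # Plaintext first: greeting, then ask to upgrade the control channel.
            rfile = raw.makefile("rb")
            if not read_reply(rfile).startswith("220"):
                raise ConnectionError("no FTP greeting")
            raw.sendall(b"AUTH TLS\r\n")
            if not read_reply(rfile).startswith("234"):
                raise ConnectionError("server refused AUTH TLS")
        # Implicit mode skips straight to the TLS handshake.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
```

Calling `fetch_ftps_cert(host, 990, mode="explicit")` against an implicit-TLS listener waits for a greeting the server never sends and ends in a socket timeout rather than a certificate. The returned PEM can be piped to `openssl x509 -noout -enddate` to read the expiry date.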
-
kyang
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
I highly doubt it, since I am able to view my https cert on my server with the same openssl version.
Curious, but when you view this [DBG] storing a copy of the retrieved certificate in [HOSTNAME].crt.
Does this file have your cert inside? Most likely, the error is what it means. SSL_CERT CRITICAL [HOSTNAME]: No certificate returned
Here's mine for example. (a bunch of other things as well, I just cut it off.)
Thanks, and let us know!
Code:
[root@localhost check_ssl_cert-1.60.0]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
Code:
cat [HOSTNAME].crt
Code:
[root@localhost check_ssl_cert-1.60.0]# cat 192.168.4.125.crt
CONNECTED(00000003)
---
Certificate chain
0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEDjCCAvagAwIBAgICNUMwDQYJKoZIhvcNAQELBQAwgbsxCzAJBgNVBAYTAi0t
MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK
DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV
bml0MR4wHAYDVQQDDBVsb2NhbGhvc3QubG9jYWxkb21haW4xKTAnBgkqhkiG9w0B