Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Posted: Fri Dec 29, 2017 10:12 am
by dwhitfield
I suspect this will tell us it's open, but just to see if it's using a different mechanism, from XI, please run
nmap remotehost -p 990
Is this FTP server accessible from the Internet? Would it be possible for you to PM one of the techs details so we can test? I understand if not, but it's worth a shot. Also, are you a customer by chance? If so, you could submit a ticket at https://support.nagios.com/tickets/ and we could set up a WebEx session.
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Posted: Fri Dec 29, 2017 1:05 pm
by sav2880
Starting Nmap 6.25 ( http://nmap.org ) at 2017-12-29 13:00 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.08 seconds
Think it's time for me to engage the network team here.

Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Posted: Fri Dec 29, 2017 1:33 pm
by dwhitfield
Maybe, but ping could be rejected and TCP still work. Did you try the -Pn that the nmap command suggests?
Based on https://github.com/matteocorti/check_ssl_cert/issues/7 , this looks like it might have been a bug that was fixed. What's the output of ./check_ssl_cert --version?
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Posted: Fri Dec 29, 2017 5:20 pm
by sav2880
Just did. That ruled it out.
-bash-4.1$ nmap HOSTNAME -p 990 -Pn
Starting Nmap 6.25 ( http://nmap.org ) at 2017-12-29 17:19 EST
Nmap scan report for HOSTNAME (xxx.xxx.xxx.xxx)
Host is up (0.029s latency).
PORT STATE SERVICE
990/tcp open ftps
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Posted: Mon Jan 01, 2018 4:09 pm
by dwhitfield
I suspect because it's a new install, but what's the output of ./check_ssl_cert --version?
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Posted: Thu Jan 04, 2018 2:46 pm
by sav2880
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Posted: Thu Jan 04, 2018 4:44 pm
by kyang
Could you run this command and post the output?
Code:
./check_ssl_cert -H <host> -P ftp -p 990 -d
This will show all of the debugging information.
For example, this is what I get when checking https on a non-http server.
Code:
Error: verify depth is 6; socket: Connection refused; connect:errno=111
SSL_CERT CRITICAL 192.168.4.174: No certificate returned
I won't have a certificate because I don't have SSL configured.
Let us know your results. Thanks!
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Posted: Tue Jan 09, 2018 1:57 pm
by sav2880
Code:
-bash-4.1$ ./check_ssl_cert -H [HOSTNAME] -P ftp -p 990 -d
[DBG] ROOT_CA =
expect available (/usr/bin/expect)
timeout available (/usr/bin/timeout)
[DBG] perl available: /usr/bin/perl
[DBG] date available: /bin/date
found GNU date with timestamp support: enabling date computations
[DBG] check_ssl_version: 1.60.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
[DBG] System info: Linux nagios1.bo3.e-dialog.com 2.6.32-642.6.1.el6.x86_64 #1 SMP Tue Oct 4 15:19:03 PDT 2016 x86_64 x86_64 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername [HOSTNAME]
'/usr/bin/openssl s_client' does not support '-xmpphost': disabling 'to' attribute
downloading certificate to /tmp
[DBG] [HOSTNAME] is not an IP address
[DBG] executing with timeout (15s): echo 'Q' | /usr/bin/openssl s_client -starttls ftp -connect [HOSTNAME]:990 -servername [HOSTNAME] -verify 6 2> /tmp/check_ssl_certozjMU7 1> /tmp/check_ssl_certvJVbln
[DBG] /usr/bin/timeout 15 /bin/sh -c "echo 'Q' | /usr/bin/openssl s_client -starttls ftp -connect [HOSTNAME]:990 -servername [HOSTNAME] -verify 6 2> /tmp/check_ssl_certozjMU7 1> /tmp/check_ssl_certvJVbln"
[DBG] storing a copy of the retrieved certificate in [HOSTNAME].crt
[DBG] storing a copy of the OpenSSL errors in [HOSTNAME].error
Error: verify depth is 6
SSL_CERT CRITICAL [HOSTNAME]: No certificate returned
Possible that the older version of OpenSSL is affecting this?
Re: FTPS (FTP over SSL) Certificate Monitoring [CORRECTED]
Posted: Tue Jan 09, 2018 5:19 pm
by kyang
I highly doubt it, since I am able to view my https cert on my server with the same openssl version.
Code:
[root@localhost check_ssl_cert-1.60.0]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
Curious, but when you view this
[DBG] storing a copy of the retrieved certificate in [HOSTNAME].crt.
Does this file have your cert inside? Most likely, the error is what it means.
SSL_CERT CRITICAL [HOSTNAME]: No certificate returned
Here's mine for example. (a bunch of other things as well, I just cut it off.)
Code:
[root@localhost check_ssl_cert-1.60.0]# cat 192.168.4.125.crt
CONNECTED(00000003)
---
Certificate chain
0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEDjCCAvagAwIBAgICNUMwDQYJKoZIhvcNAQELBQAwgbsxCzAJBgNVBAYTAi0t
MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK
DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV
bml0MR4wHAYDVQQDDBVsb2NhbGhvc3QubG9jYWxkb21haW4xKTAnBgkqhkiG9w0B
Thanks, and let us know!
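An added example, not part of the thread or of check_ssl_cert: one way to answer the question above about whether the stored [HOSTNAME].crt copy actually contains a certificate, by classifying the saved `openssl s_client` capture. The function names and the sample captures are hypothetical and constructed for illustration.

```shell
#!/bin/bash
# Added example (hypothetical helper, not part of check_ssl_cert).
# Classifies a saved `openssl s_client` capture such as [HOSTNAME].crt.
classify_s_client_capture() {
    local file="$1" begins ends
    if [ ! -s "$file" ]; then
        echo "empty"; return 0              # nothing captured at all
    fi
    if ! grep -q '^CONNECTED(' "$file"; then
        echo "not-connected"; return 0      # TCP connection never came up
    fi
    # grep -c prints 0 but exits non-zero when nothing matches, hence "|| true"
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$file" || true)
    if [ "$begins" -eq 0 ]; then
        echo "connected-no-cert"            # connected, but no certificate block in the output
    elif [ "$ends" -lt "$begins" ]; then
        echo "truncated-cert"               # PEM block started but never closed
    else
        echo "cert-present"
    fi
}

# Print the subject of the depth-0 (server) certificate from the chain listing.
leaf_subject() {
    sed -n 's/^ *0 s://p' "$1" | head -n 1
}

# Constructed sample captures (not real server output).
demo() {
    local tmp; tmp=$(mktemp)
    printf '%s\n' 'CONNECTED(00000003)' '---' 'no peer certificate available' > "$tmp"
    echo "no-cert sample:   $(classify_s_client_capture "$tmp")"
    printf '%s\n' 'CONNECTED(00000003)' '---' 'Certificate chain' \
        ' 0 s:/CN=ftps.example.invalid' '   i:/CN=Example Test CA' '---' \
        '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' > "$tmp"
    echo "with-cert sample: $(classify_s_client_capture "$tmp") ($(leaf_subject "$tmp"))"
    rm -f "$tmp"
}
demo
```

A result of `connected-no-cert` or `empty` matches the plugin's "No certificate returned" message; the companion [HOSTNAME].error file holds the OpenSSL errors for the same run.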