
Update handling of performance data metrics to allow emitting negative expiration values #529

Closed
atc0005 opened this issue Feb 28, 2023 · 0 comments · Fixed by #534
Comments

atc0005 commented Feb 28, 2023

Overview

Currently, the check_cert plugin uses 0 as the minimum expiration value for expires_leaf and expires_intermediate metrics.

Here is an example of checking expired.badssl.com:

$ check_cert.exe --server expired.badssl.com
4:45PM ERR cmd\check_cert\main.go:428 > validation checks failed for certificate chain error="summary: 1 of 3 validation checks failed" age_critical=15 age_warning=30 app_type=plugin apply_expiration_validation_results=true apply_hostname_validation_results=true apply_sans_list_validation_results=false cert_check_timeout=10s checks_failed=1 checks_ignored=1 checks_successful=1 checks_total=3 expected_sans_entries= filename= logging_level=info port=443 server=expired.badssl.com version="check-cert x.y.z (https://github.com/atc0005/check-cert)"
CRITICAL: Expiration validation failed: leaf cert "*.badssl.com" expired 2878d 22h ago (on 2015-04-12 23:59:59 +0000 UTC) [checks: 1 IGNORED (SANs List), 1 FAILED (Expiration), 1 SUCCESSFUL (Hostname)]

**VALIDATION ERRORS**

* expiration validation failed: expired certificates found

**VALIDATION CHECKS REPORT**

3 certs retrieved for service running on expired.badssl.com (104.154.89.105) at port 443 using host value "expired.badssl.com"


PROBLEM RESULTS:

[!!] Expiration validation failed: leaf cert "*.badssl.com" expired 2878d 22h ago (on 2015-04-12 23:59:59 +0000 UTC)

Certificate 1 of 3 (leaf):
        Name: CN=*.badssl.com,OU=Domain Control Validated+OU=PositiveSSL Wildcard
        SANs entries: [*.badssl.com badssl.com]
        Issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
        Serial: 4A:E7:95:49:FA:9A:BE:3F:10:0F:17:A4:78:E1:69:09
        Issued On: 2015-04-09 00:00:00 +0000 UTC
        Expiration: 2015-04-12 23:59:59 +0000 UTC
        Status: [EXPIRED] 2878d 22h ago

Certificate 2 of 3 (intermediate):
        Name: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
        SANs entries: []
        Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
        Serial: 2B:2E:6E:EA:D9:75:36:6C:14:8A:6E:DB:A3:7C:8C:07
        Issued On: 2014-02-12 00:00:00 +0000 UTC
        Expiration: 2029-02-11 23:59:59 +0000 UTC
        Status: [OK] 2175d 1h remaining

Certificate 3 of 3 (intermediate):
        Name: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
        SANs entries: []
        Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
        Serial: 27:66:EE:56:EB:49:F3:8E:AB:D7:70:A2:FC:84:DE:22
        Issued On: 2000-05-30 10:48:38 +0000 UTC
        Expiration: 2020-05-30 10:48:38 +0000 UTC
        Status: [EXPIRED] 1004d 11h ago


IGNORED RESULTS:

[--] SANs List validation ignored: 0 SANs entries specified, 2 SANs entries on leaf cert [0 EXPECTED, 0 MISSING, 0 UNEXPECTED]


SUCCESS RESULTS:

[OK] Hostname validation using value "expired.badssl.com" successful for leaf certificate

 | 'certs_present_intermediate'=2;;;; 'certs_present_leaf'=1;;;; 'certs_present_root'=0;;;; 'certs_present_unknown'=0;;;; 'expires_intermediate'=0d;30;15;0; 'expires_leaf'=0d;30;15;0; 'time'=127ms;;;;

Instead of stopping at zero, it is likely more useful to emit the actual days past expiration so that systems collecting metrics can show how long a certificate stays in an expired state before it is replaced.

0 was set as the min field for both metrics as part of GH-475, so that will also need to be changed if we update the logic to emit negative expiration values.

References

@atc0005 atc0005 added documentation Improvements or additions to documentation question Further information is requested plugin/check_cert output/perfdata Service Perf Data (aka, "performance data") labels Feb 28, 2023
@atc0005 atc0005 added this to the v0.12.0 milestone Feb 28, 2023
@atc0005 atc0005 self-assigned this Feb 28, 2023
atc0005 added a commit that referenced this issue Mar 2, 2023
- remove the limiter that disallowed negative expiration
  value (returning 0 as the baseline)
- remove the `min` perfdata field value of 0 indicating that
  this was as low as the metric value could go

refs GH-529
@atc0005 atc0005 removed the question Further information is requested label Mar 2, 2023
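As an added illustration (not the check-cert project's own code), the following Go program contrasts the two behaviours the issue and the referenced commit describe: clamping the expiration day count at zero with a `min` field of 0, versus emitting the real (negative) day count with the `min` field left empty. The function names are hypothetical, the perfdata layout `'label'=value[UOM];warn;crit;min;max` is assumed from the standard plugin perfdata format, and the timestamps are taken from the output above.

```go
package main

import (
	"fmt"
	"time"
)

// daysUntilExpiration returns the whole number of days from now until
// notAfter. A negative result means the certificate expired that many
// days ago (Go's int conversion truncates toward zero, so 2878d 22h
// past expiration yields -2878, matching the plugin's "2878d 22h ago").
func daysUntilExpiration(notAfter, now time.Time) int {
	return int(notAfter.Sub(now).Hours() / 24)
}

// formatExpiresMetric renders one 'expires_<label>' perfdata entry.
// allowNegative=false reproduces the pre-change behaviour described in
// the issue: the value is clamped at 0 and min is emitted as 0.
// allowNegative=true reflects the commit: the actual day count is
// emitted (negative once expired) and the min field is left empty.
func formatExpiresMetric(label string, days, warn, crit int, allowNegative bool) string {
	if allowNegative {
		return fmt.Sprintf("'expires_%s'=%dd;%d;%d;;", label, days, warn, crit)
	}
	if days < 0 {
		days = 0 // hide how long the cert has been expired (old behaviour)
	}
	return fmt.Sprintf("'expires_%s'=%dd;%d;%d;0;", label, days, warn, crit)
}

func main() {
	// Constructed "now": roughly when the issue's sample run happened
	// (4:45PM local on 2023-02-28, taken here as 22:45 UTC).
	now := time.Date(2023, 2, 28, 22, 45, 0, 0, time.UTC)
	// Expiration timestamps from the sample output above.
	leaf := time.Date(2015, 4, 12, 23, 59, 59, 0, time.UTC)
	intermediate := time.Date(2029, 2, 11, 23, 59, 59, 0, time.UTC)

	// Thresholds match age_warning=30 / age_critical=15 from the sample run.
	for _, allowNegative := range []bool{false, true} {
		fmt.Printf("allowNegative=%v: %s %s\n", allowNegative,
			formatExpiresMetric("leaf", daysUntilExpiration(leaf, now), 30, 15, allowNegative),
			formatExpiresMetric("intermediate", daysUntilExpiration(intermediate, now), 30, 15, allowNegative))
	}
}
```

With negative values allowed, a metrics backend can graph how long a certificate lingers in the expired state instead of seeing a flat 0.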