Expiry warning breaks when insecure option is used #67

Closed
cronnelly opened this issue Mar 15, 2017 · 12 comments
@cronnelly

The wrong expiry date is calculated when the -k (insecure) option is passed in. This then breaks expiry warning functionality.

For example:

/opt/sensu/embedded/bin/ruby check-http.rb -s -e 10000 -u 'https://www.google.com/'
CheckHttp WARNING: Certificate will expire 2017-05-17 08:58:00 UTC

And then with -k:

/opt/sensu/embedded/bin/ruby check-http.rb -s -e 10000 -u 'https://www.google.com/' -k
CheckHttp WARNING: Certificate will expire 2018-08-21 04:00:00 UTC

@majormoses majormoses added the Bug label May 8, 2017
@majormoses
Member

That is very interesting indeed. I have replicated at least a partial issue against master:

$ ./bin/check-http.rb -s -e 1000 -u https://sensuapp.org
CheckHttp WARNING: Certificate will expire 2019-06-02 23:59:59 UTC
$ ./bin/check-http.rb -s -k -e 1000 -u https://sensuapp.org
CheckHttp OK: 200, 147557 bytes

@majormoses
Member

What's strange is that, other than its declaration, the only place I see it used is here: https://github.com/sensu-plugins/sensu-plugins-http/blob/2.0.2/bin/check-http.rb#L248

@majormoses
Member

I verified that this does not change depending on the option: https://github.com/sensu-plugins/sensu-plugins-http/blob/2.0.2/bin/check-http.rb#L251

@majormoses
Member

Here is where it's actually warning: https://github.com/sensu-plugins/sensu-plugins-http/blob/2.0.2/bin/check-http.rb#L297-L299
I validated that the presence or lack of -k does modify the value of warn_cert_expire and returns nil rather than the time object we expect.

@majormoses
Member

I notice an unrelated bug:
We use expire_warn_date = Time.now + (config[:expiry] * 60 * 60 * 24), which returns local time, yet the datetime object returned back is in UTC; this can be fixed by using expire_warn_date = Time.now.utc + (config[:expiry] * 60 * 60 * 24)

@majormoses
Member

majormoses commented May 9, 2017

I can get it to fail with a self-signed cert:

$ ./bin/check-http.rb -k -s -e 1118 -u https://sensuapp.org
"#################"
"preverify_ok:     false"
"expire_warn_date: 2020-05-31 04:41:42 UTC"
"ssl_context:      2073956768635082639"
"expires:          2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is less than 2020-05-31 04:41:42 UTC"
2020-05-30 10:48:38 UTC
CheckHttp WARNING: Certificate will expire 2020-05-30 10:48:38 UTC

And here it is passing:

$ ./bin/check-http.rb -k -s -e 1117 -u https://sensuapp.org
"#################"
"preverify_ok:     false"
"expire_warn_date: 2020-05-30 04:42:23 UTC"
"ssl_context:      -3923783692178329667"
"expires:          2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is greater than 2020-05-30 04:42:23 UTC"
nil
CheckHttp OK: 200, 147557 bytes

@majormoses
Member

Using the same thresholds, both fail:

$ ./bin/check-http.rb -s -e 1117 -u https://sensuapp.org
"#################"
"preverify_ok:     true"
"expire_warn_date: 2020-05-30 04:43:14 UTC"
"ssl_context:      -2011395565126727710"
"expires:          2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is greater than 2020-05-30 04:43:14 UTC"
"#################"
"preverify_ok:     true"
"expire_warn_date: 2020-05-30 04:43:14 UTC"
"ssl_context:      777758307400937002"
"expires:          2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is greater than 2020-05-30 04:43:14 UTC"
"#################"
"preverify_ok:     true"
"expire_warn_date: 2020-05-30 04:43:14 UTC"
"ssl_context:      217984350180844890"
"expires:          2029-02-11 23:59:59 UTC"
"2029-02-11 23:59:59 UTC is greater than 2020-05-30 04:43:14 UTC"
"#################"
"preverify_ok:     true"
"expire_warn_date: 2020-05-30 04:43:14 UTC"
"ssl_context:      1108742464139091790"
"expires:          2019-06-02 23:59:59 UTC"
"2019-06-02 23:59:59 UTC is less than 2020-05-30 04:43:14 UTC"
2019-06-02 23:59:59 UTC
CheckHttp WARNING: Certificate will expire 2019-06-02 23:59:59 UTC
$ ./bin/check-http.rb -s -e 1118 -u https://sensuapp.org
"#################"
"preverify_ok:     true"
"expire_warn_date: 2020-05-31 04:43:33 UTC"
"ssl_context:      -2025936412499420192"
"expires:          2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is less than 2020-05-31 04:43:33 UTC"
"#################"
"preverify_ok:     true"
"expire_warn_date: 2020-05-31 04:43:33 UTC"
"ssl_context:      3906575624049521192"
"expires:          2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is less than 2020-05-31 04:43:33 UTC"
"#################"
"preverify_ok:     true"
"expire_warn_date: 2020-05-31 04:43:33 UTC"
"ssl_context:      1171332554718302776"
"expires:          2029-02-11 23:59:59 UTC"
"2029-02-11 23:59:59 UTC is greater than 2020-05-31 04:43:33 UTC"
"#################"
"preverify_ok:     true"
"expire_warn_date: 2020-05-31 04:43:33 UTC"
"ssl_context:      942514266819725152"
"expires:          2019-06-02 23:59:59 UTC"
"2019-06-02 23:59:59 UTC is less than 2020-05-31 04:43:33 UTC"
2019-06-02 23:59:59 UTC
CheckHttp WARNING: Certificate will expire 2019-06-02 23:59:59 UTC

@majormoses
Member

Looks like one of the certs is set to expire, and my guess would be an intermediate cert, but I have not verified this. I will try to take a look tomorrow if I have some time.

@majormoses
Member

Looks like it's Comodo's (in this case) that makes it fail with the full chain:

$ ./bin/check-http.rb -s -e 1117 -u https://sensuapp.org
"#################"
"preverify_ok:     true"
"expire_warn_date: 2020-05-30 05:02:43 UTC"
"ssl_context:      /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root"
"expires:          2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is greater than 2020-05-30 05:02:43 UTC"
"#################"
"preverify_ok:     true"
"expire_warn_date: 2020-05-30 05:02:43 UTC"
"ssl_context:      /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root"
"expires:          2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is greater than 2020-05-30 05:02:43 UTC"
"#################"
"preverify_ok:     true"
"expire_warn_date: 2020-05-30 05:02:43 UTC"
"ssl_context:      /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority"
"expires:          2029-02-11 23:59:59 UTC"
"2029-02-11 23:59:59 UTC is greater than 2020-05-30 05:02:43 UTC"
"#################"
"preverify_ok:     true"
"expire_warn_date: 2020-05-30 05:02:43 UTC"
"ssl_context:      /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA"
"expires:          2019-06-02 23:59:59 UTC"
"2019-06-02 23:59:59 UTC is less than 2020-05-30 05:02:43 UTC"
2019-06-02 23:59:59 UTC
CheckHttp WARNING: Certificate will expire 2019-06-02 23:59:59 UTC

Whereas the cert itself does not:

$ ./bin/check-http.rb -k -s -e 1117 -u https://sensuapp.org
"#################"
"preverify_ok:     false"
"expire_warn_date: 2020-05-30 05:02:27 UTC"
"ssl_context:      /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root"
"expires:          2020-05-30 10:48:38 UTC"
"2020-05-30 10:48:38 UTC is greater than 2020-05-30 05:02:27 UTC"
nil
CheckHttp OK: 200, 147557 bytes

@majormoses
Member

@cronnelly can you verify the same behavior by running the equivalent commands against your env?
I have pushed the debug statements that will give you similar output to above: https://github.com/sensu-plugins/sensu-plugins-http/blob/feature/debug-self-signed/bin/check-http.rb

@majormoses
Member

majormoses commented May 11, 2017

@cronnelly you might consider using the sensu-plugins-ssl checks, as they are more geared towards this. I do see there is an option to skip the chain verification: https://github.com/sensu-plugins/sensu-plugins-ssl/blob/master/bin/check-ssl-host.rb#L96
Even if we don't fix this, I would certainly like to document this behavior and recommendations.

@majormoses
Copy link
Member

I spoke with @eheydrick about this; I don't see anyone "fixing" this unless you want to donate one. I will put together a PR to document this though, as it's certainly a gotcha.
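
The gotcha discussed in this thread, that an expiry warning can come from another certificate in the chain rather than the site's own, shown as an added example (not the plugin's code): it reports expiry per certificate and lets the caller evaluate the whole chain or the leaf only. The certificates, names, dates and the helpers make_cert, expiry_report and check are constructed for illustration.

```ruby
require 'openssl'

# Build a constructed certificate (sample data, not a real CA or site).
def make_cert(cn, not_after, issuer: nil, issuer_key: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.utc(2017, 1, 1)
  cert.not_after = not_after
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# One row per chain entry; index 0 is the leaf, as in SSLSocket#peer_cert_chain.
def expiry_report(chain, days, now: Time.now.utc)
  warn_at = now + days * 86_400
  chain.each_with_index.map do |cert, i|
    { role: i.zero? ? :leaf : :issuer, subject: cert.subject.to_s,
      not_after: cert.not_after.utc, expiring: cert.not_after < warn_at }
  end
end

# Warn on the earliest-expiring certificate, over the whole chain or the leaf only.
def check(chain, days, now: Time.now.utc, leaf_only: false)
  rows = expiry_report(chain, days, now: now)
  rows = rows.first(1) if leaf_only
  hit = rows.select { |r| r[:expiring] }.min_by { |r| r[:not_after] }
  hit ? [:warning, hit[:subject], hit[:not_after]] : [:ok, nil, nil]
end

# Constructed chain and clock: the intermediate expires before the leaf.
NOW = Time.utc(2017, 5, 9)
root, root_key = make_cert('Constructed Root', Time.utc(2029, 2, 11))
inter, inter_key = make_cert('Constructed Intermediate', Time.utc(2019, 6, 2),
                             issuer: root, issuer_key: root_key)
leaf, = make_cert('leaf.example', Time.utc(2020, 5, 30),
                  issuer: inter, issuer_key: inter_key)
CHAIN = [leaf, inter, root].freeze

p check(CHAIN, 1000, now: NOW)                  # whole chain
p check(CHAIN, 1000, now: NOW, leaf_only: true) # leaf only
```

Reporting the subject alongside the date makes it clear which certificate triggered the warning, so a leaf-only result is not mistaken for a chain-wide one.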
