Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x509_cert input: certificate validation is not working as expected #6156

Closed
the-smooth-operator opened this issue Jul 23, 2019 · 1 comment · Fixed by #6159
Closed

x509_cert input: certificate validation is not working as expected #6156

the-smooth-operator opened this issue Jul 23, 2019 · 1 comment · Fixed by #6159
Assignees
@glinton
Labels
bug unexpected problem or unintended behavior

Comments

@the-smooth-operator
Copy link
Contributor

the-smooth-operator commented Jul 23, 2019
edited by glinton
Loading

Relevant telegraf.conf:

[[outputs.file]]

[[inputs.x509_cert]]
  sources = [
    "https://sha512.badssl.com:443",
    "https://expired.badssl.com:443",
    "https://preact-cli.badssl.com:443",
    "https://google.com:443",
  ]

System info:

Built from master rev. b9cb606
Linux.

Steps to reproduce:

  1. paste that configuration into a file
  2. build Telegraf from master and run ./telegraf --config config.conf --test

Expected behavior:

I don't see any verification_error

Actual behavior:

The parsing is reporting first an invalid cert, and later a valid one. This happens with all the sites I tested.

> x509_cert,common_name=*.badssl.com,country=US,host=banbao,locality=Walnut\ Creek,organization=Lucas\ Garron,province=California,source=https://sha512.badssl.com:443,verification=invalid age=74079777i,enddate=1585137600i,expiry=21262622i,startdate=1489795200i,verification_code=1i,verification_error="x509: certificate signed by unknown authority" 1563874978000000000
> x509_cert,common_name=DigiCert\ SHA2\ Secure\ Server\ CA,country=US,host=banbao,organization=DigiCert\ Inc,source=https://sha512.badssl.com:443,verification=valid age=201130977i,enddate=1678276800i,expiry=114401822i,startdate=1362744000i,verification_code=0i 1563874978000000000

> x509_cert,common_name=www.google.com,country=US,host=banbao,locality=Mountain\ View,organization=Google\ LLC,province=California,source=https://www.google.com:443,verification=invalid age=3028799i,enddate=1568103300i,expiry=4228322i,startdate=1560846178i,verification_code=1i,verification_error="x509: certificate signed by unknown authority" 1563874978000000000
> x509_cert,common_name=Google\ Internet\ Authority\ G3,country=US,host=banbao,organization=Google\ Trust\ Services,source=https://www.google.com:443,verification=valid age=66390135i,enddate=1639526442i,expiry=75651464i,startdate=1497484842i,verification_code=0i 1563874978000000000

Additional info:

The feature was merged yesterday on #6143
@glinton glinton added the bug unexpected problem or unintended behavior label Jul 23, 2019
@glinton glinton self-assigned this Jul 23, 2019
@glinton glinton mentioned this issue Jul 23, 2019
Merged
einar added a commit to SUNET/docker-influxdb2 that referenced this issue Nov 5, 2020
@einar
Well that didnt work, found out we run quite old Telegraf v1.10.4 tha…
40d4d48 
…t has certificate bugs ("influxdata/telegraf#6156"). Will see how to proceed next week (probably update or clone Telegraf)
@faabsen
Copy link

faabsen commented Apr 14, 2021
edited
Loading

It seems like the bug is stillt around, after using the image (v1.18.0/v1.18.1) from docker hub I can reproduce similar errors:
depending on how the URLs are specified (the order is important) there are different, faulty results. Anyone having a similar behavior?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@glinton glinton

Labels
bug unexpected problem or unintended behavior
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add intermediates when verifying cert in x509 input influxdata/telegraf
3 participants
@faabsen @glinton @the-smooth-operator