Add certificate verification status to x509_cert input #6143
Conversation
glinton
added
the
feat
| } | ||
|
|
||
| func (c *X509Cert) getCert(u *url.URL, timeout time.Duration) ([]*x509.Certificate, *tls.Config, error) { | ||
| tlsCfg, err := c.ClientConfig.TLSConfig() |
There was a problem hiding this comment.
It would make sense to set this up once in an Init function. Since it is used in the parent function, I would have this function take the tls.Config instead of returning it.
| fields := getFields(cert, now) | ||
| tags := getTags(cert.Subject, location) | ||
|
|
||
| opts := x509.VerifyOptions{} | ||
| if i == 0 { |
There was a problem hiding this comment.
Here would be a great place for a comment:
// The first certificate is the leaf/end-entity certificate which needs DNS
// name validation against the URL hostname.
| _, err = cert.Verify(opts) | ||
| if err == nil { | ||
| tags["validation"] = "success" | ||
| fields["validation"] = 0 |
There was a problem hiding this comment.
Don't name the tag and field with the same key since it is a bit tricky to query, instead use validation and validation_code.
I'm not totally on board with the validation key, the validation is always a success, its just that sometimes the cert is invalid. What do you think about verification=valid, verification=invalid. Sending the error is a bit of a new pattern, but I think it will work.
There was a problem hiding this comment.
I do like verification and verification_code
| } else { | ||
| tags["verification"] = "invalid" | ||
| fields["verification"] = 1 | ||
| fields["validation_error"] = err.Error() |
plugins/inputs/x509_cert/README.md
Outdated
| - fields: | ||
| - validation (int) | ||
| - validation_error (string) |
Resolves #4877
This always sets
insecure_skip_verifyas it verifies the cert once it's been collected/parsed.To verify a self-signed cert (remote endpoint or file), set the
tls_cato the self-signing ca, or the self-signed cert itself for validation to be successful.Alternate to #6139