Package: nagios-plugins-contrib Version: 21.20170222 Severity: important Dear Maintainer,
The check_ssl_cert plugin of nagios-plugins-contrib can't use TLS SNI due to a bug in the way it detects available options of `openssl s_client`. It use a fake option when running `openssl s_client` to check the output for the correct options. Here is the comment that explains this behaviour: 927 ################################################################################ 928 # Check if openssl s_client supports the -servername option 929 # 930 # openssl s_client does not have a -help option 931 # => We supply an invalid command line option to get the help 932 # on standard error 933 # This bug appears because the Debian Stretch's version of openssl now have a `-help` option: # openssl s_client not_a_real_option s_client: Use -help for summary. # openssl s_client -help Usage: s_client [options] Valid options are: ... Here is the output of check_ssl_cert on one of my domain that requires SNI: # /usr/lib/nagios/plugins/check_ssl_cert -v -H arcaik.net expect not available timeout available (/usr/bin/timeout) found GNU date with timestamp support: enabling date computations '/usr/bin/openssl s_client' does not support '-servername': disabling virtual server support downloading certificate to /tmp parsing the certificate file cannot find the CA Issuers in the certificate: disabling OCSP checks The certificate will expire in 3649 day(s) SSL_CERT CRITICAL subject=CN = vps01.br0.fr: Cannot verify certificate, self signed certificate|days=3649;;;; I can't use this version of check_ssl_cert to monitor my certs anymore. Is it possible to fix the script for the stable distribution? I already have a work around but I would rather use the Debian shipped plugins. Best regards -- System Information: Debian Release: 9.2 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) nagios-plugins-contrib depends on no packages. Versions of packages nagios-plugins-contrib recommends: ii bind9-host 1:9.10.3.dfsg.P4-12.3+deb9u3 pn binutils <none> pn freeipmi-tools <none> ii libc6 2.24-11+deb9u1 pn libdata-validate-domain-perl <none> pn libdata-validate-ip-perl <none> pn libdate-manip-perl <none> pn libdbd-mysql-perl <none> pn libio-socket-ssl-perl <none> pn libipc-run-perl <none> ii liblocale-gettext-perl 1.07-3+b1 pn liblwp-useragent-determined-perl <none> pn libmail-imapclient-perl <none> pn libmemcached11 <none> pn libmemcachedutil2 <none> ii libmonitoring-plugin-perl 0.39-1 pn libnet-cups-perl <none> ii libnet-dns-perl 1.07-1 pn libnet-dns-sec-perl <none> pn libnet-smtp-ssl-perl <none> pn libnet-smtp-tls-perl <none> pn libnet-smtpauth-perl <none> pn libnet-snmp-perl <none> pn libnet-ssleay-perl <none> pn libreadonly-perl <none> pn libredis-perl <none> pn libtimedate-perl <none> pn libvarnishapi1 <none> pn libwebinject-perl <none> pn libxml-simple-perl <none> pn libyaml-syck-perl <none> ii lsof 4.89+dfsg-0.1 pn nagios-plugins-basic <none> ii openssl 1.1.0f-3+deb9u1 ii perl 5.24.1-3+deb9u2 ii perl-base [libsocket-perl] 5.24.1-3+deb9u2 ii python 2.7.13-2 pn python-pymongo <none> ii ruby 1:2.3.3 ii snmp 5.7.3+dfsg-1.7 ii whois 5.2.17~deb9u1 Versions of packages nagios-plugins-contrib suggests: pn backuppc <none> pn cciss-vol-status <none> pn expect <none> pn libsys-virt-perl <none> pn moreutils <none> pn mpt-status <none> pn nagios-plugin-check-multi <none> pn percona-toolkit <none> pn perl-doc <none> ii python2.7 2.7.13-2 pn smstools <none> -- no debconf information