
certificate verify failed and unable to add cert into trusted #40

Open
zoell opened this issue Jun 21, 2016 · 10 comments

Comments


zoell commented Jun 21, 2016

Hi,

I am using a free StartSSL.com certificate at one of my applications and using this:
check-http.rb -s -u https://url_of_app:5520/test

I get the following error:
Request error: SSL_connect returned=1 errno=0 state=error: certificate verify failed

Any idea what is wrong? The certificate is not expired. Maybe I have to add it to the ca store somehow?

@eheydrick
Contributor

Hi @zoell. Sounds like the client is missing the root cert or the server isn't sending all the intermediate certs. You have a couple of options. You can add the CA root cert to sensu's openssl certs. You could pass the CA root cert to the plugin with the --cacert flag. The least desirable option would be to disable cert checking with the -k flag, but that's a generally insecure practice.

@eheydrick
Contributor

@zoell were you able to resolve this?


amwilson commented Dec 2, 2016

@eheydrick
How do you go about adding the CA root certs to sensu's openssl certs? Does this remove the need to use the --cacert flag?

I'm having this issue, but the code is generated from a list of hosts and only a few are affected by the missing intermediate, so I'd like to avoid adding more flags. Adding the intermediate to the system certs doesn't seem to have any effect on what the plugin is using.

@jothoma1

@amwilson
Did you find out how to add CA certs to sensu? I have a strange behaviour with the slack handler and it's probably something like this...
Thanks in advance

@amwilson

@jothoma1
A colleague of mine did some further investigation into this and found that even though the server was sending the full certificate chain, Ruby's Net::HTTP didn't utilise the supplied certs and still looked for the intermediate on disk in the CApath.

For now I'm just putting the intermediate into /opt/sensu/embedded/ssl/certs and regenerating the hashed filenames. This doesn't solve the issue with Windows nodes, however.
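An added example (not code from this thread or from the sensu plugin) illustrating the CApath workaround described above: a Ruby script builds a constructed root/intermediate/leaf chain in memory and checks the leaf against a directory of trusted certs, showing that the intermediate is only found once it sits under its hashed, c_rehash-style filename. The CA names and the `url_of_app` host are constructed placeholders.

```ruby
require 'openssl'
require 'tmpdir'

# Constructed root -> intermediate -> leaf chain, built in memory for the demo.
def make_cert(subject, key, serial:, ca:, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256')) # returns the signed cert
end

ROOT_KEY, INT_KEY, LEAF_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT  = make_cert('/CN=Constructed Root CA', ROOT_KEY, serial: 1, ca: true)
INTER = make_cert('/CN=Constructed Intermediate CA', INT_KEY, serial: 2, ca: true,
                  issuer: ROOT, issuer_key: ROOT_KEY)
LEAF  = make_cert('/CN=url_of_app', LEAF_KEY, serial: 3, ca: false,
                  issuer: INTER, issuer_key: INT_KEY)

# Verify the leaf against a CApath directory, as happens when the server sends
# only its own certificate. OpenSSL's hash-dir lookup opens just files named
# <subject hash>.N (the c_rehash layout), so a PEM saved under any other name
# is never consulted. Returns :ok or the verification error string.
def verify_via_capath(leaf, hashed_certs, unhashed_certs = [])
  Dir.mktmpdir do |dir|
    hashed_certs.each do |c|
      File.write(File.join(dir, format('%08x.0', c.subject.hash)), c.to_pem)
    end
    unhashed_certs.each_with_index do |c, i|
      File.write(File.join(dir, "intermediate-#{i}.pem"), c.to_pem)
    end
    store = OpenSSL::X509::Store.new
    store.add_path(dir)
    store.verify(leaf) ? :ok : store.error_string
  end
end

puts "root only, hashed:     #{verify_via_capath(LEAF, [ROOT])}"
puts "intermediate unhashed: #{verify_via_capath(LEAF, [ROOT], [INTER])}"
puts "intermediate rehashed: #{verify_via_capath(LEAF, [ROOT, INTER])}"
```

Loading a bundle of root plus intermediate with `OpenSSL::X509::Store#add_file` is the store-level counterpart of pointing the plugin at a bundle with --cacert.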


jothoma1 commented Mar 14, 2017

@amwilson Thanks for the info. For my case, I have stopped using the official slack handler and now I'm using a python one which works flawlessly :)

@majormoses majormoses added the Bug label May 8, 2017
@majormoses
Member

majormoses commented May 9, 2017

I think what Eric was trying to say is use this option: https://github.com/sensu-plugins/sensu-plugins-http/blob/master/bin/check-http.rb#L122-L125

If that does not work, I suspect it is as @amwilson says and there is an upstream bug.


vegardx commented May 15, 2017

I'd just like to point out that StartSSL has been deemed not trustworthy and removed from most systems. This started happening around October 2016 and should be in full effect now.

@majormoses
Member

I feel like we should rename this to reflect the issue being that it does not work with the current flags. We will not be doing anything by default to make any StartSSL certs work as they are not trusted for a legitimate reason...

@majormoses majormoses changed the title from "StartSSL, certificate verify failed" to "certificate verify failed and unable to add cert into trusted" on May 18, 2017
@luisgmuniz

Hi there!

Same problem here. In my case, the web server sends the intermediate certificates (so I haven't even tried to use --cacerts). Also, the certificate seems valid; I've verified it by means of openssl s_client URL:443/path.
Oddly enough, openssl s_client reports the certificate as valid, whereas the HTTP request returns an HTTP 400 error. That's kind of correct, because "/path/index.html" does exist, while "/index.html" doesn't.

So I'm starting to suspect that the problem is that the URL to check is of the form "https://URL/path", but at the same time "https://URL" does not exist.

8 participants