TLS Expiry not checking intermediate redirect targets #3921
Comments
|
One possibility that was discussed internally - is the expiration check handled in a separate https operation from the service check itself? Is there any chance that check is not sending SNI part of the interaction? This particular cert was being delivered from a proxy server that hands out the certs via SNI, and the "default" cert (with no SNI element) is not expired. |
|
|
|
Realized that easiest way to test this would just be to define a 90 day expiration warning on a server with a standard letsencrypt issued cert - that should fail almost immediately if the check is working properly. |
|
So I set a 95 day expiration warning - and immediately received alerts from a FEW of my services, but NOT all that I would have expected. Also noticed something additional - on ONE of the servers - the certificate error reported:
That particular server kicks over to google for OIDC authentication. It really shouldn't be reporting the certificate of the target server - especially when the ACTUAL certificate on that box is set to expire in about 34 days. It should be reporting the certificate status before redirections are applied. Hmm... That's what caused my initial problem, the servers that had the issue with all do redirects to OIDC/SAML auth providers, who's certificates are NOT expiring. |
|
I think to do this and have it actually give the correct results, the code needs to do something leveraging the axios "beforeRedirect" callback function. |
nneul
changed the title
|
Confirmed - just set up an explicit monitor with redirects disabled, and immediately started getting the expiry alert. So at least I've got a workaround at the moment - I can define an extra "0 redirects" monitor for every https monitor - however, ideally, this should probably perform the tls cert check on every hop. |
|
Could you edit the title to something shorter like See https://github.com/louislam/uptime-kuma/blob/master/CONTRIBUTING.md if you are able to provide a fix for this behaviour ^^ |
nneul
changed the title
CommanderStorm
added
the
area:cert-expiry
🛡️ Security Policy
Description
Had a service's cert expire today, haven't touched monitors for this for several weeks at least, and have received no notices until UTC rollover today that the cert fully expired. Monitor is configured for default 21/14/7.
👟 Reproduction steps
Not sure yet other than just having a cert that is pending expiration. Going to try to see if I can recreate scenario.
👀 Expected behavior
Some sort of alert at the defined thresholds.
😓 Actual Behavior
Only notified when it actually fully expired.
🐻 Uptime-Kuma Version
1.23.2
💻 Operating System and Arch
Ubuntu 20.04 x86
🌐 Browser
Chrome
🐋 Docker Version
24.0.6
🟩 NodeJS Version
No response
📝 Relevant log output
No response
The text was updated successfully, but these errors were encountered: