Getting the following error:
[inputs.x509_cert] Error in plugin: cannot get SSL cert 'https://server:443': tls: failed to parse certificate from server: x509: invalid certificate policies.
I test it on the server the telegraf instance is running and it works fine:
openssl s_client -servername server -connect server:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Jun 21 22:55:36 2022 GMT
notAfter=Jun 20 22:55:36 2025 GMT
My other certs are working fine with telegraf. What can I do to troubleshoot?
yosiasz
February 15, 2023, 4:25pm
2
Did you follow this TLS/SSL setup?
It’s working with the other certs by using that doc
I see the code issue causing it:
yosiasz
February 15, 2023, 8:13pm
6
I doubt the issue is the code if all other servers work. What is the net difference of server4?
It is from a local CA not Digicert
Is there a --ignore-ca-cert switch?
yosiasz
February 15, 2023, 8:32pm
9
For what? openssl? Your questions are too short and vague.
Sorry. In the telegraf config. Maybe the local CA is throwing it off
yosiasz
February 15, 2023, 8:47pm
11
Gotcha. Then what would be the use of TLS/SSL with the cert ignored? Is this just to do a test of the cert issue?
Cert expiration date. I’m not trying to ignore the cert but the local certificate authority. That’s the only difference between this and the other certs
I ran `telegraf --test | grep x509`.
I see the first three certs get tested, but the fourth is ignored, or there is nothing in the output in regards to the cert. Is its placement in the config a contributing factor?
yosiasz
February 16, 2023, 12:58am
14
jasonmallory:
Cert expiration date
What question is this vague answer related to? Please show us your full config file.
Here is the config:
```toml
[[inputs.x509_cert]]
sources = ["https://server1:443", "https://www.server2:443", "https://server3:443", "https://server4:443"]
timeout = "15s"
exclude_root_certs = true
```
Talked to Influx about this issue. Has to do with a bug in the code:
opened 02:23PM - 19 Nov 21 UTC
closed 07:18PM - 21 Dec 21 UTC
NeedsFix
release-blocker
### What version of Go are you using (`go version`)?
<pre>
$ go version
go1.17.3 windows/amd64
</pre>
### Does this issue reproduce with the latest release?
Issue observed while connecting to an LDAPS server with a certificate generated by Microsoft Active Directory with Microsoft's specific X509v3 Certificate Policies.
The error message is "x509: invalid certificate policies".
It comes from parseCertificatePoliciesExtension in the x509 parser.
```
Output of "openssl x509 -in my.crt --text"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4d:00:04:9b:44:6f:c6:43:9c:d8:f5:3a:00:00:03:00:04:9b:44
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = pl, DC = com, DC = <edited>, CN = <edited> Subordinate CA
        Validity
            Not Before: Sep 20 11:05:54 2021 GMT
            Not After : Sep 20 11:05:54 2023 GMT
        Subject: CN = <edited>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:dd:fd:8b:7e:bd:e7:50:f0:c1:bd:8f:37:d6:e0:
                    <edited>
                    e8:13:8a:ae:c7:26:73:b5:81:4e:c7:ab:39:2a:ef:
                    fb:9d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.7:
                0..&+.....7.........M...".......nK...M...b..e...
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, Signing KDC Response, TLS Web Server Authentication, Microsoft Smartcard Login
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.311.21.8.3719450.11115469.11946914.3506198.8878958.75.1492336001.1138714952
            1.3.6.1.4.1.311.21.10:
                010
    ..+.......0...+......0
    ..+.......0..
    +.....7...
            X509v3 Subject Key Identifier:
                04:7B:E7:F9:21:DB:92:0E:21:DE:70:B2:CD:FC:16:49:0D:11:46:92
    <edited>
```
### What operating system and processor architecture are you using (`go env`)?
<details><summary><code>go env</code> Output</summary><br><pre>
$ go env
set GO111MODULE=
set GOARCH=amd64
set GOBIN=
set GOEXE=.exe
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GONOPROXY=
set GONOSUMDB=
set GOOS=windows
set GOPRIVATE=
set GOPROXY=https://proxy.golang.org,direct
set GOROOT=D:\Projekty\go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLDIR=D:\Projekty\go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.17.3
set GCCGO=gccgo
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=1
set GOMOD=D:\Projekty\go\bin\go.mod
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-m64 -mthreads -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\luty4\AppData\Local\Temp\go-build1235732887=/tmp/go-build -gno-record-gcc-switches
</pre></details>
### What did you do?
https://play.golang.org/p/WI9bl64Z6wU
### What did you expect to see?
```
**** OID with 4 bytes
Object Identifier: 1.3.6.1.4.1.311.21.8.1492336001
ASN.1 Encoding: 060e2b060104018237150885c7ccfb01
Decode result: true
Object Identifier: 1.3.6.1.4.1.311.21.8.1492336001
```
### What did you see instead?
```
**** OID with 4 bytes
Object Identifier: 1.3.6.1.4.1.311.21.8.1492336001
ASN.1 Encoding: 060e2b060104018237150885c7ccfb01
Decode result: false
Object Identifier:
```
My code is right so a bug is getting submitted
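The "expected" versus "saw instead" output above hinges on how the last arc of the policy OID is encoded. The added Go program below (written for this page; it is neither the thread's code nor Go's crypto/x509 or cryptobyte code) decodes the exact DER bytes quoted in the issue, `060e2b060104018237150885c7ccfb01`, with a small hand-written DER OBJECT IDENTIFIER parser, and shows that the arc 1492336001 needs five base-128 bytes. The parser takes an optional cap on how many base-128 bytes one arc may occupy; running it with a cap of 4 reproduces the "Decode result: false" symptom, which is an assumption about the root cause of the bug the issue reports, not something the thread states. The standard library's `encoding/asn1` is called alongside for comparison.

```go
package main

import (
	"encoding/asn1"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// DER encoding of the policy OID quoted in the issue above.
const issueOIDHex = "060e2b060104018237150885c7ccfb01"

// Base128Len returns how many bytes an OID arc occupies in base-128 encoding
// (7 value bits per byte, high bit set on all but the last byte).
func Base128Len(v uint64) int {
	n := 1
	for v >>= 7; v > 0; v >>= 7 {
		n++
	}
	return n
}

// ParseDEROID decodes a DER OBJECT IDENTIFIER (tag 0x06, short-form length)
// into its arcs. maxArcBytes caps the number of base-128 bytes a single arc
// may use; 0 means no cap. A cap of 4 is used here only to illustrate the
// failure mode from the issue (assumed cause, see the lead-in).
func ParseDEROID(der []byte, maxArcBytes int) ([]uint64, error) {
	if len(der) < 3 || der[0] != 0x06 {
		return nil, errors.New("not an OBJECT IDENTIFIER")
	}
	if der[1]&0x80 != 0 || len(der) != 2+int(der[1]) {
		return nil, errors.New("bad or unsupported length")
	}
	var arcs []uint64
	var v uint64
	width := 0 // base-128 bytes consumed by the arc being decoded
	for i, b := range der[2:] {
		width++
		if maxArcBytes > 0 && width > maxArcBytes {
			return nil, fmt.Errorf("arc ending at body byte %d needs more than %d base-128 bytes", i, maxArcBytes)
		}
		v = v<<7 | uint64(b&0x7f)
		if b&0x80 != 0 {
			continue // continuation bit set: more bytes belong to this arc
		}
		if arcs == nil {
			// The first sub-identifier packs two arcs as 40*first + second,
			// with first clamped to 2 (so 2.x arcs may exceed 39).
			first := v / 40
			if first > 2 {
				first = 2
			}
			arcs = append(arcs, first, v-first*40)
		} else {
			arcs = append(arcs, v)
		}
		v, width = 0, 0
	}
	if width != 0 {
		return nil, errors.New("truncated arc")
	}
	return arcs, nil
}

// OIDString renders arcs in dotted form.
func OIDString(arcs []uint64) string {
	parts := make([]string, len(arcs))
	for i, a := range arcs {
		parts[i] = fmt.Sprint(a)
	}
	return strings.Join(parts, ".")
}

func main() {
	der, _ := hex.DecodeString(issueOIDHex)

	arcs, err := ParseDEROID(der, 0)
	fmt.Println("no cap:       ", OIDString(arcs), err)
	_, err = ParseDEROID(der, 4)
	fmt.Println("4-byte cap:   ", err)

	var oid asn1.ObjectIdentifier
	_, err = asn1.Unmarshal(der, &oid)
	fmt.Println("encoding/asn1:", oid, err)

	last := arcs[len(arcs)-1]
	fmt.Printf("arc %d needs %d base-128 bytes\n", last, Base128Len(last))
}
```

The practical takeaway for the Telegraf case is that the certificate itself is fine; it is the parser's limit on arc width that rejects it, which is why `openssl` prints the dates without complaint while the Go-based plugin fails.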