Check ssl cert expiry cronjob fails to load a certificate and stops with an error

With the upcoming version 6.3.5 the diagnostic should be easier because the script prints out which cert is currently processed. This will help you to identify the cert which is causing the problem. In the meanwhile you have to find out why the cert can not be loaded by the openssl command. You will find the certs in /etc/ssl/certs/ and the are named openmediavault-*. Don't know why it is failing, but maybe the root file system is corrupted incl. the cert file.

Zitat von klaussemmler

I installed the update and found the problem. In /etc/ssl/certs was a folder, that was named like a certificate and this tripped up the cronjob. I do not know why there was such a folder as I never created it in the first place but now it is gone.

The debug output still seemed a little odd:

Code

Validating the SSL certificate /etc/ssl/certs/openmediavault-955ffe80-857a-46fc-bc3b-f06f08162b0a.crt ...
unable to load certificate
140373500593472:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
INFO: The SSL certificate openmediavault-955ffe80-857a-46fc-bc3b-f06f08162b0a.crt is valid.

On the one hand the validation fails but on the other hand it says, that the cert is valid (even though it is certainly not). I removed it and even after a reboot all seems fine.

Hmmm, that's right. Don't know how this can happen because according to this the script should exit on failure because -e is set. So it might be that openssl does not exit with an error code.

It's not a nice behaviour, but i do not see a big problem here. Suggestions to improve this are welcome.

klaussemmler Could you please run

# openssl x509 -enddate -noout -in /etc/ssl/certs/openmediavault-955ffe80-857a-46fc-bc3b-f06f08162b0a.crt 
# echo $?

and post the output. Maybe the exit code is a special one that needs to be checked explicitly.

Hmmm, i simply added openssl x509 -enddate -noout -in /etc/ssl/certs/openmediavault-955ffe80-857a-46fc-bc3b-f06f08162b0a.crt into the cron stript and executed it. The script aborted as expected, no The SSL certificate ... is valid output.

# /etc/cron.daily/openmediavault-check_ssl_cert_expiry 
Perform a check for expired SSL certificates.
Validating the SSL certificate /etc/ssl/certs/openmediavault-147fcafa-75fc-470e-bcb0-fd61b48286a0.crt ...
Can't open /etc/ssl/certs/openmediavault-955ffe80-857a-46fc-bc3b-f06f08162b0a.crt for reading, No such file or directory
140654221378880:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('/etc/ssl/certs/openmediavault-955ffe80-857a-46fc-bc3b-f06f08162b0a.crt','r')
140654221378880:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
unable to load certificate

What is the default shell of your system?

Zitat von klaussemmler

I use rbash as default and use su to login as root if necessary.

I don't know that shell, but maybe that is the reason that this shell has a different behaviour when using set -e.

Zitat von klaussemmler

RBash can be used as the default shell when logging in with ssh. It is a reduced bash with less features and access rights.

set -e has no output when launching in rbash.. When logging in with su the output of the command is also empty.

This is a flag that configures the behaviour of scripts.

Based upon your experience i've adapted the whole code to explicitly define the shell that is used by the scripts. Hopefully this will fix your issue.