
Add certificate verification status to the x509_cert input #4877

Closed
danielnelson opened this issue Oct 17, 2018 · 3 comments · Fixed by #6143
Labels
feature request Requests for new plugin and for new features to existing plugins
Comments

@danielnelson
Contributor

Feature Request

Proposal:

Add certificate verification status to the x509_cert input.

Current behavior:

Certificate validation is not reported; some aspects can be computed at query time, but some checks are not performed.

Desired behavior:

Validate the certificate and report the status, potentially using https://golang.org/pkg/crypto/x509/#Certificate.Verify.

This could be reported as a tag valid=true or validation=success and an integer field validation_code=0i.

Use case:

Needed to detect client issues that could occur using the certificate.

danielnelson added the "feature request" label on Oct 17, 2018
@the-smooth-operator
Contributor

I'd love to see this feature implemented.
Today I stumbled on the case where a certificate was (incorrectly) renewed, thus it wasn't valid. My monitoring couldn't catch that because Telegraf did not process it but threw an error message:

2019-07-18T09:25:00Z E! [inputs.x509_cert]: Error in plugin: cannot get SSL cert 'https://example.org:443': x509: certificate is valid for *.other-domain.com, other-domain.com, not example.org

Using tags for reporting it seems a good idea.

@danielnelson
Contributor Author

You may want to set insecure_skip_verify = true in the plugin settings, see #6139 (comment)

@the-smooth-operator
Contributor

@danielnelson thanks for your reply.
Setting insecure_skip_verify = true does not work for the case described above. Setting this option makes Telegraf ignore the fact that the cert is not valid and report the time to expire. In this situation, I'm more interested in the fact that I'm using an invalid cert, so users "can't visit my site", rather than knowing how much time is left until expiration.

I think the plugin should report whether this certificate is valid or not, for example using a tag as you proposed.

Here is an example of using insecure_skip_verify = false:

[[inputs.x509_cert]]
  insecure_skip_verify = false
  sources = [
    "https://wrong.host.badssl.com:443",
  ]

2019-07-19T08:12:06Z E! [inputs.x509_cert]: Error in plugin: cannot get SSL cert 'https://wrong.host.badssl.com:443': x509: certificate is valid for *.badssl.com, badssl.com, not wrong.host.badssl.com

Disabling verification:

[[inputs.x509_cert]]
  insecure_skip_verify = true
  sources = [
    "https://wrong.host.badssl.com:443",
  ]

> x509_cert,common_name=*.badssl.com,country=US,host=banbao,locality=Walnut\ Creek,organization=Lucas\ Garron,province=California,source=https://wrong.host.badssl.com:443 age=73728758i,enddate=1585137600i,expiry=21613641i,startdate=1489795200i 1563523961000000000
> x509_cert,common_name=DigiCert\ SHA2\ Secure\ Server\ CA,country=US,host=banbao,organization=DigiCert\ Inc,source=https://wrong.host.badssl.com:443 age=200779958i,enddate=1678276800i,expiry=114752841i,startdate=1362744000i 1563523961000000000
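As an added example (not Telegraf's code and not what the fixing PR implemented), this is the check the proposal describes, written in Go: x509.Certificate.Verify against the source hostname, with the result mapped onto an assumed tag value and integer code. It runs offline on a constructed self-signed certificate for *.badssl.com, which reproduces the wrong.host.badssl.com hostname mismatch from the comment above; the Status names and codes are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Status: a tag (validation=success) plus an integer field (validation_code=0i); assumed names/codes.
type Status struct{ Tag string; Code int }

// classify maps the error returned by Certificate.Verify onto a Status.
func classify(err error) Status {
	switch err.(type) {
	case nil:
		return Status{"success", 0}
	case x509.HostnameError: // "certificate is valid for X, not Y", the case in this thread
		return Status{"hostname_mismatch", 1}
	case x509.UnknownAuthorityError:
		return Status{"unknown_authority", 2}
	}
	return Status{"error", 99} // expired, not yet valid, wrong key usage, ...
}

// verify chains leaf to roots and matches host, the same check a TLS client performs.
func verify(leaf *x509.Certificate, roots *x509.CertPool, host string) Status {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return classify(err)
}

// selfSigned builds a constructed self-signed test cert for dnsNames and a pool trusting it.
func selfSigned(dnsNames []string) (*x509.Certificate, *x509.CertPool) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: dnsNames, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	cert, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return cert, pool
}
func main() {
	cert, pool := selfSigned([]string{"*.badssl.com", "badssl.com"})
	fmt.Println(verify(cert, pool, "badssl.com"), verify(cert, pool, "wrong.host.badssl.com"))
}
```

With the real plugin the leaf and chain would come from the TLS handshake and Roots would be the configured CA bundle (or nil for the system roots); the classification step is unchanged.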
