From 888f5348b387f10f11576c1aac4dbf392d164fb1 Mon Sep 17 00:00:00 2001
From: greg linton
Date: Thu, 18 Jul 2019 10:47:28 -0600
Subject: [PATCH 1/2] Add documentation regarding collecting invalid certs
---
 plugins/inputs/x509_cert/README.md | 2 ++
 plugins/inputs/x509_cert/x509_cert_test.go | 1 +
 2 files changed, 3 insertions(+)
diff --git a/plugins/inputs/x509_cert/README.md b/plugins/inputs/x509_cert/README.md
index a85d05463568e..4a808212aca22 100644
--- a/plugins/inputs/x509_cert/README.md
+++ b/plugins/inputs/x509_cert/README.md
@@ -3,6 +3,8 @@
 This plugin provides information about X509 certificate accessible via local file or network connection.
+In order to always fetch cert information, it is suggested that you use `insecure_skip_verify = true` as telegraf fails to collect information on invalid certs without it.
+
 ### Configuration
diff --git a/plugins/inputs/x509_cert/x509_cert_test.go b/plugins/inputs/x509_cert/x509_cert_test.go
index 933676417cf80..ea852c43e05fb 100644
--- a/plugins/inputs/x509_cert/x509_cert_test.go
+++ b/plugins/inputs/x509_cert/x509_cert_test.go
@@ -52,6 +52,7 @@ func TestGatherRemote(t *testing.T) {
 {name: "successful https", server: "https://example.org:443", timeout: 5},
 {name: "successful file", server: "file://" + tmpfile.Name(), timeout: 5},
 {name: "unsupported scheme", server: "foo://", timeout: 5, error: true},
+ {name: "expired certificate", server: "https://expired.badssl.com:443", timeout: 5},
 {name: "no certificate", timeout: 5, unset: true, error: true},
 {name: "closed connection", close: true, error: true},
 {name: "no handshake", timeout: 5, noshake: true, error: true},
From 6f302ae20ded4b17cb8a8457706621ec80c8ca15 Mon Sep 17 00:00:00 2001
From: greg linton
Date: Thu, 18 Jul 2019 10:58:23 -0600
Subject: [PATCH 2/2] Add explicit test to prove need for insecure_skip
---
 plugins/inputs/x509_cert/x509_cert_test.go | 31 ++++++++++++++++++++++
 1 file changed, 31 insertions(+)
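Review bot: The `expired certificate` row added to the TestGatherRemote table in [PATCH 1/2] targets the third-party host `expired.badssl.com` and sets no `error: true`, so as far as the hunk shows it only requires that gathering returns without error, not that the expired certificate was rejected or collected. The same host is hard-coded in TestGatherExpiredCert in [PATCH 2/2], and both tests change outcome if that host is unreachable or its certificate is replaced. Serving a test-generated certificate whose `NotAfter` lies in the past from a local TLS listener would make the case hermetic. The loop that consumes `server` is outside the hunk, so how this row is evaluated should be confirmed there.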
diff --git a/plugins/inputs/x509_cert/x509_cert_test.go b/plugins/inputs/x509_cert/x509_cert_test.go
index ea852c43e05fb..e8153598b3f85 100644
--- a/plugins/inputs/x509_cert/x509_cert_test.go
+++ b/plugins/inputs/x509_cert/x509_cert_test.go
@@ -14,6 +14,7 @@ import (
 "github.com/influxdata/telegraf"
 "github.com/influxdata/telegraf/internal"
+ _tls "github.com/influxdata/telegraf/internal/tls"
 "github.com/influxdata/telegraf/testutil"
 )
@@ -273,3 +274,33 @@ func TestGatherCert(t *testing.T) {
 assert.True(t, acc.HasMeasurement("x509_cert"))
 }
+
+func TestGatherExpiredCert(t *testing.T) {
+ if testing.Short() {
+ t.Skip("Skipping integration test in short mode")
+ }
+
+ m := &X509Cert{
+ Sources: []string{"https://expired.badssl.com:443"},
+ }
+
+ var acc testutil.Accumulator
+ err := m.Gather(&acc)
+ require.NoError(t, err)
+
+ assert.False(t, acc.HasMeasurement("x509_cert"))
+
+ m = &X509Cert{
+ Sources: []string{"https://expired.badssl.com:443"},
+ ClientConfig: _tls.ClientConfig{
+ InsecureSkipVerify: true,
+ },
+ }
+
+ acc = testutil.Accumulator{}
+ err = m.Gather(&acc)
+ require.NoError(t, err)
+
+ assert.True(t, acc.HasMeasurement("x509_cert"))
+
+}
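Review bot: In TestGatherExpiredCert the first half asserts `require.NoError(t, err)` together with `assert.False(t, acc.HasMeasurement("x509_cert"))`, a pair that would presumably also hold if the host could not be reached at all, so it does not show that certificate verification is what prevented collection. If Gather records the failure on the accumulator (its body is not in this diff), a check such as `require.NotEmpty(t, acc.Errors)` with a match on the expiry message would pin the cause. The second half establishes `InsecureSkipVerify: true` as the way to collect from an invalid certificate; a comment like `// verification is off: the reported fields describe whatever certificate the peer presented, unauthenticated` would make that trade-off explicit for readers who carry the setting into real configs. The blank line before the closing brace can be dropped.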